releases/3.16.55/lib-oid_registry.c-x.509-fix-the-buffer-overflow-in-the-utility.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Takashi Iwai <tiwai@suse.de>
 Date: Fri, 8 Sep 2017 16:15:58 -0700
 Subject: lib/oid_registry.c: X.509: fix the buffer overflow in the utility
  function for OID string

 commit afdb05e9d61905220f09268535235288e6ba3a16 upstream.

 The sprint_oid() utility function doesn't properly check the buffer size
 that it causes that the warning in vsnprintf() be triggered.  For
 example on v4.1 kernel:

   ------------[ cut here ]------------
   WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
   ...

 We can trigger this issue by injecting maliciously crafted x509 cert in
 DER format.  Just using hex editor to change the length of OID to over
 the length of the SEQUENCE container.  For example:

     0:d=0  hl=4 l= 980 cons: SEQUENCE
     4:d=1  hl=4 l= 700 cons:  SEQUENCE
     8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
    10:d=3  hl=2 l=   1 prim:    INTEGER           :02
    13:d=2  hl=2 l=   9 prim:   INTEGER           :9B47FAF791E7D1E3
    24:d=2  hl=2 l=  13 cons:   SEQUENCE
    26:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
    37:d=3  hl=2 l=   0 prim:    NULL
    39:d=2  hl=2 l= 121 cons:   SEQUENCE
    41:d=3  hl=2 l=  22 cons:    SET
    43:d=4  hl=2 l=  20 cons:     SEQUENCE      <=== the SEQ length is 20
    45:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
 	<=== the original length is 3, change the length of OID to over the length of SEQUENCE

 Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
 patch to fix it by checking the bufsize in sprint_oid().

 Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.com
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
 Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
 Cc: David Howells <dhowells@redhat.com>
 Cc: Rusty Russell <rusty@rustcorp.com.au>
 Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  lib/oid_registry.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 --- a/lib/oid_registry.c
 +++ b/lib/oid_registry.c
 @@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t
  		}
  		ret += count = snprintf(buffer, bufsize, ".%lu", num);
  		buffer += count;
 -		bufsize -= count;
 -		if (bufsize == 0)
 +		if (bufsize <= count)
  			return -ENOBUFS;
 +		bufsize -= count;
  	}

  	return ret;
	From: Takashi Iwai <tiwai@suse.de>
	Date: Fri, 8 Sep 2017 16:15:58 -0700
	Subject: lib/oid_registry.c: X.509: fix the buffer overflow in the utility
	function for OID string

	commit afdb05e9d61905220f09268535235288e6ba3a16 upstream.

	The sprint_oid() utility function doesn't properly check the buffer size
	that it causes that the warning in vsnprintf() be triggered. For
	example on v4.1 kernel:

	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
	...

	We can trigger this issue by injecting maliciously crafted x509 cert in
	DER format. Just using hex editor to change the length of OID to over
	the length of the SEQUENCE container. For example:

	0:d=0 hl=4 l= 980 cons: SEQUENCE
	4:d=1 hl=4 l= 700 cons: SEQUENCE
	8:d=2 hl=2 l= 3 cons: cont [ 0 ]
	10:d=3 hl=2 l= 1 prim: INTEGER :02
	13:d=2 hl=2 l= 9 prim: INTEGER :9B47FAF791E7D1E3
	24:d=2 hl=2 l= 13 cons: SEQUENCE
	26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
	37:d=3 hl=2 l= 0 prim: NULL
	39:d=2 hl=2 l= 121 cons: SEQUENCE
	41:d=3 hl=2 l= 22 cons: SET
	43:d=4 hl=2 l= 20 cons: SEQUENCE <=== the SEQ length is 20
	45:d=5 hl=2 l= 3 prim: OBJECT :organizationName
	<=== the original length is 3, change the length of OID to over the length of SEQUENCE

	Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
	patch to fix it by checking the bufsize in sprint_oid().

	Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.com
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
	Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
	Cc: David Howells <dhowells@redhat.com>
	Cc: Rusty Russell <rusty@rustcorp.com.au>
	Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	lib/oid_registry.c \| 4 ++--
	1 file changed, 2 insertions(+), 2 deletions(-)

	--- a/lib/oid_registry.c
	+++ b/lib/oid_registry.c
	@@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t
	}
	ret += count = snprintf(buffer, bufsize, ".%lu", num);
	buffer += count;
	- bufsize -= count;
	- if (bufsize == 0)
	+ if (bufsize <= count)
	return -ENOBUFS;
	+ bufsize -= count;
	}

	return ret;