The patch titled
Subject: lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
has been added to the -mm tree. Its filename is
x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Takashi Iwai <tiwai@xxxxxxx>
Subject: lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
The sprint_oid() utility function doesn't properly check the buffer size
that it causes that the warning in vsnprintf() be triggered. For example
on v4.1 kernel:
[ 49.612536] ------------[ cut here ]------------
[ 49.612543] WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
...
We can trigger this issue by injecting maliciously crafted x509 cert in
DER format. Just using hex editor to change the length of OID to over the
length of the SEQUENCE container. For example:
0:d=0 hl=4 l= 980 cons: SEQUENCE
4:d=1 hl=4 l= 700 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :9B47FAF791E7D1E3
24:d=2 hl=2 l= 13 cons: SEQUENCE
26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
37:d=3 hl=2 l= 0 prim: NULL
39:d=2 hl=2 l= 121 cons: SEQUENCE
41:d=3 hl=2 l= 22 cons: SET
43:d=4 hl=2 l= 20 cons: SEQUENCE <=== the SEQ length is 20
45:d=5 hl=2 l= 3 prim: OBJECT :organizationName
<=== the original length is 3, change the length of OID to over the length of SEQUENCE
Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided patch
to fix it by checking the bufsize in sprint_oid().
Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@xxxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx>
Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@xxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@xxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
lib/oid_registry.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN lib/oid_registry.c~x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string lib/oid_registry.c
--- a/lib/oid_registry.c~x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string
+++ a/lib/oid_registry.c
@@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t
}
ret += count = snprintf(buffer, bufsize, ".%lu", num);
buffer += count;
- bufsize -= count;
- if (bufsize == 0)
+ if (bufsize <= count)
return -ENOBUFS;
+ bufsize -= count;
}
return ret;
_
Patches currently in -mm which might be from tiwai@xxxxxxx are
x509-fix-the-buffer-overflow-in-the-utility-function-for-oid-string.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
