From: Sona Sarmadi Date: Wed, 30 Nov 2016 12:17:39 +0000 (+0100) Subject: linux-qoriq: fix CVE-2016-0758 X-Git-Tag: 2.2~84 X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=c81b13fce917cfa8a0bb98da18817dcc14ac6b11;p=meta-freescale.git linux-qoriq: fix CVE-2016-0758 Fixes a flaw in how the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. References: https://lkml.org/lkml/2016/5/12/270 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/ ?id=af00ae6ef5a2c73f21ba215c476570b7772a14fb [backported from stable 3.16] Signed-off-by: Sona Sarmadi Signed-off-by: Otavio Salvador --- diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch new file mode 100644 index 00000000..5447552f --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch 
@@ -0,0 +1,98 @@
+From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: KEYS: Fix ASN.1 indefinite length object parsing
+
+commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor. With a sufficiently large size indicated, the check:
+
+ datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+ of the variable it's being stored in (len) rather than the type that
+ variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+ integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+ for (len = 0; n > 0; n--) {
+
+ since it doesn't have anything to do with the loop counter n.
+
+CVE: CVE-2016-0758.
+Upstream-Status: Backport [backported from kernel.org 3.16 branch]
+
+Signed-off-by: David Howells
+Reviewed-by: Mimi Zohar
+Acked-by: David Woodhouse
+Acked-by: Peter Jones
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sona Sarmadi
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index d60ce8a..806c5b6 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -69,7 +69,7 @@ next_tag:
+ 
+ /* Extract a tag from the data */
+ tag = data[dp++];
+- if (tag == 0) {
++ if (tag == ASN1_EOC) {
+ /* It appears to be an EOC. */
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+@@ -91,10 +91,8 @@ next_tag:
+ 
+ /* Extract the length */
+ len = data[dp++];
+- if (len <= 0x7f) {
+- dp += len;
+- goto next_tag;
+- }
++ if (len <= 0x7f)
++ goto check_length;
+ 
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+@@ -105,14 +103,18 @@ next_tag:
+ }
+ 
+ n = len - 0x80;
+- if (unlikely(n > sizeof(size_t) - 1))
++ if (unlikely(n > sizeof(len) - 1))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+- for (len = 0; n > 0; n--) {
++ len = 0;
++ for (; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
++check_length:
++ if (len > datalen - dp)
++ goto data_overrun_error;
+ dp += len;
+ goto next_tag;
+ 
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index ac0f25fe..c97104e9 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://CVE-2016-5696-limiting-of-all-challenge.patch \
 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
 file://CVE-2016-2053.patch \
+ file://CVE-2016-0758.patch \
 "
 SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
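Review bot: The header of the added patch file records only `Upstream-Status: Backport [backported from kernel.org 3.16 branch]`, while the file is wired into linux-qoriq_4.1.bb, so a reader cannot tell from the header which tree the hunk offsets (`@@ -69,7 +69,7 @@`, `@@ -91,10 +91,8 @@`, `@@ -105,14 +103,18 @@`) were checked and build-tested against. Record the vendor tree and revision in the header, e.g. `Upstream-Status: Backport [kernel.org 3.16 branch, rebased onto the linux-qoriq 4.1 tree at SRCREV 667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a]`, so that a later SRCREV bump which already carries the fix is recognised as the reason this patch stops applying rather than as a regression. The inner hunks themselves are consistent with the description: both the short-form (`len <= 0x7f`) and long-form lengths now reach `check_length:` and are compared against `datalen - dp` before `dp += len`, and the long-form byte count is bounded by `sizeof(len)` rather than `sizeof(size_t)`. The enclosing function is not visible in the hunk beyond the `next_tag:` label.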