[meta-freescale] [PATCH v2 1/2] linux-qoriq: fix CVE-2016-2053
Sona Sarmadi
sona.sarmadi at enea.com
Wed Nov 30 04:17:38 PST 2016
The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux
kernel before 4.3 allows attackers to cause a denial of service
(panic) via an ASN.1 BER file that lacks a public key, leading
to mishandling by the public_key_verify_signature function in
crypto/asymmetric_keys/public_key.c.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2053
upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/
?id=15430f775ee686b61569a0c3e74cf0b2ad57c8eb [backported from stable 3.16]
Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
.../linux/linux-qoriq/CVE-2016-2053.patch | 133 +++++++++++++++++++++
recipes-kernel/linux/linux-qoriq_4.1.bb | 1 +
2 files changed, 134 insertions(+)
create mode 100644 recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
new file mode 100644
index 0000000..778a99f
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
@@ -0,0 +1,133 @@
+From 15430f775ee686b61569a0c3e74cf0b2ad57c8eb Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Aug 2015 12:54:46 +0100
+Subject: ASN.1: Fix non-match detection failure on data overrun
+
+commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
+
+If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
+matches get skipped if there's no more data to be had rather than a
+data-overrun error being reported.
+
+This is due to the code segment that decides whether to skip optional
+matches (ie. matches that could get ignored because an element is marked
+OPTIONAL in the grammar) due to a lack of data also skips non-optional
+elements if the data pointer has reached the end of the buffer.
+
+This can be tested with the data decoder for the new RSA akcipher algorithm
+that takes three non-optional integers. Currently, it skips the last
+integer if there is insufficient data.
+
+Without the fix, #defining DEBUG in asn1_decoder.c will show something
+like:
+
+ next_op: pc=0/13 dp=0/270 C=0 J=0
+ - match? 30 30 00
+ - TAG: 30 266 CONS
+ next_op: pc=2/13 dp=4/270 C=1 J=0
+ - match? 02 02 00
+ - TAG: 02 257
+ - LEAF: 257
+ next_op: pc=5/13 dp=265/270 C=1 J=0
+ - match? 02 02 00
+ - TAG: 02 3
+ - LEAF: 3
+ next_op: pc=8/13 dp=270/270 C=1 J=0
+ next_op: pc=11/13 dp=270/270 C=1 J=0
+ - end cons t=4 dp=270 l=270/270
+
+The next_op line for pc=8/13 should be followed by a match line.
+
+This is not exploitable for X.509 certificates by means of shortening the
+message and fixing up the ASN.1 CONS tags because:
+
+ (1) The relevant records being built up are cleared before use.
+
+ (2) If the message is shortened sufficiently to remove the public key, the
+ ASN.1 parse of the RSA key will fail quickly due to a lack of data.
+
+ (3) Extracted signature data is either turned into MPIs (which cope with a
+ 0 length) or is simpler integers specifying algoritms and suchlike
+ (which can validly be 0); and
+
+ (4) The AKID and SKID extensions are optional and their removal is handled
+ without risking passing a NULL to asymmetric_key_generate_id().
+
+ (5) If the certificate is truncated sufficiently to remove the subject,
+ issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
+ stack underflow' return.
+
+This is not exploitable for PKCS#7 messages by means of removal of elements
+from such a message from the tail end of a sequence:
+
+ (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
+ as detailed above.
+
+ (2) The message digest content isn't used if it shows a NULL pointer,
+ similarly, the authattrs aren't used if that shows a NULL pointer.
+
+ (3) A missing signature results in a NULL MPI - which the MPI routines deal
+ with.
+
+ (4) If data is NULL, it is expected that the message has detached content and
+ that is handled appropriately.
+
+ (5) If the serialNumber is excised, the unconditional action associated
+ with it will pick up the containing SEQUENCE instead, so no NULL
+ pointer will be seen here.
+
+ If both the issuer and the serialNumber are excised, the ASN.1 decode
+ will fail with an 'Unexpected tag' return.
+
+ In either case, there's no way to get to asymmetric_key_generate_id()
+ with a NULL pointer.
+
+ (6) Other fields are decoded to simple integers. Shortening the message
+ to omit an algorithm ID field will cause checks on this to fail early
+ in the verification process.
+
+This can also be tested by snipping objects off of the end of the ASN.1 stream
+such that mandatory tags are removed - or even from the end of internal
+SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be
+produced. Without this patch ERANGE or ENOPKG might be produced or the parse
+may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
+later, depending on what gets snipped.
+
+Just snipping off the final BIT_STRING or OCTET_STRING from either sample
+should be a start since both are mandatory and neither will cause an EBADMSG
+without the patches
+
+CVE: CVE-2016-2053
+Upstream-Status: Backport [kernel.org linux-stable 3.16 branch]
+
+Reported-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Marcel Holtmann <marcel at holtmann.org>
+Reviewed-by: David Woodhouse <David.Woodhouse at intel.com>
+Cc: Moritz Muehlenhoff <jmm at inutil.org>
+[ luis: backported to 3.16: adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ lib/asn1_decoder.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 1a000bb..d60ce8a 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -208,9 +208,8 @@ next_op:
+ unsigned char tmp;
+
+ /* Skip conditional matches if possible */
+- if ((op & ASN1_OP_MATCH__COND &&
+- flags & FLAG_MATCHED) ||
+- dp == datalen) {
++ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
++ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
+ pc += asn1_op_lengths[op];
+ goto next_op;
+ }
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index b5a67e6..ac0f25f 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \
file://CVE-2016-5696-limiting-of-all-challenge.patch \
file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
+ file://CVE-2016-2053.patch \
"
SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
--
1.9.1
More information about the meta-freescale
mailing list