[meta-freescale] [PATCH v2 1/2] linux-qoriq: fix CVE-2016-2053

Sona Sarmadi sona.sarmadi at enea.com
Wed Nov 30 04:17:38 PST 2016 

The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux
kernel before 4.3 allows attackers to cause a denial of service
(panic) via an ASN.1 BER file that lacks a public key, leading
to mishandling by the public_key_verify_signature function in
crypto/asymmetric_keys/public_key.c.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2053

upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/
?id=15430f775ee686b61569a0c3e74cf0b2ad57c8eb [backported from stable 3.16]

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/linux-qoriq/CVE-2016-2053.patch          | 133 +++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_4.1.bb            |   1 +
 2 files changed, 134 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch

diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
new file mode 100644
index 0000000..778a99f
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
@@ -0,0 +1,133 @@
+From 15430f775ee686b61569a0c3e74cf0b2ad57c8eb Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Aug 2015 12:54:46 +0100
+Subject: ASN.1: Fix non-match detection failure on data overrun
+
+commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
+
+If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
+matches get skipped if there's no more data to be had rather than a
+data-overrun error being reported.
+
+This is due to the code segment that decides whether to skip optional
+matches (ie. matches that could get ignored because an element is marked
+OPTIONAL in the grammar) due to a lack of data also skips non-optional
+elements if the data pointer has reached the end of the buffer.
+
+This can be tested with the data decoder for the new RSA akcipher algorithm
+that takes three non-optional integers.  Currently, it skips the last
+integer if there is insufficient data.
+
+Without the fix, #defining DEBUG in asn1_decoder.c will show something
+like:
+
+	next_op: pc=0/13 dp=0/270 C=0 J=0
+	- match? 30 30 00
+	- TAG: 30 266 CONS
+	next_op: pc=2/13 dp=4/270 C=1 J=0
+	- match? 02 02 00
+	- TAG: 02 257
+	- LEAF: 257
+	next_op: pc=5/13 dp=265/270 C=1 J=0
+	- match? 02 02 00
+	- TAG: 02 3
+	- LEAF: 3
+	next_op: pc=8/13 dp=270/270 C=1 J=0
+	next_op: pc=11/13 dp=270/270 C=1 J=0
+	- end cons t=4 dp=270 l=270/270
+
+The next_op line for pc=8/13 should be followed by a match line.
+
+This is not exploitable for X.509 certificates by means of shortening the
+message and fixing up the ASN.1 CONS tags because:
+
+ (1) The relevant records being built up are cleared before use.
+
+ (2) If the message is shortened sufficiently to remove the public key, the
+     ASN.1 parse of the RSA key will fail quickly due to a lack of data.
+
+ (3) Extracted signature data is either turned into MPIs (which cope with a
+     0 length) or is simpler integers specifying algoritms and suchlike
+     (which can validly be 0); and
+
+ (4) The AKID and SKID extensions are optional and their removal is handled
+     without risking passing a NULL to asymmetric_key_generate_id().
+
+ (5) If the certificate is truncated sufficiently to remove the subject,
+     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
+     stack underflow' return.
+
+This is not exploitable for PKCS#7 messages by means of removal of elements
+from such a message from the tail end of a sequence:
+
+ (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
+     as detailed above.
+
+ (2) The message digest content isn't used if it shows a NULL pointer,
+     similarly, the authattrs aren't used if that shows a NULL pointer.
+
+ (3) A missing signature results in a NULL MPI - which the MPI routines deal
+     with.
+
+ (4) If data is NULL, it is expected that the message has detached content and
+     that is handled appropriately.
+
+ (5) If the serialNumber is excised, the unconditional action associated
+     with it will pick up the containing SEQUENCE instead, so no NULL
+     pointer will be seen here.
+
+     If both the issuer and the serialNumber are excised, the ASN.1 decode
+     will fail with an 'Unexpected tag' return.
+
+     In either case, there's no way to get to asymmetric_key_generate_id()
+     with a NULL pointer.
+
+ (6) Other fields are decoded to simple integers.  Shortening the message
+     to omit an algorithm ID field will cause checks on this to fail early
+     in the verification process.
+
+This can also be tested by snipping objects off of the end of the ASN.1 stream
+such that mandatory tags are removed - or even from the end of internal
+SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
+produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
+may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
+later, depending on what gets snipped.
+
+Just snipping off the final BIT_STRING or OCTET_STRING from either sample
+should be a start since both are mandatory and neither will cause an EBADMSG
+without the patches
+
+CVE: CVE-2016-2053
+Upstream-Status: Backport [kernel.org linux-stable 3.16 branch]
+
+Reported-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Marcel Holtmann <marcel at holtmann.org>
+Reviewed-by: David Woodhouse <David.Woodhouse at intel.com>
+Cc: Moritz Muehlenhoff <jmm at inutil.org>
+[ luis: backported to 3.16: adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ lib/asn1_decoder.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 1a000bb..d60ce8a 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -208,9 +208,8 @@ next_op:
+ 		unsigned char tmp;
+ 
+ 		/* Skip conditional matches if possible */
+-		if ((op & ASN1_OP_MATCH__COND &&
+-		     flags & FLAG_MATCHED) ||
+-		    dp == datalen) {
++		if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
++		    (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
+ 			pc += asn1_op_lengths[op];
+ 			goto next_op;
+ 		}
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index b5a67e6..ac0f25f 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \
     file://CVE-2016-5696-limiting-of-all-challenge.patch \
     file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
+    file://CVE-2016-2053.patch \
 "
 SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
 
-- 
1.9.1

More information about the meta-freescale mailing list