[meta-freescale] [PATCH v2 2/2] linux-qoriq: fix CVE-2016-0758

Sona Sarmadi sona.sarmadi at enea.com
Wed Nov 30 04:17:39 PST 2016


Fixes a flaw in the way the Linux kernel's ASN.1 DER decoder processed
certain certificate files with tags of indefinite length. A local,
unprivileged user could use a specially crafted X.509 certificate
DER file to crash the system or, potentially, escalate their
privileges on the system.

References:
https://lkml.org/lkml/2016/5/12/270

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=af00ae6ef5a2c73f21ba215c476570b7772a14fb
[backported from stable 3.16]

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/linux-qoriq/CVE-2016-0758.patch          | 98 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_4.1.bb            |  1 +
 2 files changed, 99 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch

diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch
new file mode 100644
index 0000000..5447552
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch
@@ -0,0 +1,98 @@
+From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: KEYS: Fix ASN.1 indefinite length object parsing
+
+commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor.  With a sufficiently large size indicated, the check:
+
+	datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+     of the variable it's being stored in (len) rather than the type that
+     variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+     integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+	for (len = 0; n > 0; n--) {
+
+     since it doesn't have anything to do with the loop counter n.
+
+CVE: CVE-2016-0758.
+Upstream-Status: Backport [backported from kernel.org 3.16 branch]
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Reviewed-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse at intel.com>
+Acked-by: Peter Jones <pjones at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index d60ce8a..806c5b6 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -69,7 +69,7 @@ next_tag:
+ 
+ 	/* Extract a tag from the data */
+ 	tag = data[dp++];
+-	if (tag == 0) {
++	if (tag == ASN1_EOC) {
+ 		/* It appears to be an EOC. */
+ 		if (data[dp++] != 0)
+ 			goto invalid_eoc;
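Review bot: the first octet of the EOC is now compared with ASN1_EOC, but the second one (`if (data[dp++] != 0)`) is still the bare literal 0, which reads as an oversight right after change (2) in the commit message. It is the EOC's length octet rather than a tag, so rather than reusing ASN1_EOC, a one-line comment stating that an EOC is encoded as two zero octets would make the asymmetry deliberate.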
+@@ -91,10 +91,8 @@ next_tag:
+ 
+ 	/* Extract the length */
+ 	len = data[dp++];
+-	if (len <= 0x7f) {
+-		dp += len;
+-		goto next_tag;
+-	}
++	if (len <= 0x7f)
++		goto check_length;
+ 
+ 	if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ 		/* Indefinite length */
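Review bot: the short-form branch now does `goto check_length`, jumping forward over the indefinite-length and extended-length handling to a label that only appears after the length-accumulation loop, and the old inline effect (`dp += len; goto next_tag;`) is no longer visible at this point. A short comment at the goto saying that check_length validates len against the remaining data before advancing dp would save readers from tracing the jump to understand why the short form no longer advances the cursor here.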
+@@ -105,14 +103,18 @@ next_tag:
+ 	}
+ 
+ 	n = len - 0x80;
+-	if (unlikely(n > sizeof(size_t) - 1))
++	if (unlikely(n > sizeof(len) - 1))
+ 		goto length_too_long;
+ 	if (unlikely(n > datalen - dp))
+ 		goto data_overrun_error;
+-	for (len = 0; n > 0; n--) {
++	len = 0;
++	for (; n > 0; n--) {
+ 		len <<= 8;
+ 		len |= data[dp++];
+ 	}
++check_length:
++	if (len > datalen - dp)
++		goto data_overrun_error;
+ 	dp += len;
+ 	goto next_tag;
+ 
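Review bot: the new `if (len > datalen - dp)` at check_length is only meaningful while dp <= datalen, since otherwise the unsigned subtraction wraps and the test passes. For the extended-length path that invariant is visible in the hunk (the `n > datalen - dp` check followed by a loop that consumes exactly n octets), but for the short-form entry it rests on the two-octet availability check above this hunk (the `datalen - dp < 2` test the commit message refers to), so a comment at the label recording "dp <= datalen here" would document what the check relies on. Worth stating in the commit text as well that change (1), `n > sizeof(len) - 1`, still admits lengths of up to sizeof(len) - 1 octets, and that this is safe only because of the new check below it.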
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index ac0f25f..c97104e 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://CVE-2016-5696-limiting-of-all-challenge.patch \
     file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
     file://CVE-2016-2053.patch \
+    file://CVE-2016-0758.patch \
 "
 SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
 
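Review bot: the patch header's Upstream-Status line cites the kernel.org 3.16 branch and the patch's `index d60ce8a..806c5b6` line is from that backport, while the recipe applies it to a 4.1 kernel at the unchanged SRCREV 667e6ba9. The canonical reference for a 4.1 tree is the mainline commit already named in the header (23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa); the Upstream-Status line and the cover text should cite that id, and the cover text should state that the hunks apply cleanly to the linux-qoriq 4.1 lib/asn1_decoder.c, whose context may differ from 3.16's.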
-- 
1.9.1
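To make the failure mode in the commit message concrete, the following is an added example, not code from this patch or from the kernel's lib/asn1_decoder.c: a minimal DER tag-length-value skip loop modelled on the one the patch changes. A check_len flag selects the pre-fix behaviour (the cursor is advanced by an unvalidated length) or the post-fix behaviour (the length is tested against the remaining bytes first), so both can be run on the same constructed input. The names walk_tlv and WALK_* are this example's own; ASN1_EOC and ASN1_INDEFINITE_LENGTH mirror the kernel's constants. Multi-byte tags and indefinite lengths are rejected to keep the example short, and the out-of-bounds read the pre-fix code would perform is trapped and reported rather than executed.

```c
/*
 * Added example, not code from the meta-freescale patch or from the
 * kernel's lib/asn1_decoder.c: a minimal DER TLV skip loop modelled on
 * the one the patch changes. check_len == 0 gives the pre-fix behaviour
 * (cursor advanced by an unvalidated length), check_len != 0 the
 * post-fix behaviour. walk_tlv and WALK_* are this example's own names;
 * ASN1_EOC and ASN1_INDEFINITE_LENGTH mirror the kernel's constants.
 * Multi-byte tags and indefinite lengths are rejected for brevity.
 */
#include <stddef.h>
#include <stdio.h>

#define ASN1_EOC               0x00
#define ASN1_INDEFINITE_LENGTH 0x80

enum walk_status {
	WALK_OK = 0,
	WALK_DATA_OVERRUN,    /* a length runs past the end of the buffer */
	WALK_LENGTH_TOO_LONG, /* more length octets than size_t can hold */
	WALK_INVALID_EOC,
	WALK_UNSUPPORTED,     /* high-tag-number form or indefinite length */
	WALK_OOB_READ         /* instrumentation: pre-fix code would read past the buffer */
};

/* Skip over the top-level TLVs in data[0..datalen), counting them in *count. */
static enum walk_status walk_tlv(const unsigned char *data, size_t datalen,
				 int check_len, size_t *count)
{
	size_t dp = 0, len, n;
	unsigned char tag;

	*count = 0;
	for (;;) {
		/*
		 * End-of-data test as in the kernel. Once an unchecked
		 * `dp += len` has pushed dp beyond datalen, the unsigned
		 * subtraction wraps, the test passes, and the reads below
		 * would go out of bounds: trap that instead of dereferencing.
		 */
		if (datalen - dp < 2)
			return dp == datalen ? WALK_OK : WALK_DATA_OVERRUN;
		if (dp >= datalen)
			return WALK_OOB_READ;

		tag = data[dp++];
		if (tag == ASN1_EOC) {
			if (data[dp++] != 0)      /* EOC is two zero octets */
				return WALK_INVALID_EOC;
			continue;
		}
		if ((tag & 0x1f) == 0x1f)
			return WALK_UNSUPPORTED;

		len = data[dp++];
		if (len > 0x7f) {
			if (len == ASN1_INDEFINITE_LENGTH)
				return WALK_UNSUPPORTED;
			n = len - 0x80;             /* number of length octets */
			if (n > sizeof(len) - 1)
				return WALK_LENGTH_TOO_LONG;
			if (n > datalen - dp)       /* this check predates the fix */
				return WALK_DATA_OVERRUN;
			len = 0;
			for (; n > 0; n--) {
				len <<= 8;
				len |= data[dp++];
			}
		}
		/* The fix: reject a length larger than what is left. */
		if (check_len && len > datalen - dp)
			return WALK_DATA_OVERRUN;
		dp += len;                          /* pre-fix: may now exceed datalen */
		(*count)++;
	}
}

/* Constructed inputs for the demonstration, not taken from any real certificate. */
static const unsigned char good_der[] = {
	0x02, 0x01, 0x05,          /* INTEGER 5 */
	0x04, 0x02, 'h', 'i',      /* OCTET STRING "hi" */
	0x30, 0x00,                /* empty SEQUENCE */
};
static const unsigned char short_overrun[] = { 0x04, 0x10, 'a', 'b' };         /* claims 16 bytes, has 2 */
static const unsigned char long_overrun[]  = { 0x04, 0x82, 0xff, 0xff, 0x00 }; /* claims 65535 bytes, has 1 */

int main(void)
{
	size_t count;
	enum walk_status pre = walk_tlv(short_overrun, sizeof(short_overrun), 0, &count);
	printf("pre-fix:  status %d after %zu TLV(s)\n", pre, count);
	enum walk_status post = walk_tlv(short_overrun, sizeof(short_overrun), 1, &count);
	printf("post-fix: status %d after %zu TLV(s)\n", post, count);
	return 0;
}
```

On the well-formed input both modes return WALK_OK after three TLVs. On either overrun input the pre-fix walker accepts the first TLV, advances dp past the end of the buffer, and on the next iteration the `datalen - dp < 2` test passes because the subtraction wrapped, which is where the real decoder would read out of bounds (reported here as WALK_OOB_READ); the post-fix walker rejects the same input with WALK_DATA_OVERRUN before accepting anything.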
