linux-qoriq: fix CVE-2016-0758

Fixes a flaw in the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. References: https://lkml.org/lkml/2016/5/12/270 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/ ?id=af00ae6ef5a2c73f21ba215c476570b7772a14fb [backported from stable 3.16] Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-11-30 13:17:39 +0100
committer: Otavio Salvador <otavio@ossystems.com.br> 2016-12-09 09:41:45 -0200
commit: c81b13fce917cfa8a0bb98da18817dcc14ac6b11 (patch)
tree: 5db1efe28a2fceb589c36756ac5df5d004377f22
parent: a870befa7789197b0091cc18c9c5196a848a75c7 (diff)
download: meta-freescale-c81b13fce917cfa8a0bb98da18817dcc14ac6b11.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch
new file mode 100644
index 000000000..5447552fb
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch
@@ -0,0 +1,98 @@
+From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: KEYS: Fix ASN.1 indefinite length object parsing
+commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
+This fixes CVE-2016-0758.
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor.  With a sufficiently large size indicated, the check:
+        datalen - dp < 2
+may then fail due to integer overflow.
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+Whilst we're at it, make the following changes:
+ (1) Check the maximum size of extended length does not exceed the capacity
+     of the variable it's being stored in (len) rather than the type that
+     variable is assumed to be (size_t).
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+     integer 0.
+ (3) To reduce confusion, move the initialisation of len outside of:
+        for (len = 0; n > 0; n--) {
+     since it doesn't have anything to do with the loop counter n.
+CVE: CVE-2016-0758.
+Upstream-Status: Backport [backported from kernel.org 3.16 branch]
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index d60ce8a..806c5b6 100644
+--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
+@@ -69,7 +69,7 @@ next_tag:
+ 
+        /* Extract a tag from the data */
+        tag = data[dp++];
+-       if (tag == 0) {
+       if (tag == ASN1_EOC) {
+                /* It appears to be an EOC. */
+                if (data[dp++] != 0)
+                        goto invalid_eoc;
+@@ -91,10 +91,8 @@ next_tag:
+ 
+        /* Extract the length */
+        len = data[dp++];
+-       if (len <= 0x7f) {
+-               dp += len;
+-               goto next_tag;
+-       }
+       if (len <= 0x7f)
+               goto check_length;
+ 
+        if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+                /* Indefinite length */
+@@ -105,14 +103,18 @@ next_tag:
+        }
+ 
+        n = len - 0x80;
+-       if (unlikely(n > sizeof(size_t) - 1))
+       if (unlikely(n > sizeof(len) - 1))
+                goto length_too_long;
+        if (unlikely(n > datalen - dp))
+                goto data_overrun_error;
+-       for (len = 0; n > 0; n--) {
+       len = 0;
+       for (; n > 0; n--) {
+                len <<= 8;
+                len |= data[dp++];
+        }
+check_length:
+       if (len > datalen - dp)
+               goto data_overrun_error;
+        dp += len;
+        goto next_tag;
+ 
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index ac0f25fee..c97104e93 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://CVE-2016-5696-limiting-of-all-challenge.patch \
    file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
    file://CVE-2016-2053.patch \
+    file://CVE-2016-0758.patch \
 "
 SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-11-30 13:17:39 +0100
committer	Otavio Salvador <otavio@ossystems.com.br>	2016-12-09 09:41:45 -0200
commit	c81b13fce917cfa8a0bb98da18817dcc14ac6b11 (patch)
tree	5db1efe28a2fceb589c36756ac5df5d004377f22
parent	a870befa7789197b0091cc18c9c5196a848a75c7 (diff)
download	meta-freescale-c81b13fce917cfa8a0bb98da18817dcc14ac6b11.tar.gz

diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch new file mode 100644 index 000000000..5447552fb --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch
@@ -0,0 +1,98 @@
		1	From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001
		2	From: David Howells <dhowells@redhat.com>
		3	Date: Tue, 23 Feb 2016 11:03:12 +0000
		4	Subject: KEYS: Fix ASN.1 indefinite length object parsing
		5
		6	commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
		7
		8	This fixes CVE-2016-0758.
		9
		10	In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
		11	it isn't validated against the remaining amount of data before being added
		12	to the cursor. With a sufficiently large size indicated, the check:
		13
		14	datalen - dp < 2
		15
		16	may then fail due to integer overflow.
		17
		18	Fix this by checking the length indicated against the amount of remaining
		19	data in both places a definite length is determined.
		20
		21	Whilst we're at it, make the following changes:
		22
		23	(1) Check the maximum size of extended length does not exceed the capacity
		24	of the variable it's being stored in (len) rather than the type that
		25	variable is assumed to be (size_t).
		26
		27	(2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
		28	integer 0.
		29
		30	(3) To reduce confusion, move the initialisation of len outside of:
		31
		32	for (len = 0; n > 0; n--) {
		33
		34	since it doesn't have anything to do with the loop counter n.
		35
		36	CVE: CVE-2016-0758.
		37	Upstream-Status: Backport [backported from kernel.org 3.16 branch]
		38
		39	Signed-off-by: David Howells <dhowells@redhat.com>
		40	Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
		41	Acked-by: David Woodhouse <David.Woodhouse@intel.com>
		42	Acked-by: Peter Jones <pjones@redhat.com>
		43	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
		44	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		45	---
		46	lib/asn1_decoder.c \| 16 +++++++++-------
		47	1 file changed, 9 insertions(+), 7 deletions(-)
		48
		49	diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
		50	index d60ce8a..806c5b6 100644
		51	--- a/lib/asn1_decoder.c
		52	+++ b/lib/asn1_decoder.c
		53	@@ -69,7 +69,7 @@ next_tag:
		54
		55	/* Extract a tag from the data */
		56	tag = data[dp++];
		57	- if (tag == 0) {
		58	+ if (tag == ASN1_EOC) {
		59	/* It appears to be an EOC. */
		60	if (data[dp++] != 0)
		61	goto invalid_eoc;
		62	@@ -91,10 +91,8 @@ next_tag:
		63
		64	/* Extract the length */
		65	len = data[dp++];
		66	- if (len <= 0x7f) {
		67	- dp += len;
		68	- goto next_tag;
		69	- }
		70	+ if (len <= 0x7f)
		71	+ goto check_length;
		72
		73	if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
		74	/* Indefinite length */
		75	@@ -105,14 +103,18 @@ next_tag:
		76	}
		77
		78	n = len - 0x80;
		79	- if (unlikely(n > sizeof(size_t) - 1))
		80	+ if (unlikely(n > sizeof(len) - 1))
		81	goto length_too_long;
		82	if (unlikely(n > datalen - dp))
		83	goto data_overrun_error;
		84	- for (len = 0; n > 0; n--) {
		85	+ len = 0;
		86	+ for (; n > 0; n--) {
		87	len <<= 8;
		88	len \|= data[dp++];
		89	}
		90	+check_length:
		91	+ if (len > datalen - dp)
		92	+ goto data_overrun_error;
		93	dp += len;
		94	goto next_tag;
		95
		96	--
		97	cgit v0.12
		98


diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb index ac0f25fee..c97104e93 100644 --- a/recipes-kernel/linux/linux-qoriq_4.1.bb +++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
16	file://CVE-2016-5696-limiting-of-all-challenge.patch \	16	file://CVE-2016-5696-limiting-of-all-challenge.patch \
17	file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \	17	file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
18	file://CVE-2016-2053.patch \	18	file://CVE-2016-2053.patch \
		19	file://CVE-2016-0758.patch \
19	"	20	"
20	SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"	21	SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
21		22