2 files changed, 134 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
new file mode 100644
index 000000000..778a99fdc
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
@@ -0,0 +1,133 @@
+From 15430f775ee686b61569a0c3e74cf0b2ad57c8eb Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 5 Aug 2015 12:54:46 +0100
+Subject: ASN.1: Fix non-match detection failure on data overrun
+commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
+If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
+matches get skipped if there's no more data to be had rather than a
+data-overrun error being reported.
+This is due to the code segment that decides whether to skip optional
+matches (ie. matches that could get ignored because an element is marked
+OPTIONAL in the grammar) due to a lack of data also skips non-optional
+elements if the data pointer has reached the end of the buffer.
+This can be tested with the data decoder for the new RSA akcipher algorithm
+that takes three non-optional integers.  Currently, it skips the last
+integer if there is insufficient data.
+Without the fix, #defining DEBUG in asn1_decoder.c will show something
+like:
+        next_op: pc=0/13 dp=0/270 C=0 J=0
+        - match? 30 30 00
+        - TAG: 30 266 CONS
+        next_op: pc=2/13 dp=4/270 C=1 J=0
+        - match? 02 02 00
+        - TAG: 02 257
+        - LEAF: 257
+        next_op: pc=5/13 dp=265/270 C=1 J=0
+        - match? 02 02 00
+        - TAG: 02 3
+        - LEAF: 3
+        next_op: pc=8/13 dp=270/270 C=1 J=0
+        next_op: pc=11/13 dp=270/270 C=1 J=0
+        - end cons t=4 dp=270 l=270/270
+The next_op line for pc=8/13 should be followed by a match line.
+This is not exploitable for X.509 certificates by means of shortening the
+message and fixing up the ASN.1 CONS tags because:
+ (1) The relevant records being built up are cleared before use.
+ (2) If the message is shortened sufficiently to remove the public key, the
+     ASN.1 parse of the RSA key will fail quickly due to a lack of data.
+ (3) Extracted signature data is either turned into MPIs (which cope with a
+     0 length) or is simpler integers specifying algoritms and suchlike
+     (which can validly be 0); and
+ (4) The AKID and SKID extensions are optional and their removal is handled
+     without risking passing a NULL to asymmetric_key_generate_id().
+ (5) If the certificate is truncated sufficiently to remove the subject,
+     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
+     stack underflow' return.
+This is not exploitable for PKCS#7 messages by means of removal of elements
+from such a message from the tail end of a sequence:
+ (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
+     as detailed above.
+ (2) The message digest content isn't used if it shows a NULL pointer,
+     similarly, the authattrs aren't used if that shows a NULL pointer.
+ (3) A missing signature results in a NULL MPI - which the MPI routines deal
+     with.
+ (4) If data is NULL, it is expected that the message has detached content and
+     that is handled appropriately.
+ (5) If the serialNumber is excised, the unconditional action associated
+     with it will pick up the containing SEQUENCE instead, so no NULL
+     pointer will be seen here.
+     If both the issuer and the serialNumber are excised, the ASN.1 decode
+     will fail with an 'Unexpected tag' return.
+     In either case, there's no way to get to asymmetric_key_generate_id()
+     with a NULL pointer.
+ (6) Other fields are decoded to simple integers.  Shortening the message
+     to omit an algorithm ID field will cause checks on this to fail early
+     in the verification process.
+This can also be tested by snipping objects off of the end of the ASN.1 stream
+such that mandatory tags are removed - or even from the end of internal
+SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
+produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
+may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
+later, depending on what gets snipped.
+Just snipping off the final BIT_STRING or OCTET_STRING from either sample
+should be a start since both are mandatory and neither will cause an EBADMSG
+without the patches
+CVE: CVE-2016-2053
+Upstream-Status: Backport [kernel.org linux-stable 3.16 branch]
+Reported-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Marcel Holtmann <marcel@holtmann.org>
+Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
+Cc: Moritz Muehlenhoff <jmm@inutil.org>
+[ luis: backported to 3.16: adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/asn1_decoder.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 1a000bb..d60ce8a 100644
+--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
+@@ -208,9 +208,8 @@ next_op:
+                unsigned char tmp;
+ 
+                /* Skip conditional matches if possible */
+-               if ((op & ASN1_OP_MATCH__COND &&
+-                    flags & FLAG_MATCHED) ||
+-                   dp == datalen) {
+               if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
+                   (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
+                        pc += asn1_op_lengths[op];
+                        goto next_op;
+                }
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index b5a67e64f..ac0f25fee 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \
    file://CVE-2016-5696-limiting-of-all-challenge.patch \
    file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
+    file://CVE-2016-2053.patch \
 "
 SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"

diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch new file mode 100644 index 000000000..778a99fdc --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch
@@ -0,0 +1,133 @@
		1	From 15430f775ee686b61569a0c3e74cf0b2ad57c8eb Mon Sep 17 00:00:00 2001
		2	From: David Howells <dhowells@redhat.com>
		3	Date: Wed, 5 Aug 2015 12:54:46 +0100
		4	Subject: ASN.1: Fix non-match detection failure on data overrun
		5
		6	commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
		7
		8	If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
		9	matches get skipped if there's no more data to be had rather than a
		10	data-overrun error being reported.
		11
		12	This is due to the code segment that decides whether to skip optional
		13	matches (ie. matches that could get ignored because an element is marked
		14	OPTIONAL in the grammar) due to a lack of data also skips non-optional
		15	elements if the data pointer has reached the end of the buffer.
		16
		17	This can be tested with the data decoder for the new RSA akcipher algorithm
		18	that takes three non-optional integers. Currently, it skips the last
		19	integer if there is insufficient data.
		20
		21	Without the fix, #defining DEBUG in asn1_decoder.c will show something
		22	like:
		23
		24	next_op: pc=0/13 dp=0/270 C=0 J=0
		25	- match? 30 30 00
		26	- TAG: 30 266 CONS
		27	next_op: pc=2/13 dp=4/270 C=1 J=0
		28	- match? 02 02 00
		29	- TAG: 02 257
		30	- LEAF: 257
		31	next_op: pc=5/13 dp=265/270 C=1 J=0
		32	- match? 02 02 00
		33	- TAG: 02 3
		34	- LEAF: 3
		35	next_op: pc=8/13 dp=270/270 C=1 J=0
		36	next_op: pc=11/13 dp=270/270 C=1 J=0
		37	- end cons t=4 dp=270 l=270/270
		38
		39	The next_op line for pc=8/13 should be followed by a match line.
		40
		41	This is not exploitable for X.509 certificates by means of shortening the
		42	message and fixing up the ASN.1 CONS tags because:
		43
		44	(1) The relevant records being built up are cleared before use.
		45
		46	(2) If the message is shortened sufficiently to remove the public key, the
		47	ASN.1 parse of the RSA key will fail quickly due to a lack of data.
		48
		49	(3) Extracted signature data is either turned into MPIs (which cope with a
		50	0 length) or is simpler integers specifying algoritms and suchlike
		51	(which can validly be 0); and
		52
		53	(4) The AKID and SKID extensions are optional and their removal is handled
		54	without risking passing a NULL to asymmetric_key_generate_id().
		55
		56	(5) If the certificate is truncated sufficiently to remove the subject,
		57	issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
		58	stack underflow' return.
		59
		60	This is not exploitable for PKCS#7 messages by means of removal of elements
		61	from such a message from the tail end of a sequence:
		62
		63	(1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
		64	as detailed above.
		65
		66	(2) The message digest content isn't used if it shows a NULL pointer,
		67	similarly, the authattrs aren't used if that shows a NULL pointer.
		68
		69	(3) A missing signature results in a NULL MPI - which the MPI routines deal
		70	with.
		71
		72	(4) If data is NULL, it is expected that the message has detached content and
		73	that is handled appropriately.
		74
		75	(5) If the serialNumber is excised, the unconditional action associated
		76	with it will pick up the containing SEQUENCE instead, so no NULL
		77	pointer will be seen here.
		78
		79	If both the issuer and the serialNumber are excised, the ASN.1 decode
		80	will fail with an 'Unexpected tag' return.
		81
		82	In either case, there's no way to get to asymmetric_key_generate_id()
		83	with a NULL pointer.
		84
		85	(6) Other fields are decoded to simple integers. Shortening the message
		86	to omit an algorithm ID field will cause checks on this to fail early
		87	in the verification process.
		88
		89	This can also be tested by snipping objects off of the end of the ASN.1 stream
		90	such that mandatory tags are removed - or even from the end of internal
		91	SEQUENCEs. If any mandatory tag is missing, the error EBADMSG should be
		92	produced. Without this patch ERANGE or ENOPKG might be produced or the parse
		93	may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
		94	later, depending on what gets snipped.
		95
		96	Just snipping off the final BIT_STRING or OCTET_STRING from either sample
		97	should be a start since both are mandatory and neither will cause an EBADMSG
		98	without the patches
		99
		100	CVE: CVE-2016-2053
		101	Upstream-Status: Backport [kernel.org linux-stable 3.16 branch]
		102
		103	Reported-by: Marcel Holtmann <marcel@holtmann.org>
		104	Signed-off-by: David Howells <dhowells@redhat.com>
		105	Tested-by: Marcel Holtmann <marcel@holtmann.org>
		106	Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
		107	Cc: Moritz Muehlenhoff <jmm@inutil.org>
		108	[ luis: backported to 3.16: adjusted context ]
		109	Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
		110	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		111	---
		112	lib/asn1_decoder.c \| 5 ++---
		113	1 file changed, 2 insertions(+), 3 deletions(-)
		114
		115	diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
		116	index 1a000bb..d60ce8a 100644
		117	--- a/lib/asn1_decoder.c
		118	+++ b/lib/asn1_decoder.c
		119	@@ -208,9 +208,8 @@ next_op:
		120	unsigned char tmp;
		121
		122	/* Skip conditional matches if possible */
		123	- if ((op & ASN1_OP_MATCH__COND &&
		124	- flags & FLAG_MATCHED) \|\|
		125	- dp == datalen) {
		126	+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) \|\|
		127	+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
		128	pc += asn1_op_lengths[op];
		129	goto next_op;
		130	}
		131	--
		132	cgit v0.12
		133


diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb index b5a67e64f..ac0f25fee 100644 --- a/recipes-kernel/linux/linux-qoriq_4.1.bb +++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
15	file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \	15	file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \
16	file://CVE-2016-5696-limiting-of-all-challenge.patch \	16	file://CVE-2016-5696-limiting-of-all-challenge.patch \
17	file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \	17	file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
		18	file://CVE-2016-2053.patch \
18	"	19	"
19	SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"	20	SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a"
20		21