android_kernel_samsung_msm8976/lib
Eric Biggers 52ce5d2659 KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.

syzkaller reported a NULL pointer dereference in asn1_ber_decoder().  It
can be reproduced by the following command, assuming
CONFIG_PKCS7_TEST_KEY=y:

        keyctl add pkcs7_test desc '' @s

The bug is that if the data buffer is empty, an integer underflow occurs
in the following check:

        if (unlikely(dp >= datalen - 1))
                goto data_overrun_error;

This results in the NULL data pointer being dereferenced.

Fix it by checking for 'datalen - dp < 2' instead.

Also fix the similar check for 'dp >= datalen - n' later in the same
function.  That one possibly could result in a buffer overread.

The NULL pointer dereference was reproducible using the "pkcs7_test" key
type but not the "asymmetric" key type because the "asymmetric" key type
checks for a 0-length payload before calling into the ASN.1 decoder but
the "pkcs7_test" key type does not.

The bug report was:

    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
    task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
    RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
    RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
    RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS:  00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
    Call Trace:
     pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
     verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
     pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
     key_create_or_update+0x180/0x530 security/keys/key.c:855
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4585c9
    RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
    RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
    RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
    R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
    Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
    RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
    CR2: 0000000000000000

Fixes: 42d5ec27f8 ("X.509: Add an ASN.1 decoder")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 21:45:51 +02:00
lz4 lz4: fix another possible overrun 2016-05-18 14:34:38 +05:30
lzo lzo: check for length overrun in variable length encoding. 2014-10-30 09:35:11 -07:00
mpi Import latest Samsung release 2017-04-18 03:43:52 +02:00
raid6
reed_solomon
xz
zlib_deflate
zlib_inflate
.gitignore
Kconfig lib: add lz4 compressor module 2015-09-16 18:20:12 +05:30
Kconfig.debug time: Remove CONFIG_TIMER_STATS 2017-04-22 23:02:59 +02:00
Kconfig.kasan kasan: enable instrumentation of global variables 2015-05-04 14:03:57 -07:00
Kconfig.kgdb
Kconfig.kmemcheck
Makefile lib: add lz4 compressor module 2015-09-16 18:20:12 +05:30
argv_split.c
asn1_decoder.c KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] 2019-07-27 21:45:51 +02:00
atomic64.c
atomic64_test.c
audit.c
average.c
bcd.c
bch.c
bitmap.c Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
bitrev.c
bsearch.c
btree.c lib/btree.c: fix leak of whole btree nodes 2014-08-07 14:30:27 -07:00
bug.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
build_OID_registry
bust_spinlocks.c
check_signature.c
checksum.c lib/checksum.c: fix build for generic csum_tcpudp_nofold 2015-02-11 14:48:17 +08:00
clz_tab.c
cmdline.c lib/cmdline.c: fix get_options() overflow while parsing ranges 2019-07-27 21:44:24 +02:00
cordic.c
cpu-notifier-error-inject.c
cpu_rmap.c irq: Allow multiple clients to register for irq affinity notification 2014-11-09 15:17:27 -08:00
cpumask.c sched/fair, cpumask: Export for_each_cpu_wrap() 2019-07-27 21:44:52 +02:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
ctype.c
debug_locks.c
debugobjects.c debugobjects: use kmemleak_not_leak for obj_cache 2015-05-29 19:35:14 +05:30
dec_and_lock.c
decompress.c
decompress_bunzip2.c decompress_bunzip2: off by one in get_next_block() 2015-01-27 07:52:33 -08:00
decompress_inflate.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
devres.c This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
digsig.c lib/digsig: fix dereference of NULL user_key_payload 2019-07-27 21:44:22 +02:00
div64.c UPSTREAM: math64: New separate div64_u64_rem helper 2016-05-18 14:36:10 +05:30
dma-debug.c dma-debug: switch check from _text to _stext 2016-02-25 11:57:49 -08:00
dump_stack.c
dynamic_debug.c dynamic_debug: Handle kstrdup failure in dynamic_debug_init 2015-06-20 18:25:48 -07:00
dynamic_queue_limits.c
earlycpio.c
extable.c
fault-inject.c
fdt.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_last_bit.c
find_next_bit.c
flex_array.c
flex_proportions.c
gcd.c
gen_crc32table.c
genalloc.c
halfmd4.c
hexdump.c
hweight.c
idr.c idr: fix overflow bug during maximum ID calculation at maximum height 2014-06-30 20:09:42 -07:00
inflate.c
int_sqrt.c
interval_tree.c
interval_tree_test_main.c
iomap.c lib: iomap: Add MSM RTB support 2014-09-04 19:40:43 -07:00
iomap_copy.c
iommu-helper.c
ioremap.c
iovec.c
irq_regs.c
is_single_threaded.c
jedec_ddr_data.c
kasprintf.c
kfifo.c
klist.c klist: fix starting point removed bug in klist iterators 2016-02-25 11:57:47 -08:00
kobject.c
kobject_uevent.c
kstrtox.c
kstrtox.h
lcm.c
libcrc32c.c
list_debug.c
list_sort.c
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lru_cache.c
md5.c
memory-notifier-error-inject.c
memweight.c
nlattr.c netlink: rate-limit leftover bytes warning and print process name 2014-06-26 15:12:37 -04:00
notifier-error-inject.c
notifier-error-inject.h
of-reconfig-notifier-error-inject.c
oid_registry.c
parser.c
pci_iomap.c
percpu_counter.c
plist.c
pm-notifier-error-inject.c
prio_heap.c
proportions.c
qmi_encdec.c This is the 3.10.84 stable release 2015-09-30 13:25:40 +05:30
qmi_encdec_priv.h
radix-tree.c radix-tree: fix race in gang lookup 2016-02-25 11:57:49 -08:00
random32.c random32: include missing header file 2017-09-08 18:50:21 +00:00
ratelimit.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
rational.c
rbtree.c rbtree: add postorder iteration functions 2015-09-16 18:20:19 +05:30
rbtree_test.c
reciprocal_div.c
scatterlist.c
sha1.c
show_mem.c
smp_processor_id.c
sort.c
stmp_device.c
string.c UPSTREAM: lib/string.c: introduce strreplace() 2016-05-18 14:36:10 +05:30
string_helpers.c
strncpy_from_user.c
strnlen_user.c lib: Fix strnlen_user() to not touch memory after specified maximum 2015-06-05 23:19:54 -07:00
swiotlb.c
syscall.c
test-kstrtox.c
test-string_helpers.c
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ucs2_string.c lib/ucs2_string: Correct ucs2 -> utf8 conversion 2016-03-16 08:41:37 -07:00
usercopy.c
uuid.c
vsprintf.c