1 From 624f5ab8720b3371367327a822c267699c1823b8 Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Tue, 7 Nov 2017 22:29:02 +0000
4 Subject: KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
5
6 From: Eric Biggers <ebiggers@google.com>
7
8 commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.
9
10 syzkaller reported a NULL pointer dereference in asn1_ber_decoder(). It
11 can be reproduced by the following command, assuming
12 CONFIG_PKCS7_TEST_KEY=y:
13
14 keyctl add pkcs7_test desc '' @s
15
16 The bug is that if the data buffer is empty, an integer underflow occurs
17 in the following check:
18
19 if (unlikely(dp >= datalen - 1))
20 goto data_overrun_error;
21
22 This results in the NULL data pointer being dereferenced.
23
24 Fix it by checking for 'datalen - dp < 2' instead.
25
26 Also fix the similar check for 'dp >= datalen - n' later in the same
27 function. That one possibly could result in a buffer overread.
28
29 The NULL pointer dereference was reproducible using the "pkcs7_test" key
30 type but not the "asymmetric" key type because the "asymmetric" key type
31 checks for a 0-length payload before calling into the ASN.1 decoder but
32 the "pkcs7_test" key type does not.
33
34 The bug report was:
35
36 BUG: unable to handle kernel NULL pointer dereference at (null)
37 IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
38 PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
39 Oops: 0000 [#1] SMP
40 Modules linked in:
41 CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
42 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
43 task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
44 RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
45 RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
46 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
47 RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
48 RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
49 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
50 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
51 FS: 00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
52 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
53 CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
54 Call Trace:
55 pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
56 verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
57 pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
58 key_create_or_update+0x180/0x530 security/keys/key.c:855
59 SYSC_add_key security/keys/keyctl.c:122 [inline]
60 SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
61 entry_SYSCALL_64_fastpath+0x1f/0xbe
62 RIP: 0033:0x4585c9
63 RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
64 RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
65 RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
66 RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
67 R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
68 R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
69 Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
70 RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
71 CR2: 0000000000000000
72
73 Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
74 Reported-by: syzbot <syzkaller@googlegroups.com>
75 Signed-off-by: Eric Biggers <ebiggers@google.com>
76 Signed-off-by: David Howells <dhowells@redhat.com>
77 Signed-off-by: James Morris <james.l.morris@oracle.com>
78 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
79
80 ---
81 lib/asn1_decoder.c | 4 ++--
82 1 file changed, 2 insertions(+), 2 deletions(-)
83
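--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -227,7 +227,7 @@ next_op:
 hdr = 2;
 
 /* Extract a tag from the data */
-if (unlikely(dp >= datalen - 1))
+if (unlikely(datalen - dp < 2))
 goto data_overrun_error;
 tag = data[dp++];
 if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
@@ -273,7 +273,7 @@ next_op:
 int n = len - 0x80;
 if (unlikely(n > 2))
 goto length_too_long;
-if (unlikely(dp >= datalen - n))
+if (unlikely(n > datalen - dp))
 goto data_overrun_error;
 hdr += n;
 for (len = 0; n > 0; n--) {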
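Review bot: The new guard `if (unlikely(n > datalen - dp))` in the second hunk compares the `int n` declared two lines above against what is presumably an unsigned difference (in lib/asn1_decoder.c `dp` and `datalen` are `size_t`), so `n` is converted to unsigned and the test is only sound because the `n > 2` check and the `len - 0x80` derivation just above leave `n` small and non-negative (the lower bound is not visible in the hunk). Nothing in the hunk records that dependency; a one-line comment above the check, `/* n is non-negative and <= 2 here, so the unsigned comparison cannot wrap */`, would keep a later refactor of the length handling from silently reintroducing an overread. The same reliance holds for `datalen - dp < 2` in the first hunk, which would underflow if `dp` ever exceeded `datalen`; a comment such as `/* dp <= datalen holds at every iteration, so this subtraction cannot underflow */` documents why the rewritten form is safe where the old one was not. The enclosing decoder loop begins and ends outside both hunks.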