src/patches/linux-2.6.20.21-additional_check_on_BER_decoding.patch

   1 From: Chris Wright <chrisw@sous-sol.org>
   2 Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
   3 Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673)
   4 X-Git-Tag: v2.6.25.5~1
   5 X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.25.y.git;a=commitdiff_plain;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c
   6
   7 asn1: additional sanity checking during BER decoding (CVE-2008-1673)
   8
   9 upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5
  10
  11 - Don't trust a length which is greater than the working buffer.
  12   An invalid length could cause overflow when calculating buffer size
  13   for decoding oid.
  14
  15 - An oid length of zero is invalid and allows for an off-by-one error when
  16   decoding oid because the first subid actually encodes first 2 subids.
  17
  18 - A primitive encoding may not have an indefinite length.
  19
  20 Thanks to Wei Wang from McAfee for report.
  21
  22 Cc: Steven French <sfrench@us.ibm.com>
  23 Cc: stable@kernel.org
  24 Acked-by: Patrick McHardy <kaber@trash.net>
  25 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  26 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  27 ---
  28 rediff for Linux-2.6.20.21 by Arne Fitzenreiter <arne_f@ipfire.org>
  29 ---
  30 From: Chris Wright <chrisw@sous-sol.org>
  31 Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
  32 Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673)
  33 X-Git-Tag: v2.6.25.5~1
  34 X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.25.y.git;a=commitdiff_plain;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c
  35
  36 asn1: additional sanity checking during BER decoding (CVE-2008-1673)
  37
  38 upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5
  39
  40 - Don't trust a length which is greater than the working buffer.
  41   An invalid length could cause overflow when calculating buffer size
  42   for decoding oid.
  43
  44 - An oid length of zero is invalid and allows for an off-by-one error when
  45   decoding oid because the first subid actually encodes first 2 subids.
  46
  47 - A primitive encoding may not have an indefinite length.
  48
  49 Thanks to Wei Wang from McAfee for report.
  50
  51 Cc: Steven French <sfrench@us.ibm.com>
  52 Cc: stable@kernel.org
  53 Acked-by: Patrick McHardy <kaber@trash.net>
  54 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  55 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  56 ---
  57 rediff for Linux-2.6.20.21 by Arne Fitzenreiter <arne_f@ipfire.org>
  58 ---
  59 diff -Naur linux-2.6.20.21.org/fs/cifs/asn1.c linux-2.6.20.21/fs/cifs/asn1.c
  60 --- linux-2.6.20.21.org/fs/cifs/asn1.c  2007-10-17 21:31:14.000000000 +0200
  61 +++ linux-2.6.20.21/fs/cifs/asn1.c      2008-06-10 00:09:43.000000000 +0200
  62 @@ -182,6 +182,11 @@
  63                         }
  64                 }
  65         }
  66 +
  67 +       /* don't trust len bigger than ctx buffer */
  68 +       if (*len > ctx->end - ctx->pointer)
  69 +               return 0;
  70 +
  71         return 1;
  72  }
  73
  74 @@ -199,6 +204,10 @@
  75         if (!asn1_length_decode(ctx, &def, &len))
  76                 return 0;
  77
  78 +       /* primitive shall be definite, indefinite shall be constructed */
  79 +       if (*con == ASN1_PRI && !def)
  80 +               return 0;
  81 +
  82         if (def)
  83                 *eoc = ctx->pointer + len;
  84         else
  85 @@ -385,6 +394,10 @@
  86         unsigned long *optr;
  87
  88         size = eoc - ctx->pointer + 1;
  89 +
  90 +       /* first subid actually encodes first two subids */
  91 +       if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
  92 +       return 0;
  93         *oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
  94         if (*oid == NULL) {
  95                 return 0;
  96 diff -Naur linux-2.6.20.21.org/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.20.21/net/ipv4/netfilter/nf_nat_snmp_basic.c
  97 --- linux-2.6.20.21.org/net/ipv4/netfilter/nf_nat_snmp_basic.c  2007-10-17 21:31:14.000000000 +0200
  98 +++ linux-2.6.20.21/net/ipv4/netfilter/nf_nat_snmp_basic.c      2008-06-10 00:03:59.000000000 +0200
  99 @@ -235,6 +235,11 @@
 100                         }
 101                 }
 102         }
 103 +
 104 +       /* don't trust len bigger than ctx buffer */
 105 +       if (*len > ctx->end - ctx->pointer)
 106 +               return 0;
 107 +
 108         return 1;
 109  }
 110
 111 @@ -253,6 +258,10 @@
 112         if (!asn1_length_decode(ctx, &def, &len))
 113                 return 0;
 114
 115 +       /* primitive shall be definite, indefinite shall be constructed */
 116 +       if (*con == ASN1_PRI && !def)
 117 +               return 0;
 118 +
 119         if (def)
 120                 *eoc = ctx->pointer + len;
 121         else
 122 @@ -437,6 +446,11 @@
 123         unsigned long *optr;
 124
 125         size = eoc - ctx->pointer + 1;
 126 +
 127 +       /* first subid actually encodes first two subids */
 128 +       if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
 129 +               return 0;
 130 +
 131         *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 132         if (*oid == NULL) {
 133                 if (net_ratelimit())