lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sun,  3 Sep 2017 10:16:46 +0800
From:   "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:     David Howells <dhowells@...hat.com>
Cc:     linux-kernel@...r.kernel.org, "Lee, Chun-Yi" <jlee@...e.com>,
        Rusty Russell <rusty@...tcorp.com.au>,
        Takashi Iwai <tiwai@...e.de>,
        Pawel Wieczorkiewicz <pwieczorkiewicz@...e.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH] X.509: Fix the buffer overflow in the utility function for OID string

From: Takashi Iwai <tiwai@...e.de>

The sprint_oid() utility function doesn't properly check the buffer
size that it causes that the warning in vsnprintf() be triggered.
For example on v4.1 kernel:

[   49.612536] ------------[ cut here ]------------
[   49.612543] WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
...

We can trigger this issue by injecting maliciously crafted x509 cert
in DER format. Just using hex editor to change the length of OID to
over the length of the SEQUENCE container. For example:

    0:d=0  hl=4 l= 980 cons: SEQUENCE
    4:d=1  hl=4 l= 700 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   9 prim:   INTEGER           :9B47FAF791E7D1E3
   24:d=2  hl=2 l=  13 cons:   SEQUENCE
   26:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim:    NULL
   39:d=2  hl=2 l= 121 cons:   SEQUENCE
   41:d=3  hl=2 l=  22 cons:    SET
   43:d=4  hl=2 l=  20 cons:     SEQUENCE      <=== the SEQ length is 20
   45:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
	<=== the original length is 3, change the length of OID to over the length of SEQUENCE

Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
patch to fix it by checking the bufsize in sprint_oid().

From: Takashi Iwai <tiwai@...e.de>
Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@...e.com>
Cc: David Howells <dhowells@...hat.com>
Cc: Rusty Russell <rusty@...tcorp.com.au>
Cc: Takashi Iwai <tiwai@...e.de>
Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@...e.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
 lib/oid_registry.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/oid_registry.c b/lib/oid_registry.c
index 318f382..41b9e50 100644
--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
 		}
 		ret += count = snprintf(buffer, bufsize, ".%lu", num);
 		buffer += count;
-		bufsize -= count;
-		if (bufsize == 0)
+		if (bufsize <= count)
 			return -ENOBUFS;
+		bufsize -= count;
 	}
 
 	return ret;
-- 
2.10.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ