Message-ID: <aOtbBJtU2NixkYuE@wunner.de>
Date: Sun, 12 Oct 2025 09:38:44 +0200
From: Lukas Wunner <lukas@...ner.de>
To: Thorsten Blum <thorsten.blum@...ux.dev>
Cc: David Howells <dhowells@...hat.com>,
Ignat Korchagin <ignat@...udflare.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
On Tue, Oct 07, 2025 at 08:52:20PM +0200, Thorsten Blum wrote:
> +++ b/crypto/asymmetric_keys/asymmetric_type.c
> @@ -141,12 +142,13 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
> size_t len_2)
> {
> struct asymmetric_key_id *kid;
> + size_t len;
>
> - kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
> - GFP_KERNEL);
> + len = size_add(len_1, len_2);
> + kid = kmalloc(struct_size(kid, data, len), GFP_KERNEL);
> if (!kid)
> return ERR_PTR(-ENOMEM);
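Review bot: size_add() in `+ len = size_add(len_1, len_2);` saturates to SIZE_MAX on overflow instead of reporting it, so an overflowing len_1 + len_2 is only rejected indirectly when kmalloc() refuses the saturated allocation, and the caller then sees -ENOMEM as if the system were short of memory rather than an error about the input. Replacing it with check_add_overflow(len_1, len_2, &len) and returning ERR_PTR(-EOVERFLOW) when it reports overflow makes the rejection explicit and distinguishable.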
This should error out on overflow, rather than continuing with a
SIZE_MAX length. So how about using check_add_overflow() instead
of size_add() and returning -EOVERFLOW if that returns true?
asymmetric_key_generate_id() is invoked, among other things, with
the raw serial number from the X.509 certificate, which is an
ASN.1 INTEGER, which can be arbitrarily large. (You may want to
mention that in the commit message.) So checking for overflows
does seem to make sense to guard against maliciously crafted
certificates.
Thanks,
Lukas
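The three length computations discussed above (the pre-patch plain sum, the patch's saturating size_add(), and the suggested checked addition), as an added userspace model that is not code from the patch or from the kernel; the struct layout is assumed for illustration and check_add_overflow() is modelled with the compiler builtin it wraps.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct asymmetric_key_id {	/* userspace model; layout assumed for illustration */
	unsigned short len;
	unsigned char data[];
};

/* Stand-in for the kernel's size_add(): saturates to SIZE_MAX on overflow. */
static size_t model_size_add(size_t a, size_t b)
{
	size_t sum;
	return __builtin_add_overflow(a, b, &sum) ? SIZE_MAX : sum;
}

/* Before the patch: plain addition silently wraps to a small bogus size. */
size_t id_alloc_size_unchecked(size_t len_1, size_t len_2)
{
	return sizeof(struct asymmetric_key_id) + len_1 + len_2;
}

/* The patch as posted: arithmetic saturates, but the overflow is never reported. */
size_t id_alloc_size_saturating(size_t len_1, size_t len_2)
{
	return model_size_add(sizeof(struct asymmetric_key_id), model_size_add(len_1, len_2));
}

/* The reviewer's suggestion: detect the overflow and fail with -EOVERFLOW. */
struct asymmetric_key_id *generate_id(const void *val_1, size_t len_1,
				      const void *val_2, size_t len_2, int *err)
{
	struct asymmetric_key_id *kid;
	size_t len, size;
	if (__builtin_add_overflow(len_1, len_2, &len) ||
	    __builtin_add_overflow(sizeof(*kid), len, &size)) {
		*err = -EOVERFLOW;
		return NULL;
	}
	kid = malloc(size);
	if (!kid) {
		*err = -ENOMEM;
		return NULL;
	}
	*err = 0;
	kid->len = (unsigned short)len;
	memcpy(kid->data, val_1, len_1);
	memcpy(kid->data + len_1, val_2, len_2);
	return kid;
}
```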