| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <73423731-F3C2-483A-BDAB-3FEF5471B8EA@linux.dev>
Date: Wed, 22 Oct 2025 14:23:02 +0200
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Lukas Wunner <lukas@...ner.de>
Cc: David Howells <dhowells@...hat.com>,
Ignat Korchagin <ignat@...udflare.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Vivek Goyal <vgoyal@...hat.com>,
keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] crypto: asymmetric_keys - prevent overflow in
asymmetric_key_generate_id
Hi Lukas,
On 13. Oct 2025, at 17:39, Lukas Wunner wrote:
> On Mon, Oct 13, 2025 at 01:40:10PM +0200, Thorsten Blum wrote:
>> Use check_add_overflow() to guard against potential integer overflows
>> when adding the binary blob lengths and the size of an asymmetric_key_id
>> structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
>> possible buffer overflow when copying data from potentially malicious
>> X.509 certificate fields that can be arbitrarily large, such as ASN.1
>> INTEGER serial numbers, issuer names, etc.
>>
>> Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling")
>> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
>
> Reviewed-by: Lukas Wunner <lukas@...ner.de>
Thank you for your review.
I removed stable@ after your feedback to v2, but shouldn't v3 be applied
to stable as well?
Best,
Thorsten
Powered by blists - more mailing lists