Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

X.509: Fix out-of-bounds access when parsing extensions

Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.

The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.

Fixes: 30eae2b037af ("KEYS: X.509: Parse Basic Constraints for CA")
Fixes: 567671281a75 ("KEYS: X.509: Parse Key Usage")
Reported-by: Leo Lin <leo@depthfirst.com> # off-list
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Cc: stable@vger.kernel.org # v6.4+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Authored by Lukas Wunner and committed by Herbert Xu
d702c340 31d00156

+4 -4
crypto/asymmetric_keys/x509_cert_parser.c
··· 609 609 * 0x04 is where keyCertSign lands in this bit string 610 610 * 0x80 is where digitalSignature lands in this bit string 611 611 */ 612 - if (v[0] != ASN1_BTS) 613 - return -EBADMSG; 614 612 if (vlen < 4) 613 + return -EBADMSG; 614 + if (v[0] != ASN1_BTS) 615 615 return -EBADMSG; 616 616 if (v[2] >= 8) 617 617 return -EBADMSG; ··· 645 645 * (Expect 0xFF if the CA is TRUE) 646 646 * vlen should match the entire extension size 647 647 */ 648 - if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) 649 - return -EBADMSG; 650 648 if (vlen < 2) 649 + return -EBADMSG; 650 + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) 651 651 return -EBADMSG; 652 652 if (v[1] != vlen - 2) 653 653 return -EBADMSG;
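Review bot: In the Key Usage hunk (lines 612-615), the bound in `if (vlen < 4)` is a bare literal, and nothing beside it says that it must stay ahead of the `v[0]` and `v[2]` reads that follow. A one-line comment stating that 4 covers `v[0]` through `v[3]`, and that the length test has to precede any dereference of `v`, would keep a later reordering from reintroducing the out-of-bounds read.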
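Review bot: In the Basic Constraints hunk (lines 648-652), `if (vlen < 2)` only guarantees that `v[0]` and `v[1]` are readable, and an empty SEQUENCE with `vlen == 2` and `v[1] == 0` passes all three visible checks. Any read of `v[2]` or beyond after this hunk needs its own `vlen` bound; that code is not shown here, so it is worth confirming. A regression test that loads certificates with zero-length Basic Constraints and Key Usage extensions would cover both hunks.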