From patchwork Mon Nov 27 07:15:28 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10075961
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Eric Biggers
To: keyrings@vger.kernel.org, David Howells
Cc: linux-crypto@vger.kernel.org, Alexander Potapenko, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH] ASN.1: check for error from ASN1_OP_END__ACT actions
Date: Sun, 26 Nov 2017 23:15:28 -0800
Message-Id: <20171127071528.25456-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.15.0
X-Mailing-List: linux-crypto@vger.kernel.org

From: Eric Biggers

asn1_ber_decoder() was ignoring errors from actions associated with the opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT, ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this meant the pkcs7_note_signed_info() action (since that was the only user of those opcodes). Fix it by checking for the error, just like the decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature verification, by providing a PKCS#7 message that is misparsed such that a signature's ->authattrs do not contain its ->msgdigest. But it doesn't seem practical in normal cases, due to restrictions on the format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Cc: # v3.7+
Signed-off-by: Eric Biggers
Reviewed-by: James Morris

--- lib/asn1_decoder.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index d77cdfc4b554..dc14beae2c9a 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -439,6 +439,8 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, else act = machine[pc + 1]; ret = actions[act](context, hdr, 0, data + tdp, len); + if (ret < 0) + return ret; } pc += asn1_op_lengths[op]; goto next_op;
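
Review bot: the new `if (ret < 0) return ret;` after `ret = actions[act](context, hdr, 0, data + tdp, len);` repeats by hand a check that the commit message says the other opcode paths already carry, and this one call site went without it since v3.7. Consider routing every action invocation in asn1_ber_decoder() through one small helper that calls the action and propagates a negative return, so a future opcode cannot omit the check again. Separately, only negative values are treated as failure here: a positive return from an action falls through to `pc += asn1_op_lengths[op];` as success, so it is worth a comment at this site, or in the documentation of the action callback type, stating that actions return 0 or a negative errno. Since the message describes a slab leak reachable through a crafted "pkcs7_test" key, a regression test case that feeds such a message and expects the add to fail would also help the stable backports.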