From patchwork Wed Nov 1 19:10:22 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10036917
From: Eric Biggers
To: keyrings@vger.kernel.org, David Howells
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH] KEYS: fix out-of-bounds read during ASN.1 parsing
Date: Wed, 1 Nov 2017 12:10:22 -0700
Message-Id: <20171101191022.108942-1-ebiggers3@gmail.com>
From: Eric Biggers

syzkaller with KASAN reported an out-of-bounds read in asn1_ber_decoder().
It can be reproduced by the following command, assuming
CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:

    keyctl add asymmetric desc $'\x30\x30' @s

The bug is that the length of an ASN.1 data value isn't validated in the
case where it is encoded using the short form, causing the decoder to
read past the end of the input buffer.  Fix it by validating the length.

The bug report was:

BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818

CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0xb3/0x10b lib/dump_stack.c:52
 print_address_description+0x79/0x2a0 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x236/0x340 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
 asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
 x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
 x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
 asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
 key_create_or_update+0x347/0xb20 security/keys/key.c:855
 SYSC_add_key security/keys/keyctl.c:122 [inline]
 SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89
RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5
RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder") Cc: # v3.7+ Signed-off-by: Eric Biggers --- lib/asn1_decoder.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index 0bd8a611eb83..fef5d2e114be 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -284,6 +284,9 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, if (unlikely(len > datalen - dp)) goto data_overrun_error; } + } else { + if (unlikely(len > datalen - dp)) + goto data_overrun_error; } if (flags & FLAG_CONS) {
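Review bot: the added `else` branch applies exactly the `len > datalen - dp` test that the long-form branch already performs three lines above it, so the two definite-length forms now end in duplicated code; consider hoisting that one check to just after the closing brace of the `if`, so both forms share it and cannot drift apart again (provided no path inside the long-form branch needs to skip it). Two things worth confirming in the surrounding code rather than in the hunk: `datalen - dp` is an unsigned subtraction, so the new comparison is only meaningful if `dp <= datalen` is guaranteed at this point, i.e. the decoder must already have bounds-checked the tag and length bytes it consumed; and the reproducer in the commit message (`\x30\x30`: tag 0x30 followed by a short-form length of 0x30 = 48 with no content bytes) is precisely the input this branch turns into `data_overrun_error`, so it makes a good regression test.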
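To show the missing check in isolation, here is an added example (not the kernel's code) of a minimal BER tag/length header parser that mirrors the length handling in asn1_ber_decoder(): short form, long form capped at two length octets, indefinite length, and the `len > datalen - dp` bound. The `check_short_form` flag switches the short-form bound that the patch adds on or off; the status codes, function and the two-byte reproducer input are this example's own constructions.

```c
/* Added example, not from lib/asn1_decoder.c: parse one BER tag byte and
 * its length, with the same overrun checks as the kernel decoder. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ber_status { BER_OK = 0, BER_INDEFINITE = 1,
                  BER_LEN_TOO_LONG = -1, BER_OVERRUN = -2 };

/* Reads the header at data[dp] in a buffer of datalen bytes.  On BER_OK,
 * *len_out is the content length and *dp_out the offset of the content.
 * check_short_form == 0 reproduces the pre-patch behaviour, 1 the fix. */
static int ber_read_header(const uint8_t *data, size_t datalen, size_t dp,
                           int check_short_form, size_t *len_out,
                           size_t *dp_out)
{
    size_t len, n;

    if (datalen - dp < 2)          /* need a tag byte and a length byte */
        return BER_OVERRUN;
    dp++;                          /* skip the tag (single-byte tags only) */
    len = data[dp++];
    if (len > 0x7f) {
        if (len == 0x80)           /* indefinite form: content ends at EOC */
            return BER_INDEFINITE;
        n = len - 0x80;            /* number of length octets that follow */
        if (n > 2)                 /* the kernel decoder caps this at two */
            return BER_LEN_TOO_LONG;
        if (n > datalen - dp)      /* length octets themselves must exist */
            return BER_OVERRUN;
        for (len = 0; n > 0; n--) {
            len <<= 8;
            len |= data[dp++];
        }
        if (len > datalen - dp)    /* long-form bound (already present) */
            return BER_OVERRUN;
    } else if (check_short_form && len > datalen - dp) {
        return BER_OVERRUN;        /* short-form bound added by the patch */
    }
    *len_out = len;
    *dp_out = dp;
    return BER_OK;
}

/* Constructed reproducer from the commit message: SEQUENCE tag 0x30 then a
 * short-form length of 0x30 (48 bytes) with no content bytes present. */
static const uint8_t repro[] = { 0x30, 0x30 };

/* Parses the reproducer; without the fix it is accepted with len == 48. */
int parse_repro(int fixed, size_t *len_out)
{
    size_t dp = 0;
    return ber_read_header(repro, sizeof repro, 0, fixed, len_out, &dp);
}
```

With `fixed == 0` the header is accepted claiming 48 content bytes in a 2-byte buffer, which is the read KASAN flagged; with `fixed == 1` the same input is rejected before any content byte is touched.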