diff options
Diffstat (limited to 'recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch')
-rw-r--r-- | recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch deleted file mode 100644 index 5447552f..00000000 --- a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch +++ /dev/null @@ -1,98 +0,0 @@ -From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Tue, 23 Feb 2016 11:03:12 +0000 -Subject: KEYS: Fix ASN.1 indefinite length object parsing - -commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream. - -This fixes CVE-2016-0758. - -In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, -it isn't validated against the remaining amount of data before being added -to the cursor. With a sufficiently large size indicated, the check: - - datalen - dp < 2 - -may then fail due to integer overflow. - -Fix this by checking the length indicated against the amount of remaining -data in both places a definite length is determined. - -Whilst we're at it, make the following changes: - - (1) Check the maximum size of extended length does not exceed the capacity - of the variable it's being stored in (len) rather than the type that - variable is assumed to be (size_t). - - (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the - integer 0. - - (3) To reduce confusion, move the initialisation of len outside of: - - for (len = 0; n > 0; n--) { - - since it doesn't have anything to do with the loop counter n. - -CVE: CVE-2016-0758. -Upstream-Status: Backport [backported from kernel.org 3.16 branch] - -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> -Acked-by: David Woodhouse <David.Woodhouse@intel.com> -Acked-by: Peter Jones <pjones@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - lib/asn1_decoder.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c -index d60ce8a..806c5b6 100644 ---- a/lib/asn1_decoder.c -+++ b/lib/asn1_decoder.c -@@ -69,7 +69,7 @@ next_tag: - - /* Extract a tag from the data */ - tag = data[dp++]; -- if (tag == 0) { -+ if (tag == ASN1_EOC) { - /* It appears to be an EOC. */ - if (data[dp++] != 0) - goto invalid_eoc; -@@ -91,10 +91,8 @@ next_tag: - - /* Extract the length */ - len = data[dp++]; -- if (len <= 0x7f) { -- dp += len; -- goto next_tag; -- } -+ if (len <= 0x7f) -+ goto check_length; - - if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { - /* Indefinite length */ -@@ -105,14 +103,18 @@ next_tag: - } - - n = len - 0x80; -- if (unlikely(n > sizeof(size_t) - 1)) -+ if (unlikely(n > sizeof(len) - 1)) - goto length_too_long; - if (unlikely(n > datalen - dp)) - goto data_overrun_error; -- for (len = 0; n > 0; n--) { -+ len = 0; -+ for (; n > 0; n--) { - len <<= 8; - len |= data[dp++]; - } -+check_length: -+ if (len > datalen - dp) -+ goto data_overrun_error; - dp += len; - goto next_tag; - --- -cgit v0.12 - |