diff options
Diffstat (limited to 'recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch')
-rw-r--r-- | recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch | 133 |
1 files changed, 0 insertions, 133 deletions
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch deleted file mode 100644 index 778a99fd..00000000 --- a/recipes-kernel/linux/linux-qoriq/CVE-2016-2053.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 15430f775ee686b61569a0c3e74cf0b2ad57c8eb Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 5 Aug 2015 12:54:46 +0100 -Subject: ASN.1: Fix non-match detection failure on data overrun - -commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream. - -If the ASN.1 decoder is asked to parse a sequence of objects, non-optional -matches get skipped if there's no more data to be had rather than a -data-overrun error being reported. - -This is due to the code segment that decides whether to skip optional -matches (ie. matches that could get ignored because an element is marked -OPTIONAL in the grammar) due to a lack of data also skips non-optional -elements if the data pointer has reached the end of the buffer. - -This can be tested with the data decoder for the new RSA akcipher algorithm -that takes three non-optional integers. Currently, it skips the last -integer if there is insufficient data. - -Without the fix, #defining DEBUG in asn1_decoder.c will show something -like: - - next_op: pc=0/13 dp=0/270 C=0 J=0 - - match? 30 30 00 - - TAG: 30 266 CONS - next_op: pc=2/13 dp=4/270 C=1 J=0 - - match? 02 02 00 - - TAG: 02 257 - - LEAF: 257 - next_op: pc=5/13 dp=265/270 C=1 J=0 - - match? 02 02 00 - - TAG: 02 3 - - LEAF: 3 - next_op: pc=8/13 dp=270/270 C=1 J=0 - next_op: pc=11/13 dp=270/270 C=1 J=0 - - end cons t=4 dp=270 l=270/270 - -The next_op line for pc=8/13 should be followed by a match line. - -This is not exploitable for X.509 certificates by means of shortening the -message and fixing up the ASN.1 CONS tags because: - - (1) The relevant records being built up are cleared before use. - - (2) If the message is shortened sufficiently to remove the public key, the - ASN.1 parse of the RSA key will fail quickly due to a lack of data. - - (3) Extracted signature data is either turned into MPIs (which cope with a - 0 length) or is simpler integers specifying algoritms and suchlike - (which can validly be 0); and - - (4) The AKID and SKID extensions are optional and their removal is handled - without risking passing a NULL to asymmetric_key_generate_id(). - - (5) If the certificate is truncated sufficiently to remove the subject, - issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons - stack underflow' return. - -This is not exploitable for PKCS#7 messages by means of removal of elements -from such a message from the tail end of a sequence: - - (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable - as detailed above. - - (2) The message digest content isn't used if it shows a NULL pointer, - similarly, the authattrs aren't used if that shows a NULL pointer. - - (3) A missing signature results in a NULL MPI - which the MPI routines deal - with. - - (4) If data is NULL, it is expected that the message has detached content and - that is handled appropriately. - - (5) If the serialNumber is excised, the unconditional action associated - with it will pick up the containing SEQUENCE instead, so no NULL - pointer will be seen here. - - If both the issuer and the serialNumber are excised, the ASN.1 decode - will fail with an 'Unexpected tag' return. - - In either case, there's no way to get to asymmetric_key_generate_id() - with a NULL pointer. - - (6) Other fields are decoded to simple integers. Shortening the message - to omit an algorithm ID field will cause checks on this to fail early - in the verification process. - -This can also be tested by snipping objects off of the end of the ASN.1 stream -such that mandatory tags are removed - or even from the end of internal -SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be -produced. Without this patch ERANGE or ENOPKG might be produced or the parse -may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced -later, depending on what gets snipped. - -Just snipping off the final BIT_STRING or OCTET_STRING from either sample -should be a start since both are mandatory and neither will cause an EBADMSG -without the patches - -CVE: CVE-2016-2053 -Upstream-Status: Backport [kernel.org linux-stable 3.16 branch] - -Reported-by: Marcel Holtmann <marcel@holtmann.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Tested-by: Marcel Holtmann <marcel@holtmann.org> -Reviewed-by: David Woodhouse <David.Woodhouse@intel.com> -Cc: Moritz Muehlenhoff <jmm@inutil.org> -[ luis: backported to 3.16: adjusted context ] -Signed-off-by: Luis Henriques <luis.henriques@canonical.com> -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - lib/asn1_decoder.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c -index 1a000bb..d60ce8a 100644 ---- a/lib/asn1_decoder.c -+++ b/lib/asn1_decoder.c -@@ -208,9 +208,8 @@ next_op: - unsigned char tmp; - - /* Skip conditional matches if possible */ -- if ((op & ASN1_OP_MATCH__COND && -- flags & FLAG_MATCHED) || -- dp == datalen) { -+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) || -+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) { - pc += asn1_op_lengths[op]; - goto next_op; - } --- -cgit v0.12 - |