• Eric Biggers's avatar
    ASN.1: fix out-of-bounds read when parsing indefinite length item · e0058f3a
    Eric Biggers authored
    In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
    to the action functions before their lengths had been computed, using
    the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
    reading data past the end of the input buffer, when given a specially
    crafted message.
    
    Fix it by rearranging the code so that the indefinite length is resolved
    before the action is called.
    
    This bug was originally found by fuzzing the X.509 parser in userspace
    using libFuzzer from the LLVM project.
    
    KASAN report (cleaned up slightly):
    
        BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
        BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
        Read of size 128 at addr ffff880035dd9eaf by task keyctl/195
    
        CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bb #26
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:17 [inline]
         dump_stack+0xd1/0x175 lib/dump_stack.c:53
         print_address_description+0x78/0x260 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x23f/0x350 mm/kasan/report.c:409
         memcpy+0x1f/0x50 mm/kasan/kasan.c:302
         memcpy ./include/linux/string.h:341 [inline]
         x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
         asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
         x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
         x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
         asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
         key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
         SYSC_add_key security/keys/keyctl.c:122 [inline]
         SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
         entry_SYSCALL_64_fastpath+0x1f/0x96
    
        Allocated by task 195:
         __do_kmalloc_node mm/slab.c:3675 [inline]
         __kmalloc_node+0x47/0x60 mm/slab.c:3682
         kvmalloc ./include/linux/mm.h:540 [inline]
         SYSC_add_key security/keys/keyctl.c:104 [inline]
         SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
         entry_SYSCALL_64_fastpath+0x1f/0x96
    
    Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
    Reported-by: default avatarAlexander Potapenko <glider@google.com>
    Cc: <stable@vger.kernel.org> # v3.7+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    e0058f3a
asn1_decoder.c 13.3 KB