git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit
UBUNTU: SAUCE: KEYS: Fix ASN.1 indefinite length object parsing
author David Howells <dhowells@redhat.com>
Tue, 23 Feb 2016 11:03:12 +0000 (11:03 +0000)
committer Kamal Mostafa <kamal@canonical.com>
Thu, 12 May 2016 20:34:44 +0000 (13:34 -0700)
commit 1ab41ef4d213eef908cf024c3376031d0528e22c
tree 9f0051fa8742d77b0439c392cc6b399070ff3b65
parent 4558973802625490743d561b8c30b9465e805ed1
UBUNTU: SAUCE: KEYS: Fix ASN.1 indefinite length object parsing

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Reference: https://lkml.org/lkml/2016/5/12/270
BugLink: http://bugs.launchpad.net/bugs/1581202
Acked-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
lib/asn1_decoder.c
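The following is an added, stand-alone C model of the length decoding the commit message describes; it is not code from lib/asn1_decoder.c or from this patch. The function and array names (decode_length, header_fits, at_eoc, claims_127 and so on) are the example's own, the ASN1_INDEFINITE_LENGTH and ASN1_EOC values are assumed local stand-ins for the kernel's constants, and every input byte string is constructed here. It shows why `datalen - dp < 2` cannot catch an oversized length once the cursor has been advanced past the buffer (size_t subtraction wraps), how the fix checks the length against the remaining data at both definite-length sites, and the three smaller changes (capacity of len, ASN1_EOC comparison, len initialised outside the loop).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed local stand-ins for the kernel's linux/asn1.h constants. */
#define ASN1_INDEFINITE_LENGTH 0x80
#define ASN1_EOC               0x00

enum len_result { LEN_OK, LEN_INDEFINITE, LEN_TOO_LONG, LEN_TRUNCATED };

/*
 * Decode the BER/DER length octets at data[*dp]; for a definite length,
 * advance *dp past the content so it points at the next TLV.
 *
 * validate == 0 reproduces the pre-fix behaviour: the decoded length is added
 * to the cursor without being compared against the bytes left in the buffer.
 * validate == 1 applies the fix at both places a definite length is determined.
 */
static enum len_result decode_length(const uint8_t *data, size_t datalen,
                                     size_t *dp, size_t *lenp, int validate)
{
    size_t cur = *dp;
    size_t len;
    unsigned int n;

    if (cur >= datalen)
        return LEN_TRUNCATED;

    len = data[cur++];
    if (len > 0x7f) {
        if (len == ASN1_INDEFINITE_LENGTH) {
            *dp = cur;
            return LEN_INDEFINITE;      /* content is terminated by an EOC (0x00 0x00) */
        }
        n = len - 0x80;                 /* long form: number of length octets */
        if (n > sizeof(len) - 1)        /* (1) must fit the variable len itself */
            return LEN_TOO_LONG;
        if (n > datalen - cur)          /* the length octets themselves must be present */
            return LEN_TRUNCATED;
        len = 0;                        /* (3) initialised outside the loop */
        for (; n > 0; n--)
            len = (len << 8) | data[cur++];
    }

    /* The fix: a definite length may not exceed the remaining data. */
    if (validate && len > datalen - cur)
        return LEN_TRUNCATED;

    *lenp = len;
    *dp = cur + len;                    /* unvalidated: may now exceed datalen */
    return LEN_OK;
}

/* The "room for a tag and a length byte" test quoted in the message: with
 * size_t operands it wraps to a huge value once dp has passed datalen. */
static int header_fits(size_t datalen, size_t dp)
{
    return !(datalen - dp < 2);
}

/* (2) EOC detection compares the tag against ASN1_EOC, not a bare 0. */
static int at_eoc(const uint8_t *data, size_t datalen, size_t dp)
{
    return dp < datalen && datalen - dp >= 2 &&
           data[dp] == ASN1_EOC && data[dp + 1] == 0;
}

/* Cursor after decoding the length at data[1], or SIZE_MAX on any error. */
static size_t cursor_after(const uint8_t *data, size_t datalen, int validate)
{
    size_t dp = 1, len = 0;
    if (decode_length(data, datalen, &dp, &len, validate) != LEN_OK)
        return SIZE_MAX;
    return dp;
}

static enum len_result result_of(const uint8_t *data, size_t datalen, int validate)
{
    size_t dp = 1, len = 0;
    return decode_length(data, datalen, &dp, &len, validate);
}

/* Constructed inputs for the example (not taken from any real key or cert). */
static const uint8_t claims_127[]  = { 0x04, 0x7f, 'a', 'b' };            /* 127 claimed, 2 present */
static const uint8_t long_form[]   = { 0x04, 0x81, 0x03, 'a', 'b', 'c' };  /* valid 3-byte OCTET STRING */
static const uint8_t nine_octets[] = { 0x30, 0x89, 0, 0, 0, 0, 0, 0, 0, 0, 1 }; /* 9 length octets */
static const uint8_t indef[]       = { 0x30, 0x80, 0x05, 0x00, 0x00, 0x00 }; /* indefinite SEQUENCE */

int main(void)
{
    size_t dp = cursor_after(claims_127, sizeof claims_127, 0);
    printf("unvalidated: cursor=%zu datalen=%zu header_fits=%d (wrapped)\n",
           dp, sizeof claims_127, header_fits(sizeof claims_127, dp));
    printf("validated:   result=%d (LEN_TRUNCATED=%d)\n",
           result_of(claims_127, sizeof claims_127, 1), LEN_TRUNCATED);
    return 0;
}
```

With the unvalidated path the cursor lands at 129 on a 4-byte buffer, `datalen - dp` wraps, and header_fits() reports that there is room for the next tag and length; the validated path rejects the element before the cursor ever moves.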