diff options
-rw-r--r-- | recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch | 98 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_4.1.bb | 1 |
2 files changed, 99 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch new file mode 100644 index 00000000..5447552f --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq/CVE-2016-0758.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | From af00ae6ef5a2c73f21ba215c476570b7772a14fb Mon Sep 17 00:00:00 2001 | ||
2 | From: David Howells <dhowells@redhat.com> | ||
3 | Date: Tue, 23 Feb 2016 11:03:12 +0000 | ||
4 | Subject: KEYS: Fix ASN.1 indefinite length object parsing | ||
5 | |||
6 | commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream. | ||
7 | |||
8 | This fixes CVE-2016-0758. | ||
9 | |||
10 | In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, | ||
11 | it isn't validated against the remaining amount of data before being added | ||
12 | to the cursor. With a sufficiently large size indicated, the check: | ||
13 | |||
14 | datalen - dp < 2 | ||
15 | |||
16 | may then fail due to integer overflow. | ||
17 | |||
18 | Fix this by checking the length indicated against the amount of remaining | ||
19 | data in both places a definite length is determined. | ||
20 | |||
21 | Whilst we're at it, make the following changes: | ||
22 | |||
23 | (1) Check the maximum size of extended length does not exceed the capacity | ||
24 | of the variable it's being stored in (len) rather than the type that | ||
25 | variable is assumed to be (size_t). | ||
26 | |||
27 | (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the | ||
28 | integer 0. | ||
29 | |||
30 | (3) To reduce confusion, move the initialisation of len outside of: | ||
31 | |||
32 | for (len = 0; n > 0; n--) { | ||
33 | |||
34 | since it doesn't have anything to do with the loop counter n. | ||
35 | |||
36 | CVE: CVE-2016-0758. | ||
37 | Upstream-Status: Backport [backported from kernel.org 3.16 branch] | ||
38 | |||
39 | Signed-off-by: David Howells <dhowells@redhat.com> | ||
40 | Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> | ||
41 | Acked-by: David Woodhouse <David.Woodhouse@intel.com> | ||
42 | Acked-by: Peter Jones <pjones@redhat.com> | ||
43 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
44 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
45 | --- | ||
46 | lib/asn1_decoder.c | 16 +++++++++------- | ||
47 | 1 file changed, 9 insertions(+), 7 deletions(-) | ||
48 | |||
49 | diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c | ||
50 | index d60ce8a..806c5b6 100644 | ||
51 | --- a/lib/asn1_decoder.c | ||
52 | +++ b/lib/asn1_decoder.c | ||
53 | @@ -69,7 +69,7 @@ next_tag: | ||
54 | |||
55 | /* Extract a tag from the data */ | ||
56 | tag = data[dp++]; | ||
57 | - if (tag == 0) { | ||
58 | + if (tag == ASN1_EOC) { | ||
59 | /* It appears to be an EOC. */ | ||
60 | if (data[dp++] != 0) | ||
61 | goto invalid_eoc; | ||
62 | @@ -91,10 +91,8 @@ next_tag: | ||
63 | |||
64 | /* Extract the length */ | ||
65 | len = data[dp++]; | ||
66 | - if (len <= 0x7f) { | ||
67 | - dp += len; | ||
68 | - goto next_tag; | ||
69 | - } | ||
70 | + if (len <= 0x7f) | ||
71 | + goto check_length; | ||
72 | |||
73 | if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { | ||
74 | /* Indefinite length */ | ||
75 | @@ -105,14 +103,18 @@ next_tag: | ||
76 | } | ||
77 | |||
78 | n = len - 0x80; | ||
79 | - if (unlikely(n > sizeof(size_t) - 1)) | ||
80 | + if (unlikely(n > sizeof(len) - 1)) | ||
81 | goto length_too_long; | ||
82 | if (unlikely(n > datalen - dp)) | ||
83 | goto data_overrun_error; | ||
84 | - for (len = 0; n > 0; n--) { | ||
85 | + len = 0; | ||
86 | + for (; n > 0; n--) { | ||
87 | len <<= 8; | ||
88 | len |= data[dp++]; | ||
89 | } | ||
90 | +check_length: | ||
91 | + if (len > datalen - dp) | ||
92 | + goto data_overrun_error; | ||
93 | dp += len; | ||
94 | goto next_tag; | ||
95 | |||
96 | -- | ||
97 | cgit v0.12 | ||
98 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb index ac0f25fe..c97104e9 100644 --- a/recipes-kernel/linux/linux-qoriq_4.1.bb +++ b/recipes-kernel/linux/linux-qoriq_4.1.bb | |||
@@ -16,6 +16,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ | |||
16 | file://CVE-2016-5696-limiting-of-all-challenge.patch \ | 16 | file://CVE-2016-5696-limiting-of-all-challenge.patch \ |
17 | file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ | 17 | file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ |
18 | file://CVE-2016-2053.patch \ | 18 | file://CVE-2016-2053.patch \ |
19 | file://CVE-2016-0758.patch \ | ||
19 | " | 20 | " |
20 | SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a" | 21 | SRCREV = "667e6ba9ca2150b3cabdd0c07b57d1b88ef3b86a" |
21 | 22 | ||