diff options
author | Li Zhou <li.zhou@windriver.com> | 2020-09-02 16:19:30 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-09-10 13:21:41 +0100 |
commit | 5cf27f353b4530808301607b184cefa29e7ca84d (patch) | |
tree | 92d61204f7eff849be69c37e84406b416dd5e56f /meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch | |
parent | 301132a6d0dbaf4b6d032681852fe1f4f3b776dc (diff) | |
download | poky-5cf27f353b4530808301607b184cefa29e7ca84d.tar.gz |
bind: Security Advisory - bind - CVE-2020-8623
Backport patch from <https://gitlab.isc.org/isc-projects/bind9/
commit/8d807cc21655eaa6e6a08afafeec3682c0f3f2ab> to solve CVE-2020-8623.
(From OE-Core rev: cfbd144e94452bc4a197b284b5ec47cfff5b0047)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch | 402 |
1 files changed, 402 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch new file mode 100644 index 0000000000..8e5412a89e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch | |||
@@ -0,0 +1,402 @@ | |||
1 | From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org> | ||
3 | Date: Tue, 21 Jul 2020 14:42:47 +0200 | ||
4 | Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used | ||
5 | |||
6 | When pk11_numbits() is passed a user provided input that contains all | ||
7 | zeroes (via crafted DNS message), it would crash with assertion | ||
8 | failure. Fix that by properly handling such input. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2020-8623 | ||
12 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
13 | --- | ||
14 | lib/dns/pkcs11dh_link.c | 15 ++++++- | ||
15 | lib/dns/pkcs11dsa_link.c | 8 +++- | ||
16 | lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- | ||
17 | lib/isc/include/pk11/internal.h | 3 +- | ||
18 | lib/isc/pk11.c | 61 ++++++++++++++++--------- | ||
19 | 5 files changed, 121 insertions(+), 45 deletions(-) | ||
20 | |||
21 | diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c | ||
22 | index e2b60ea7c5..4cd8e32d60 100644 | ||
23 | --- a/lib/dns/pkcs11dh_link.c | ||
24 | +++ b/lib/dns/pkcs11dh_link.c | ||
25 | @@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
26 | CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; | ||
27 | CK_ATTRIBUTE *attr; | ||
28 | int special = 0; | ||
29 | + unsigned int bits; | ||
30 | isc_result_t result; | ||
31 | |||
32 | isc_buffer_remainingregion(data, &r); | ||
33 | @@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
34 | pub = r.base; | ||
35 | isc_region_consume(&r, publen); | ||
36 | |||
37 | - key->key_size = pk11_numbits(prime, plen_); | ||
38 | + result = pk11_numbits(prime, plen_, &bits); | ||
39 | + if (result != ISC_R_SUCCESS) { | ||
40 | + goto cleanup; | ||
41 | + } | ||
42 | + key->key_size = bits; | ||
43 | |||
44 | dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); | ||
45 | if (dh->repr == NULL) | ||
46 | @@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
47 | dst_private_t priv; | ||
48 | isc_result_t ret; | ||
49 | int i; | ||
50 | + unsigned int bits; | ||
51 | pk11_object_t *dh = NULL; | ||
52 | CK_ATTRIBUTE *attr; | ||
53 | isc_mem_t *mctx; | ||
54 | @@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
55 | |||
56 | attr = pk11_attribute_bytype(dh, CKA_PRIME); | ||
57 | INSIST(attr != NULL); | ||
58 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
59 | + | ||
60 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
61 | + if (ret != ISC_R_SUCCESS) { | ||
62 | + goto err; | ||
63 | + } | ||
64 | + key->key_size = bits; | ||
65 | |||
66 | return (ISC_R_SUCCESS); | ||
67 | |||
68 | diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c | ||
69 | index 12d707a112..24d4c149ff 100644 | ||
70 | --- a/lib/dns/pkcs11dsa_link.c | ||
71 | +++ b/lib/dns/pkcs11dsa_link.c | ||
72 | @@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
73 | dst_private_t priv; | ||
74 | isc_result_t ret; | ||
75 | int i; | ||
76 | + unsigned int bits; | ||
77 | pk11_object_t *dsa = NULL; | ||
78 | CK_ATTRIBUTE *attr; | ||
79 | isc_mem_t *mctx = key->mctx; | ||
80 | @@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
81 | |||
82 | attr = pk11_attribute_bytype(dsa, CKA_PRIME); | ||
83 | INSIST(attr != NULL); | ||
84 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
85 | + | ||
86 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
87 | + if (ret != ISC_R_SUCCESS) { | ||
88 | + goto err; | ||
89 | + } | ||
90 | + key->key_size = bits; | ||
91 | |||
92 | return (ISC_R_SUCCESS); | ||
93 | |||
94 | diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c | ||
95 | index 096c1a8e91..1d10d26564 100644 | ||
96 | --- a/lib/dns/pkcs11rsa_link.c | ||
97 | +++ b/lib/dns/pkcs11rsa_link.c | ||
98 | @@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
99 | key->key_alg == DST_ALG_RSASHA256 || | ||
100 | key->key_alg == DST_ALG_RSASHA512); | ||
101 | #endif | ||
102 | + REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); | ||
103 | |||
104 | /* | ||
105 | * Reject incorrect RSA key lengths. | ||
106 | @@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
107 | for (attr = pk11_attribute_first(rsa); | ||
108 | attr != NULL; | ||
109 | attr = pk11_attribute_next(rsa, attr)) | ||
110 | + { | ||
111 | switch (attr->type) { | ||
112 | case CKA_MODULUS: | ||
113 | INSIST(keyTemplate[5].type == attr->type); | ||
114 | @@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
115 | memmove(keyTemplate[6].pValue, attr->pValue, | ||
116 | attr->ulValueLen); | ||
117 | keyTemplate[6].ulValueLen = attr->ulValueLen; | ||
118 | - if (pk11_numbits(attr->pValue, | ||
119 | - attr->ulValueLen) > maxbits && | ||
120 | - maxbits != 0) | ||
121 | + unsigned int bits; | ||
122 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, | ||
123 | + &bits); | ||
124 | + if (ret != ISC_R_SUCCESS || | ||
125 | + (bits > maxbits && maxbits != 0)) { | ||
126 | DST_RET(DST_R_VERIFYFAILURE); | ||
127 | + } | ||
128 | break; | ||
129 | } | ||
130 | + } | ||
131 | pk11_ctx->object = CK_INVALID_HANDLE; | ||
132 | pk11_ctx->ontoken = false; | ||
133 | PK11_RET(pkcs_C_CreateObject, | ||
134 | @@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
135 | keyTemplate[5].ulValueLen = attr->ulValueLen; | ||
136 | break; | ||
137 | case CKA_PUBLIC_EXPONENT: | ||
138 | + unsigned int bits; | ||
139 | INSIST(keyTemplate[6].type == attr->type); | ||
140 | keyTemplate[6].pValue = isc_mem_get(dctx->mctx, | ||
141 | attr->ulValueLen); | ||
142 | @@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
143 | memmove(keyTemplate[6].pValue, attr->pValue, | ||
144 | attr->ulValueLen); | ||
145 | keyTemplate[6].ulValueLen = attr->ulValueLen; | ||
146 | - if (pk11_numbits(attr->pValue, | ||
147 | - attr->ulValueLen) | ||
148 | - > RSA_MAX_PUBEXP_BITS) | ||
149 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, | ||
150 | + &bits); | ||
151 | + if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) | ||
152 | + { | ||
153 | DST_RET(DST_R_VERIFYFAILURE); | ||
154 | + } | ||
155 | break; | ||
156 | } | ||
157 | pk11_ctx->object = CK_INVALID_HANDLE; | ||
158 | @@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
159 | CK_BYTE *exponent = NULL, *modulus = NULL; | ||
160 | CK_ATTRIBUTE *attr; | ||
161 | unsigned int length; | ||
162 | + unsigned int bits; | ||
163 | + isc_result_t ret = ISC_R_SUCCESS; | ||
164 | |||
165 | isc_buffer_remainingregion(data, &r); | ||
166 | if (r.length == 0) | ||
167 | @@ -1478,9 +1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
168 | |||
169 | if (e_bytes == 0) { | ||
170 | if (r.length < 2) { | ||
171 | - isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
172 | - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
173 | - return (DST_R_INVALIDPUBLICKEY); | ||
174 | + DST_RET(DST_R_INVALIDPUBLICKEY); | ||
175 | } | ||
176 | e_bytes = (*r.base) << 8; | ||
177 | isc_region_consume(&r, 1); | ||
178 | @@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
179 | } | ||
180 | |||
181 | if (r.length < e_bytes) { | ||
182 | - isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
183 | - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
184 | - return (DST_R_INVALIDPUBLICKEY); | ||
185 | + DST_RET(DST_R_INVALIDPUBLICKEY); | ||
186 | } | ||
187 | exponent = r.base; | ||
188 | isc_region_consume(&r, e_bytes); | ||
189 | modulus = r.base; | ||
190 | mod_bytes = r.length; | ||
191 | |||
192 | - key->key_size = pk11_numbits(modulus, mod_bytes); | ||
193 | + ret = pk11_numbits(modulus, mod_bytes, &bits); | ||
194 | + if (ret != ISC_R_SUCCESS) { | ||
195 | + goto err; | ||
196 | + } | ||
197 | + key->key_size = bits; | ||
198 | |||
199 | isc_buffer_forward(data, length); | ||
200 | |||
201 | @@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
202 | rsa->repr, | ||
203 | rsa->attrcnt * sizeof(*attr)); | ||
204 | } | ||
205 | + ret = ISC_R_NOMEMORY; | ||
206 | + | ||
207 | + err: | ||
208 | isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
209 | isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
210 | - return (ISC_R_NOMEMORY); | ||
211 | + return (ret); | ||
212 | } | ||
213 | |||
214 | static isc_result_t | ||
215 | @@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, | ||
216 | pk11_object_t *pubrsa; | ||
217 | pk11_context_t *pk11_ctx = NULL; | ||
218 | isc_result_t ret; | ||
219 | + unsigned int bits; | ||
220 | |||
221 | if (label == NULL) | ||
222 | return (DST_R_NOENGINE); | ||
223 | @@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, | ||
224 | |||
225 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
226 | INSIST(attr != NULL); | ||
227 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
228 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
229 | + if (ret != ISC_R_SUCCESS) { | ||
230 | + goto err; | ||
231 | + } | ||
232 | + key->key_size = bits; | ||
233 | |||
234 | return (ISC_R_SUCCESS); | ||
235 | |||
236 | @@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
237 | CK_ATTRIBUTE *attr; | ||
238 | isc_mem_t *mctx = key->mctx; | ||
239 | const char *engine = NULL, *label = NULL; | ||
240 | + unsigned int bits; | ||
241 | |||
242 | /* read private key file */ | ||
243 | ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); | ||
244 | @@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
245 | |||
246 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
247 | INSIST(attr != NULL); | ||
248 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
249 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
250 | + if (ret != ISC_R_SUCCESS) { | ||
251 | + goto err; | ||
252 | + } | ||
253 | + key->key_size = bits; | ||
254 | |||
255 | attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); | ||
256 | INSIST(attr != NULL); | ||
257 | - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) | ||
258 | + | ||
259 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
260 | + if (ret != ISC_R_SUCCESS) { | ||
261 | + goto err; | ||
262 | + } | ||
263 | + if (bits > RSA_MAX_PUBEXP_BITS) { | ||
264 | DST_RET(ISC_R_RANGE); | ||
265 | + } | ||
266 | |||
267 | dst__privstruct_free(&priv, mctx); | ||
268 | isc_safe_memwipe(&priv, sizeof(priv)); | ||
269 | @@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, | ||
270 | pk11_context_t *pk11_ctx = NULL; | ||
271 | isc_result_t ret; | ||
272 | unsigned int i; | ||
273 | + unsigned int bits; | ||
274 | |||
275 | UNUSED(pin); | ||
276 | |||
277 | @@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, | ||
278 | |||
279 | attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); | ||
280 | INSIST(attr != NULL); | ||
281 | - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) | ||
282 | + | ||
283 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
284 | + if (ret != ISC_R_SUCCESS) { | ||
285 | + goto err; | ||
286 | + } | ||
287 | + if (bits > RSA_MAX_PUBEXP_BITS) { | ||
288 | DST_RET(ISC_R_RANGE); | ||
289 | + } | ||
290 | |||
291 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
292 | INSIST(attr != NULL); | ||
293 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
294 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
295 | + if (ret != ISC_R_SUCCESS) { | ||
296 | + goto err; | ||
297 | + } | ||
298 | + key->key_size = bits; | ||
299 | |||
300 | pk11_return_session(pk11_ctx); | ||
301 | isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); | ||
302 | diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h | ||
303 | index aa8907ab08..7cc8ec812b 100644 | ||
304 | --- a/lib/isc/include/pk11/internal.h | ||
305 | +++ b/lib/isc/include/pk11/internal.h | ||
306 | @@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size); | ||
307 | |||
308 | CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); | ||
309 | |||
310 | -unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); | ||
311 | +isc_result_t | ||
312 | +pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); | ||
313 | |||
314 | CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); | ||
315 | |||
316 | diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c | ||
317 | index 012afd968a..4e4052044b 100644 | ||
318 | --- a/lib/isc/pk11.c | ||
319 | +++ b/lib/isc/pk11.c | ||
320 | @@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) { | ||
321 | return (token->slotid); | ||
322 | } | ||
323 | |||
324 | -unsigned int | ||
325 | -pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { | ||
326 | +isc_result_t | ||
327 | +pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { | ||
328 | unsigned int bitcnt, i; | ||
329 | CK_BYTE top; | ||
330 | |||
331 | - if (bytecnt == 0) | ||
332 | - return (0); | ||
333 | + if (bytecnt == 0) { | ||
334 | + *bits = 0; | ||
335 | + return (ISC_R_SUCCESS); | ||
336 | + } | ||
337 | bitcnt = bytecnt * 8; | ||
338 | for (i = 0; i < bytecnt; i++) { | ||
339 | top = data[i]; | ||
340 | @@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { | ||
341 | bitcnt -= 8; | ||
342 | continue; | ||
343 | } | ||
344 | - if (top & 0x80) | ||
345 | - return (bitcnt); | ||
346 | - if (top & 0x40) | ||
347 | - return (bitcnt - 1); | ||
348 | - if (top & 0x20) | ||
349 | - return (bitcnt - 2); | ||
350 | - if (top & 0x10) | ||
351 | - return (bitcnt - 3); | ||
352 | - if (top & 0x08) | ||
353 | - return (bitcnt - 4); | ||
354 | - if (top & 0x04) | ||
355 | - return (bitcnt - 5); | ||
356 | - if (top & 0x02) | ||
357 | - return (bitcnt - 6); | ||
358 | - if (top & 0x01) | ||
359 | - return (bitcnt - 7); | ||
360 | + if (top & 0x80) { | ||
361 | + *bits = bitcnt; | ||
362 | + return (ISC_R_SUCCESS); | ||
363 | + } | ||
364 | + if (top & 0x40) { | ||
365 | + *bits = bitcnt - 1; | ||
366 | + return (ISC_R_SUCCESS); | ||
367 | + } | ||
368 | + if (top & 0x20) { | ||
369 | + *bits = bitcnt - 2; | ||
370 | + return (ISC_R_SUCCESS); | ||
371 | + } | ||
372 | + if (top & 0x10) { | ||
373 | + *bits = bitcnt - 3; | ||
374 | + return (ISC_R_SUCCESS); | ||
375 | + } | ||
376 | + if (top & 0x08) { | ||
377 | + *bits = bitcnt - 4; | ||
378 | + return (ISC_R_SUCCESS); | ||
379 | + } | ||
380 | + if (top & 0x04) { | ||
381 | + *bits = bitcnt - 5; | ||
382 | + return (ISC_R_SUCCESS); | ||
383 | + } | ||
384 | + if (top & 0x02) { | ||
385 | + *bits = bitcnt - 6; | ||
386 | + return (ISC_R_SUCCESS); | ||
387 | + } | ||
388 | + if (top & 0x01) { | ||
389 | + *bits = bitcnt - 7; | ||
390 | + return (ISC_R_SUCCESS); | ||
391 | + } | ||
392 | break; | ||
393 | } | ||
394 | - INSIST(0); | ||
395 | - ISC_UNREACHABLE(); | ||
396 | + return (ISC_R_RANGE); | ||
397 | } | ||
398 | |||
399 | CK_ATTRIBUTE * | ||
400 | -- | ||
401 | 2.17.1 | ||
402 | |||