• Takashi Iwai's avatar
    lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string · afdb05e9
    Takashi Iwai authored
    The sprint_oid() utility function doesn't properly check the buffer size
    that it causes that the warning in vsnprintf() be triggered.  For
    example on v4.1 kernel:
    
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
      ...
    
    We can trigger this issue by injecting maliciously crafted x509 cert in
    DER format.  Just using hex editor to change the length of OID to over
    the length of the SEQUENCE container.  For example:
    
        0:d=0  hl=4 l= 980 cons: SEQUENCE
        4:d=1  hl=4 l= 700 cons:  SEQUENCE
        8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
       10:d=3  hl=2 l=   1 prim:    INTEGER           :02
       13:d=2  hl=2 l=   9 prim:   INTEGER           :9B47FAF791E7D1E3
       24:d=2  hl=2 l=  13 cons:   SEQUENCE
       26:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
       37:d=3  hl=2 l=   0 prim:    NULL
       39:d=2  hl=2 l= 121 cons:   SEQUENCE
       41:d=3  hl=2 l=  22 cons:    SET
       43:d=4  hl=2 l=  20 cons:     SEQUENCE      <=== the SEQ length is 20
       45:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
    	<=== the original length is 3, change the length of OID to over the length of SEQUENCE
    
    Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
    patch to fix it by checking the bufsize in sprint_oid().
    
    Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.comSigned-off-by: 's avatarTakashi Iwai <tiwai@suse.de>
    Signed-off-by: 's avatar"Lee, Chun-Yi" <jlee@suse.com>
    Reported-by: 's avatarPawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
    Cc: David Howells <dhowells@redhat.com>
    Cc: Rusty Russell <rusty@rustcorp.com.au>
    Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
    Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
    afdb05e9