1. 25 Feb, 2018 1 commit
  2. 09 Sep, 2017 1 commit
    • Takashi Iwai's avatar
      lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string · afdb05e9
      Takashi Iwai authored
      The sprint_oid() utility function doesn't properly check the buffer size
      that it causes that the warning in vsnprintf() be triggered.  For
      example on v4.1 kernel:
      
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
        ...
      
      We can trigger this issue by injecting maliciously crafted x509 cert in
      DER format.  Just using hex editor to change the length of OID to over
      the length of the SEQUENCE container.  For example:
      
          0:d=0  hl=4 l= 980 cons: SEQUENCE
          4:d=1  hl=4 l= 700 cons:  SEQUENCE
          8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
         10:d=3  hl=2 l=   1 prim:    INTEGER           :02
         13:d=2  hl=2 l=   9 prim:   INTEGER           :9B47FAF791E7D1E3
         24:d=2  hl=2 l=  13 cons:   SEQUENCE
         26:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
         37:d=3  hl=2 l=   0 prim:    NULL
         39:d=2  hl=2 l= 121 cons:   SEQUENCE
         41:d=3  hl=2 l=  22 cons:    SET
         43:d=4  hl=2 l=  20 cons:     SEQUENCE      <=== the SEQ length is 20
         45:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
      	<=== the original length is 3, change the length of OID to over the length of SEQUENCE
      
      Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
      patch to fix it by checking the bufsize in sprint_oid().
      
      Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.comSigned-off-by: 's avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: 's avatar"Lee, Chun-Yi" <jlee@suse.com>
      Reported-by: 's avatarPawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      afdb05e9
  3. 05 May, 2013 1 commit
  4. 08 Oct, 2012 2 commits
    • David Howells's avatar
      X.509: Add utility functions to render OIDs as strings · 4f73175d
      David Howells authored
      Add a pair of utility functions to render OIDs as strings.  The first takes an
      encoded OID and turns it into a "a.b.c.d" form string:
      
      	int sprint_oid(const void *data, size_t datasize,
      		       char *buffer, size_t bufsize);
      
      The second takes an OID enum index and calls the first on the data held
      therein:
      
      	int sprint_OID(enum OID oid, char *buffer, size_t bufsize);
      Signed-off-by: 's avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: 's avatarRusty Russell <rusty@rustcorp.com.au>
      4f73175d
    • David Howells's avatar
      X.509: Implement simple static OID registry · a77ad6ea
      David Howells authored
      Implement a simple static OID registry that allows the mapping of an encoded
      OID to an enum value for ease of use.
      
      The OID registry index enum appears in the:
      
      	linux/oid_registry.h
      
      header file.  A script generates the registry from lines in the header file
      that look like:
      
      	<sp*>OID_foo,<sp*>/*<sp*>1.2.3.4<sp*>*/
      
      The actual OID is taken to be represented by the numbers with interpolated
      dots in the comment.
      
      All other lines in the header are ignored.
      
      The registry is queries by calling:
      
      	OID look_up_oid(const void *data, size_t datasize);
      
      This returns a number from the registry enum representing the OID if found or
      OID__NR if not.
      Signed-off-by: 's avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: 's avatarRusty Russell <rusty@rustcorp.com.au>
      a77ad6ea