ASN.1: fix out-of-bounds read when parsing indefinite length item
authorEric Biggers <ebiggers@google.com>
Fri, 8 Dec 2017 15:13:27 +0000 (15:13 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Dec 2017 08:52:52 +0000 (09:52 +0100)
commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
to the action functions before their lengths had been computed, using
the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
reading data past the end of the input buffer, when given a specially
crafted message.

Fix it by rearranging the code so that the indefinite length is resolved
before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace
using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
lib/asn1_decoder.c

index 1ef0cec..d77cdfc 100644 (file)
@@ -313,42 +313,47 @@ next_op:
 
        /* Decide how to handle the operation */
        switch (op) {
-       case ASN1_OP_MATCH_ANY_ACT:
-       case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
-       case ASN1_OP_COND_MATCH_ANY_ACT:
-       case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
-               ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
-               if (ret < 0)
-                       return ret;
-               goto skip_data;
-
-       case ASN1_OP_MATCH_ACT:
-       case ASN1_OP_MATCH_ACT_OR_SKIP:
-       case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
-               ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
-               if (ret < 0)
-                       return ret;
-               goto skip_data;
-
        case ASN1_OP_MATCH:
        case ASN1_OP_MATCH_OR_SKIP:
+       case ASN1_OP_MATCH_ACT:
+       case ASN1_OP_MATCH_ACT_OR_SKIP:
        case ASN1_OP_MATCH_ANY:
        case ASN1_OP_MATCH_ANY_OR_SKIP:
+       case ASN1_OP_MATCH_ANY_ACT:
+       case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
        case ASN1_OP_COND_MATCH_OR_SKIP:
+       case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
        case ASN1_OP_COND_MATCH_ANY:
        case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
-       skip_data:
+       case ASN1_OP_COND_MATCH_ANY_ACT:
+       case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+
                if (!(flags & FLAG_CONS)) {
                        if (flags & FLAG_INDEFINITE_LENGTH) {
+                               size_t tmp = dp;
+
                                ret = asn1_find_indefinite_length(
-                                       data, datalen, &dp, &len, &errmsg);
+                                       data, datalen, &tmp, &len, &errmsg);
                                if (ret < 0)
                                        goto error;
-                       } else {
-                               dp += len;
                        }
                        pr_debug("- LEAF: %zu\n", len);
                }
+
+               if (op & ASN1_OP_MATCH__ACT) {
+                       unsigned char act;
+
+                       if (op & ASN1_OP_MATCH__ANY)
+                               act = machine[pc + 1];
+                       else
+                               act = machine[pc + 2];
+                       ret = actions[act](context, hdr, tag, data + dp, len);
+                       if (ret < 0)
+                               return ret;
+               }
+
+               if (!(flags & FLAG_CONS))
+                       dp += len;
                pc += asn1_op_lengths[op];
                goto next_op;