mirror of
https://github.com/torvalds/linux.git
synced 2024-12-11 21:52:04 +00:00
afdb05e9d6
The sprint_oid() utility function doesn't properly check the buffer size that it causes that the warning in vsnprintf() be triggered. For example on v4.1 kernel: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0() ... We can trigger this issue by injecting maliciously crafted x509 cert in DER format. Just using hex editor to change the length of OID to over the length of the SEQUENCE container. For example: 0:d=0 hl=4 l= 980 cons: SEQUENCE 4:d=1 hl=4 l= 700 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 9 prim: INTEGER :9B47FAF791E7D1E3 24:d=2 hl=2 l= 13 cons: SEQUENCE 26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 37:d=3 hl=2 l= 0 prim: NULL 39:d=2 hl=2 l= 121 cons: SEQUENCE 41:d=3 hl=2 l= 22 cons: SET 43:d=4 hl=2 l= 20 cons: SEQUENCE <=== the SEQ length is 20 45:d=5 hl=2 l= 3 prim: OBJECT :organizationName <=== the original length is 3, change the length of OID to over the length of SEQUENCE Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided patch to fix it by checking the bufsize in sprint_oid(). Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com> Cc: David Howells <dhowells@redhat.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
176 lines
3.8 KiB
C
176 lines
3.8 KiB
C
/* ASN.1 Object identifier (OID) registry
|
|
*
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/export.h>
|
|
#include <linux/oid_registry.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/bug.h>
|
|
#include "oid_registry_data.c"
|
|
|
|
MODULE_DESCRIPTION("OID Registry");
|
|
MODULE_AUTHOR("Red Hat, Inc.");
|
|
MODULE_LICENSE("GPL");
|
|
|
|
/**
|
|
* look_up_OID - Find an OID registration for the specified data
|
|
* @data: Binary representation of the OID
|
|
* @datasize: Size of the binary representation
|
|
*/
|
|
enum OID look_up_OID(const void *data, size_t datasize)
|
|
{
|
|
const unsigned char *octets = data;
|
|
enum OID oid;
|
|
unsigned char xhash;
|
|
unsigned i, j, k, hash;
|
|
size_t len;
|
|
|
|
/* Hash the OID data */
|
|
hash = datasize - 1;
|
|
|
|
for (i = 0; i < datasize; i++)
|
|
hash += octets[i] * 33;
|
|
hash = (hash >> 24) ^ (hash >> 16) ^ (hash >> 8) ^ hash;
|
|
hash &= 0xff;
|
|
|
|
/* Binary search the OID registry. OIDs are stored in ascending order
|
|
* of hash value then ascending order of size and then in ascending
|
|
* order of reverse value.
|
|
*/
|
|
i = 0;
|
|
k = OID__NR;
|
|
while (i < k) {
|
|
j = (i + k) / 2;
|
|
|
|
xhash = oid_search_table[j].hash;
|
|
if (xhash > hash) {
|
|
k = j;
|
|
continue;
|
|
}
|
|
if (xhash < hash) {
|
|
i = j + 1;
|
|
continue;
|
|
}
|
|
|
|
oid = oid_search_table[j].oid;
|
|
len = oid_index[oid + 1] - oid_index[oid];
|
|
if (len > datasize) {
|
|
k = j;
|
|
continue;
|
|
}
|
|
if (len < datasize) {
|
|
i = j + 1;
|
|
continue;
|
|
}
|
|
|
|
/* Variation is most likely to be at the tail end of the
|
|
* OID, so do the comparison in reverse.
|
|
*/
|
|
while (len > 0) {
|
|
unsigned char a = oid_data[oid_index[oid] + --len];
|
|
unsigned char b = octets[len];
|
|
if (a > b) {
|
|
k = j;
|
|
goto next;
|
|
}
|
|
if (a < b) {
|
|
i = j + 1;
|
|
goto next;
|
|
}
|
|
}
|
|
return oid;
|
|
next:
|
|
;
|
|
}
|
|
|
|
return OID__NR;
|
|
}
|
|
EXPORT_SYMBOL_GPL(look_up_OID);
|
|
|
|
/*
|
|
* sprint_OID - Print an Object Identifier into a buffer
|
|
* @data: The encoded OID to print
|
|
* @datasize: The size of the encoded OID
|
|
* @buffer: The buffer to render into
|
|
* @bufsize: The size of the buffer
|
|
*
|
|
* The OID is rendered into the buffer in "a.b.c.d" format and the number of
|
|
* bytes is returned. -EBADMSG is returned if the data could not be intepreted
|
|
* and -ENOBUFS if the buffer was too small.
|
|
*/
|
|
int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
|
|
{
|
|
const unsigned char *v = data, *end = v + datasize;
|
|
unsigned long num;
|
|
unsigned char n;
|
|
size_t ret;
|
|
int count;
|
|
|
|
if (v >= end)
|
|
return -EBADMSG;
|
|
|
|
n = *v++;
|
|
ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
|
|
buffer += count;
|
|
bufsize -= count;
|
|
if (bufsize == 0)
|
|
return -ENOBUFS;
|
|
|
|
while (v < end) {
|
|
num = 0;
|
|
n = *v++;
|
|
if (!(n & 0x80)) {
|
|
num = n;
|
|
} else {
|
|
num = n & 0x7f;
|
|
do {
|
|
if (v >= end)
|
|
return -EBADMSG;
|
|
n = *v++;
|
|
num <<= 7;
|
|
num |= n & 0x7f;
|
|
} while (n & 0x80);
|
|
}
|
|
ret += count = snprintf(buffer, bufsize, ".%lu", num);
|
|
buffer += count;
|
|
if (bufsize <= count)
|
|
return -ENOBUFS;
|
|
bufsize -= count;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(sprint_oid);
|
|
|
|
/**
|
|
* sprint_OID - Print an Object Identifier into a buffer
|
|
* @oid: The OID to print
|
|
* @buffer: The buffer to render into
|
|
* @bufsize: The size of the buffer
|
|
*
|
|
* The OID is rendered into the buffer in "a.b.c.d" format and the number of
|
|
* bytes is returned.
|
|
*/
|
|
int sprint_OID(enum OID oid, char *buffer, size_t bufsize)
|
|
{
|
|
int ret;
|
|
|
|
BUG_ON(oid >= OID__NR);
|
|
|
|
ret = sprint_oid(oid_data + oid_index[oid],
|
|
oid_index[oid + 1] - oid_index[oid],
|
|
buffer, bufsize);
|
|
BUG_ON(ret == -EBADMSG);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(sprint_OID);
|