android_kernel_samsung_univ.../lib
David Howells 5afbd223e6 KEYS: Fix ASN.1 indefinite length object parsing
[ Upstream commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa ]

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

	datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

	for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-09-15 08:27:50 +02:00
842
fonts
lz4 lib: lz4: fixed zram with lz4 on big endian machines 2016-05-04 14:48:41 -07:00
lzo
mpi lib/mpi: Endianness fix 2016-05-04 14:48:51 -07:00
raid6
reed_solomon
xz
zlib_deflate
zlib_inflate
.gitignore
argv_split.c
asn1_decoder.c KEYS: Fix ASN.1 indefinite length object parsing 2016-09-15 08:27:50 +02:00
assoc_array.c assoc_array: don't call compare_object() on a node 2016-05-04 14:48:40 -07:00
atomic64_test.c
atomic64.c
audit.c
bcd.c
bch.c
bitmap.c
bitrev.c
bsearch.c
btree.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
bug.c
build_OID_registry
bust_spinlocks.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c
compat_audit.c
cordic.c
cpu_rmap.c
cpu-notifier-error-inject.c
cpumask.c
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
ctype.c
debug_info.c
debug_locks.c
debugobjects.c
dec_and_lock.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
decompress.c
devres.c
digsig.c
div64.c remove abs64() 2015-11-09 15:11:24 -08:00
dma-debug.c dma-debug: avoid spinlock recursion when disabling dma-debug 2016-06-07 18:14:37 -07:00
dump_stack.c dump_stack: avoid potential deadlocks 2016-02-25 12:01:23 -08:00
dynamic_debug.c lib/dynamic_debug.c: use kstrdup_const 2015-11-06 17:50:42 -08:00
dynamic_queue_limits.c
earlycpio.c
extable.c
fault-inject.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
fdt.c
find_bit.c
flex_array.c
flex_proportions.c
gcd.c
gen_crc32table.c
genalloc.c
glob.c
halfmd4.c lib/halfmd4.c: use rol32 inline function in the ROUND macro 2015-11-06 17:50:42 -08:00
hexdump.c lib/hexdump.c: truncate output in case of overflow 2015-11-06 17:50:42 -08:00
hweight.c
idr.c mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd 2015-11-06 17:50:42 -08:00
inflate.c
int_sqrt.c
interval_tree_test.c
interval_tree.c
iomap_copy.c
iomap.c
iommu-common.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2015-11-05 16:34:48 -08:00
iommu-helper.c
ioremap.c
iov_iter.c
irq_regs.c
is_single_threaded.c lib/is_single_threaded.c: change current_is_single_threaded() to use for_each_thread() 2015-11-06 17:50:42 -08:00
jedec_ddr_data.c
kasprintf.c lib/kasprintf.c: introduce kvasprintf_const 2015-11-06 17:50:42 -08:00
Kconfig lib: sw842: select crc32 2016-03-03 15:07:24 -08:00
Kconfig.debug Nothing exciting, minor tweaks and cleanups. 2015-11-09 15:53:39 -08:00
Kconfig.kasan mm, slub, kasan: enable user tracking by default with KASAN=y 2015-11-05 19:34:48 -08:00
Kconfig.kgdb
Kconfig.kmemcheck
kfifo.c
klist.c klist: fix starting point removed bug in klist iterators 2016-02-25 12:01:16 -08:00
kobject_uevent.c
kobject.c lib/kobject.c: use kvasprintf_const for formatting ->name 2015-11-06 17:50:42 -08:00
kstrtox.c
kstrtox.h
lcm.c
libcrc32c.c crypto: crc32c - Fix crc32c soft dependency 2016-02-17 12:31:04 -08:00
list_debug.c
list_sort.c
llist.c lib/llist.c: fix data race in llist_del_first 2015-11-06 17:50:42 -08:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lockref.c
lru_cache.c
Makefile test_printf: test printf family at runtime 2015-11-06 17:50:42 -08:00
md5.c
memory-notifier-error-inject.c
memweight.c
net_utils.c
nlattr.c
nmi_backtrace.c
notifier-error-inject.c
notifier-error-inject.h
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c
parser.c
pci_iomap.c
percpu_counter.c
percpu_ida.c mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM 2015-11-06 17:50:42 -08:00
percpu_test.c
percpu-refcount.c
plist.c
pm-notifier-error-inject.c
proportions.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
radix-tree.c radix-tree: fix race in gang lookup 2016-02-25 12:01:23 -08:00
random32.c
ratelimit.c
rational.c
rbtree_test.c
rbtree.c
reciprocal_div.c
rhashtable.c rhashtable: Kill harmless RCU warning in rhashtable_walk_init 2015-12-18 23:44:18 -05:00
scatterlist.c
seq_buf.c
sg_split.c
sha1.c
show_mem.c
smp_processor_id.c
sort.c
stmp_device.c
string_helpers.c string_helpers: fix precision loss for some inputs 2016-02-25 12:01:21 -08:00
string.c lib/string.c: add ULL suffix to the constant definition 2015-11-10 16:32:11 -08:00
strncpy_from_user.c
strnlen_user.c
swiotlb.c
syscall.c
test_bpf.c bpf: add mod default A and X test cases 2015-11-05 00:05:50 -05:00
test_firmware.c
test_kasan.c lib: test_kasan: add some testcases 2015-11-05 19:34:48 -08:00
test_module.c
test_printf.c test_printf: test printf family at runtime 2015-11-06 17:50:42 -08:00
test_rhashtable.c
test_static_key_base.c
test_static_keys.c
test_user_copy.c
test-hexdump.c
test-kstrtox.c
test-string_helpers.c lib/test-string_helpers.c: fix and improve string_get_size() tests 2016-05-11 11:21:26 +02:00
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ucs2_string.c lib/ucs2_string: Correct ucs2 -> utf8 conversion 2016-03-03 15:07:09 -08:00
usercopy.c
uuid.c
vsprintf.c lib/vsprintf.c: update documentation 2015-11-06 17:50:42 -08:00