Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 May 2016 00:01:56 +1000
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-0758 - Linux kernel - Flaw in ASN.1 DER decoder for x509
 certificate DER files.

An issue with ASN.1 DER decoder was reported that could lead to memory
corruptions, possible privilege escalation, or complete local denial
of service via x509 certificate DER files.

Tags with indefinite length can be used to corrupt the _dp and _len
pointers in asn1_find_indefinite_length() in lib/asn1_decoder.c

The vulnerable code:

...
next_tag:
        if (unlikely(datalen - dp < 2)) {
                if (datalen == dp)
                        goto missing_eoc;
                goto data_overrun_error;
        }
...
        n = len - 0x80;
        if (unlikely(n > sizeof(size_t) - 1))
                goto length_too_long;
        if (unlikely(n > datalen - dp))
                goto data_overrun_error;
        for (len = 0; n > 0; n--) {
                len <<= 8;
                len |= data[dp++];
        }
        dp += len;
        goto next_tag;
...

The dp can be corrupted and the check at next_tag is not sufficient to
prevent this.

Red Hat would like to thank Philip Pettersson of Samsung for reporting
this issue to Red Hat.

Thanks,

Wade Mealing
Red Hat Product Security Team


References:

Upstream fix:
https://lkml.org/lkml/2016/5/12/270

Red hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1300257

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ