git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Biggers <ebiggers@google.com>
	Fri, 8 Dec 2017 15:13:27 +0000 (15:13 +0000)
committer	David Howells <dhowells@redhat.com>
	Fri, 8 Dec 2017 15:13:27 +0000 (15:13 +0000)
commit	dac34e0eedf706b6c53ab9e1cc34c656be5a5717
tree	b1857871d87c93b0134c9f3bdb8ff92fe097030f	tree \| snapshot
parent	996c6b63e2dccee407976d4edf9621f75a5c0e4a	commit \| diff

ASN.1: check for error from ASN1_OP_END__ACT actions

asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes).  Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest.  But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.

Fixes: 24892fe3a0b1 ("X.509: Add an ASN.1 decoder")
Cc: <stable@vger.kernel.org> # v3.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>