• Eric Biggers's avatar
    ASN.1: check for error from ASN1_OP_END__ACT actions · 81a7be2c
    Eric Biggers authored
    asn1_ber_decoder() was ignoring errors from actions associated with the
    opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
    ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
    meant the pkcs7_note_signed_info() action (since that was the only user
    of those opcodes).  Fix it by checking for the error, just like the
    decoder does for actions associated with the other opcodes.
    
    This bug allowed users to leak slab memory by repeatedly trying to add a
    specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
    
    In theory, this bug could also be used to bypass module signature
    verification, by providing a PKCS#7 message that is misparsed such that
    a signature's ->authattrs do not contain its ->msgdigest.  But it
    doesn't seem practical in normal cases, due to restrictions on the
    format of the ->authattrs.
    
    Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
    Cc: <stable@vger.kernel.org> # v3.7+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
    81a7be2c
asn1_decoder.c 13.4 KB