25 Feb, 2018
1 commit
-
[ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ]
Callers of sprint_oid() do not check its return value before printing
the result. In the case where the OID is zero-length, -EBADMSG was
being returned without anything being written to the buffer, resulting
in uninitialized stack memory being printed. Fix this by writing
"(bad)" to the buffer in the cases where -EBADMSG is returned.Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
09 Sep, 2017
1 commit
-
The sprint_oid() utility function doesn't properly check the buffer size
that it causes that the warning in vsnprintf() be triggered. For
example on v4.1 kernel:------------[ cut here ]------------
WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
...We can trigger this issue by injecting maliciously crafted x509 cert in
DER format. Just using hex editor to change the length of OID to over
the length of the SEQUENCE container. For example:0:d=0 hl=4 l= 980 cons: SEQUENCE
4:d=1 hl=4 l= 700 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :9B47FAF791E7D1E3
24:d=2 hl=2 l= 13 cons: SEQUENCE
26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
37:d=3 hl=2 l= 0 prim: NULL
39:d=2 hl=2 l= 121 cons: SEQUENCE
41:d=3 hl=2 l= 22 cons: SET
43:d=4 hl=2 l= 20 cons: SEQUENCE
Signed-off-by: "Lee, Chun-Yi"
Reported-by: Pawel Wieczorkiewicz
Cc: David Howells
Cc: Rusty Russell
Cc: Pawel Wieczorkiewicz
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
06 May, 2013
1 commit
-
Give the OID registry file module information so that it doesn't taint the
kernel when compiled as a module and loaded.Reported-by: Dros Adamson
Signed-off-by: David Howells
cc: Trond Myklebust
cc: stable@vger.kernel.org
cc: linux-nfs@vger.kernel.org
Signed-off-by: Linus Torvalds
08 Oct, 2012
2 commits
-
Add a pair of utility functions to render OIDs as strings. The first takes an
encoded OID and turns it into a "a.b.c.d" form string:int sprint_oid(const void *data, size_t datasize,
char *buffer, size_t bufsize);The second takes an OID enum index and calls the first on the data held
therein:int sprint_OID(enum OID oid, char *buffer, size_t bufsize);
Signed-off-by: David Howells
Signed-off-by: Rusty Russell -
Implement a simple static OID registry that allows the mapping of an encoded
OID to an enum value for ease of use.The OID registry index enum appears in the:
linux/oid_registry.h
header file. A script generates the registry from lines in the header file
that look like:OID_foo,/*1.2.3.4*/
The actual OID is taken to be represented by the numbers with interpolated
dots in the comment.All other lines in the header are ignored.
The registry is queries by calling:
OID look_up_oid(const void *data, size_t datasize);
This returns a number from the registry enum representing the OID if found or
OID__NR if not.Signed-off-by: David Howells
Signed-off-by: Rusty Russell