oss-sec mailing list archives
CVE-2016-0758 - Linux kernel - Flaw in ASN.1 DER decoder for x509 certificate DER files.
From: Wade Mealing <wmealing () redhat com>
Date: Fri, 13 May 2016 00:01:56 +1000
An issue with ASN.1 DER decoder was reported that could lead to memory corruptions, possible privilege escalation, or complete local denial of service via x509 certificate DER files. Tags with indefinite length can be used to corrupt the _dp and _len pointers in asn1_find_indefinite_length() in lib/asn1_decoder.c The vulnerable code: ... next_tag: if (unlikely(datalen - dp < 2)) { if (datalen == dp) goto missing_eoc; goto data_overrun_error; } ... n = len - 0x80; if (unlikely(n > sizeof(size_t) - 1)) goto length_too_long; if (unlikely(n > datalen - dp)) goto data_overrun_error; for (len = 0; n > 0; n--) { len <<= 8; len |= data[dp++]; } dp += len; goto next_tag; ... The dp can be corrupted and the check at next_tag is not sufficient to prevent this. Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue to Red Hat. Thanks, Wade Mealing Red Hat Product Security Team References: Upstream fix: https://lkml.org/lkml/2016/5/12/270 Red hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1300257
Current thread:
- CVE-2016-0758 - Linux kernel - Flaw in ASN.1 DER decoder for x509 certificate DER files. Wade Mealing (May 12)