
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.

Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Thorsten Blum and committed by
Herbert Xu
df0845cf 77cd9210

+9 -3
+9 -3
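--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -11,6 +11,7 @@
 #include <crypto/public_key.h>
 #include <linux/seq_file.h>
 #include <linux/module.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/ctype.h>
 #include <keys/system_keyring.h>
@@ -142,12 +141,17 @@
 						     size_t len_2)
 {
 	struct asymmetric_key_id *kid;
+	size_t kid_sz;
+	size_t len;
 
-	kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
-		      GFP_KERNEL);
+	if (check_add_overflow(len_1, len_2, &len))
+		return ERR_PTR(-EOVERFLOW);
+	if (check_add_overflow(sizeof(struct asymmetric_key_id), len, &kid_sz))
+		return ERR_PTR(-EOVERFLOW);
+	kid = kmalloc(kid_sz, GFP_KERNEL);
 	if (!kid)
 		return ERR_PTR(-ENOMEM);
-	kid->len = len_1 + len_2;
+	kid->len = len;
 	memcpy(kid->data, val_1, len_1);
 	memcpy(kid->data + len_1, val_2, len_2);
 	return kid;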
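Review bot: The assignment `kid->len = len;` can still truncate silently if the `len` member of struct asymmetric_key_id is narrower than size_t; the struct definition is not visible in this section, so that needs confirming. The two check_add_overflow() calls only guarantee that the allocation size fits in size_t, so a combined blob length beyond the field's range would leave a stored length shorter than the data actually copied, and any later comparison keyed on `kid->len` would see a truncated ID. If the field is narrower, reject such input before allocating, for example `if (overflows_type(len, kid->len)) return ERR_PTR(-EOVERFLOW);` placed ahead of the kmalloc() call. The function's signature begins above the hunk and its closing brace falls below it.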