android_kernel_oneplus_msm8998/lib
David Howells ba22ea5266 KEYS: Fix ASN.1 indefinite length object parsing
This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

	datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

	for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Change-Id: I13b15885df9dc0c17a3e1670ae9606bf3ce4ba05
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-10-10 13:33:13 -07:00
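The ordering problem described in the commit message above, as an added illustration (not the kernel's asn1_decoder.c code and not part of the commit). `asn1_step`, its `validate` flag, the status codes and the sample buffer are constructed for this example, and the indefinite-length form is not modelled.

```c
#include <stddef.h>
#include <stdio.h>

enum { STEP_OK = 0, STEP_OVERRUN = -1, STEP_BAD = -2 };  /* hypothetical codes */

/* Hypothetical helper: decode one single-byte-tag TLV header at *dp and move
 * *dp past the value. validate=0 models the pre-fix order (add len, then
 * rely on "datalen - dp < 2"); validate=1 checks len against the remaining
 * data before adding, as the commit message describes. */
static int asn1_step(const unsigned char *data, size_t datalen,
		     size_t *dp, int validate)
{
	size_t len, n;

	/* "*dp > datalen" is a guard for this demo so it never reads past data */
	if (*dp > datalen || datalen - *dp < 2)
		return STEP_OVERRUN;
	(*dp)++;				/* skip the tag octet */
	len = data[(*dp)++];
	if (len > 0x7f) {			/* long form: low 7 bits = octet count */
		n = len - 0x80;
		if (n == 0 || n > sizeof(len) - 1)
			return STEP_BAD;	/* indefinite form not modelled here */
		if (n > datalen - *dp)
			return STEP_OVERRUN;
		len = 0;
		for (; n > 0; n--)
			len = (len << 8) | data[(*dp)++];
	}
	if (validate && len > datalen - *dp)
		return STEP_OVERRUN;		/* length exceeds remaining data */
	*dp += len;				/* can pass datalen when !validate */
	/* With *dp > datalen the unsigned subtraction wraps to a huge value,
	 * so the "fewer than 2 bytes left" test does not fire. */
	return (datalen - *dp < 2 && *dp != datalen) ? STEP_OVERRUN : STEP_OK;
}

int main(void)
{
	/* Constructed sample: tag 0x04, claimed length 0x7f, only 2 value bytes */
	const unsigned char buf[] = { 0x04, 0x7f, 0xaa, 0xbb };
	size_t dp = 0;
	int rc = asn1_step(buf, sizeof(buf), &dp, 0);
	printf("unchecked: rc=%d dp=%zu datalen=%zu\n", rc, dp, sizeof(buf));
	dp = 0;
	rc = asn1_step(buf, sizeof(buf), &dp, 1);
	printf("checked:   rc=%d dp=%zu\n", rc, dp);
	return 0;
}
```
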
842 crypto: 842 - Add CRC and validation support 2015-10-14 22:23:17 +08:00
fonts
lz4 Revert "Merge remote-tracking branch 'msm-4.4/tmp-510d0a3f' into msm-4.4" 2016-08-26 14:34:05 -07:00
lzo
mpi Revert "Merge remote-tracking branch 'msm-4.4/tmp-510d0a3f' into msm-4.4" 2016-08-26 14:34:05 -07:00
raid6
reed_solomon
xz
zlib_deflate zlib_deflate/deftree: remove bi_reverse() 2015-09-10 13:29:01 -07:00
zlib_inflate
.gitignore
argv_split.c
asn1_decoder.c KEYS: Fix ASN.1 indefinite length object parsing 2016-10-10 13:33:13 -07:00
assoc_array.c Revert "Merge remote-tracking branch 'msm-4.4/tmp-510d0a3f' into msm-4.4" 2016-08-26 14:34:05 -07:00
atomic64.c
atomic64_test.c
audit.c
bcd.c
bch.c
bitmap.c lib/bitmap.c: bitmap_parselist can accept string with whitespaces on head or tail 2015-09-10 13:29:01 -07:00
bitrev.c
bsearch.c
btree.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
bug.c
build_OID_registry
bust_spinlocks.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c
compat_audit.c
cordic.c
cpu-notifier-error-inject.c
cpu_rmap.c
cpumask.c
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
ctype.c
debug_info.c
debug_locks.c
debugobjects.c debugobjects: use kmemleak_not_leak for debug object memory 2016-03-23 21:23:44 -07:00
dec_and_lock.c
decompress.c
decompress_bunzip2.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_inflate.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unlz4.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unlzma.c lib/decompress_unlzma: Do a NULL check for pointer 2015-09-10 13:29:01 -07:00
decompress_unlzo.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unxz.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
devres.c devres: fix a for loop bounds check 2015-10-05 04:49:54 +01:00
digsig.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
div64.c remove abs64() 2015-11-09 15:11:24 -08:00
dma-debug.c dma-debug: switch check from _text to _stext 2016-02-25 12:01:22 -08:00
dump_stack.c dump_stack: avoid potential deadlocks 2016-02-25 12:01:23 -08:00
dynamic_debug.c lib/dynamic_debug.c: use kstrdup_const 2015-11-06 17:50:42 -08:00
dynamic_queue_limits.c
earlycpio.c
extable.c Revert "Merge remote-tracking branch 'msm-4.4/tmp-510d0a3f' into msm-4.4" 2016-08-26 14:34:05 -07:00
fault-inject.c fault-inject: fix inverted interval/probability values in printk 2015-10-23 17:55:10 +09:00
fdt.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c
flex_array.c
flex_proportions.c
gcd.c
gen_crc32table.c
genalloc.c
glob.c
halfmd4.c lib/halfmd4.c: use rol32 inline function in the ROUND macro 2015-11-06 17:50:42 -08:00
hash.c Revert "net, lib: kill arch_fast_hash library bits" 2016-03-22 11:09:36 -07:00
hexdump.c lib/hexdump.c: truncate output in case of overflow 2015-11-06 17:50:42 -08:00
hweight.c
idr.c mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd 2015-11-06 17:50:42 -08:00
inflate.c
int_sqrt.c
interval_tree.c
interval_tree_test.c
iomap.c lib: iomap: Add MSM RTB support 2016-03-01 12:22:26 -08:00
iomap_copy.c
iommu-common.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2015-11-05 16:34:48 -08:00
iommu-helper.c
ioremap.c
iov_iter.c
irq_regs.c
is_single_threaded.c lib/is_single_threaded.c: change current_is_single_threaded() to use for_each_thread() 2015-11-06 17:50:42 -08:00
jedec_ddr_data.c
kasprintf.c lib/kasprintf.c: introduce kvasprintf_const 2015-11-06 17:50:42 -08:00
Kconfig Merge remote-tracking branch 'origin/tmp-917a9a9133a6' into lsk 2016-07-12 11:40:49 -07:00
Kconfig.debug lib: spinlock: Change MSM_WATCHDOG_V2 to QCOM_WATCHDOG_V2 2016-09-22 17:32:41 -07:00
Kconfig.kasan kasan: Kconfig: Add KASAN_SANITIZE_ALL 2016-03-22 11:10:48 -07:00
Kconfig.kgdb
Kconfig.kmemcheck
Kconfig.ubsan UBSAN: run-time undefined behavior sanity checker 2016-03-22 11:09:57 -07:00
kfifo.c
klist.c klist: fix starting point removed bug in klist iterators 2016-02-25 12:01:16 -08:00
kobject.c lib/kobject.c: use kvasprintf_const for formatting ->name 2015-11-06 17:50:42 -08:00
kobject_uevent.c
kstrtox.c kstrto*: accept "-0" for signed conversion 2015-09-10 13:29:01 -07:00
kstrtox.h
lcm.c
libcrc32c.c crypto: crc32c - Fix crc32c soft dependency 2016-02-17 12:31:04 -08:00
list_debug.c kernel/lib: add additional debug capabilites for data corruption 2016-03-22 11:16:29 -07:00
list_sort.c
llist.c lib/llist.c: fix data race in llist_del_first 2015-11-06 17:50:42 -08:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lockref.c
lru_cache.c
Makefile lib: Makefile: Ignore Kasan errors reported from the find_bit 2016-05-05 15:05:52 -07:00
md5.c
memory-notifier-error-inject.c
memweight.c
net_utils.c
nlattr.c
nmi_backtrace.c ARM: 8439/1: Fix backtrace generation when IPI is masked 2015-10-03 16:40:51 +01:00
notifier-error-inject.c
notifier-error-inject.h
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c once: make helper generic for calling functions once 2015-10-08 05:26:36 -07:00
parser.c
pci_iomap.c libnvdimm for 4.3: 2015-09-08 14:35:59 -07:00
percpu-refcount.c
percpu_counter.c
percpu_ida.c mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM 2015-11-06 17:50:42 -08:00
percpu_test.c
plist.c
pm-notifier-error-inject.c
proportions.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
qmi_encdec.c soc: qcom: Add snapshot of QMI 2016-03-22 11:08:08 -07:00
qmi_encdec_priv.h soc: qcom: Add snapshot of QMI 2016-03-22 11:08:08 -07:00
radix-tree.c radix-tree: add radix_tree_gang_lookup_index 2016-03-23 21:15:18 -07:00
random32.c random32: add prandom_init_once helper for own rngs 2015-10-08 05:26:38 -07:00
ratelimit.c
rational.c
rbtree.c
rbtree_test.c
reciprocal_div.c
rhashtable.c rhashtable: Kill harmless RCU warning in rhashtable_walk_init 2015-12-18 23:44:18 -05:00
scatterlist.c
seq_buf.c
sg_split.c
sha1.c
show_mem.c lib/show_mem.c: correct reserved memory calculation 2015-09-08 15:35:28 -07:00
smp_processor_id.c
sort.c
stmp_device.c
string.c lib/string.c: add ULL suffix to the constant definition 2015-11-10 16:32:11 -08:00
string_helpers.c string_helpers: fix precision loss for some inputs 2016-02-25 12:01:21 -08:00
strncpy_from_user.c lib: do_strncpy_from_user: Fix return error code for get_user failures 2016-04-19 19:43:56 -07:00
strnlen_user.c
swiotlb.c
syscall.c
test-hexdump.c
test-kstrtox.c kstrto*: accept "-0" for signed conversion 2015-09-10 13:29:01 -07:00
test-string_helpers.c Revert "Merge remote-tracking branch 'msm-4.4/tmp-510d0a3f' into msm-4.4" 2016-08-26 14:34:05 -07:00
test_bpf.c bpf: add mod default A and X test cases 2015-11-05 00:05:50 -05:00
test_firmware.c
test_kasan.c lib: test_kasan: add some testcases 2015-11-05 19:34:48 -08:00
test_module.c
test_printf.c test_printf: test printf family at runtime 2015-11-06 17:50:42 -08:00
test_rhashtable.c
test_static_key_base.c
test_static_keys.c
test_user_copy.c
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c UBSAN: run-time undefined behavior sanity checker 2016-03-22 11:09:57 -07:00
ubsan.h UBSAN: run-time undefined behavior sanity checker 2016-03-22 11:09:57 -07:00
ucs2_string.c lib/ucs2_string: Correct ucs2 -> utf8 conversion 2016-03-03 15:07:09 -08:00
usercopy.c
uuid.c
vsprintf.c lib/vsprintf.c: update documentation 2015-11-06 17:50:42 -08:00