Re: [PATCH] X.509: Fix the time validation [ver #3]

[David Howells]

Greg Kroah-Hartman  wrote:

> David, any reason you didn't put a cc: stable in the commit for it to be
> picked up in the stable releases?

I did cc it to stable.

David
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Josh Boyer]

On Fri, Dec 11, 2015 at 6:13 AM, David Howells  wrote:
> Greg Kroah-Hartman  wrote:
>
>> David, any reason you didn't put a cc: stable in the commit for it to be
>> picked up in the stable releases?
>
> I did cc it to stable.

You had the stable list in the CC field when you sent the patch, but
the CC: sta...@vger.kernel.org tag is missing in the commit body.
Greg's scripts key off the later.  Just cc'ing the list when you send
the email does nothing.

FWIW, I asked James if it should have been CC'd to stable when he sent
the pull request to Linus and I never got a reply.

josh
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Alexander Holler]

Am 12.11.2015 um 12:38 schrieb David Howells:

This fixes CVE-2015-5327.  It affects kernels from 4.3-rc1 onwards.

Fix the X.509 time validation to use month number-1 when looking up the
number of days in that month.  Also put the month number validation before
doing the lookup so as not to risk overrunning the array.


I've just run into this with 4.3.1 (mon_len ended up with 0 because of 
the wrong index). Which means currently build stable kernels with 
signature verification might not load modules (depending on which value 
the invalid index mon_len (12) ends up with.


Regards,

Alexander Holler

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Greg Kroah-Hartman]

On Thu, Dec 10, 2015 at 07:00:46PM +0100, Alexander Holler wrote:
> Am 10.12.2015 um 16:34 schrieb Alexander Holler:
> >Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:
> >>On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
> >
> >>>Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3
> >>>seems
> >>>to be affected) which contains at least the patch mentioned in the
> >>>subject
> >>>(58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
> >>
> >>58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
> >>Linus's tree, where did you get that git commit id?
> >
> >Uh, hmm, maybe I've picked the wrong commit number when I've used git
> >gui blame to find the original commit. Might have been one from my own
> >trees which are based on mainline. Sorry, having had a second look, the
> >one I've cherry-picked from mainline was
> >cc25b994acfbc901429da682d0f73c190e960206
> 
> To give my motivation for that mail (and that "quickly"): it's highly
> annoying to end up with a box which does not have network and, as in my
> case, even without working input devices because modules weren't loaded. And
> other people don't might be able to find the problem (and existing patch) as
> quick as I did and might end up even more annoyed than I was for a short
> period of time. ;)

We already have one other report of this problem hitting them.  I've now
released 4.3.2-rc1, with a "quick" review period of 24 hours before I
release 4.3.2 with just this fix.  If you could verify I didn't mess
anything up I would appreciate it.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Alexander Holler]

Am 10.12.2015 um 19:09 schrieb Greg Kroah-Hartman:


We already have one other report of this problem hitting them.  I've now
released 4.3.2-rc1, with a "quick" review period of 24 hours before I
release 4.3.2 with just this fix.  If you could verify I didn't mess
anything up I would appreciate it.


After applying those two patches from 4.3.2-rc1 you've posted instead of 
the one I've cherry-picked, git diff ended up with no difference to the 
source of the kernel I'm currently running. Reading those two patches 
also looks good.


Thanks a lot.

Alexander Holler

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Alexander Holler]

Am 10.12.2015 um 16:34 schrieb Alexander Holler:

Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:

On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:



Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3
seems
to be affected) which contains at least the patch mentioned in the
subject
(58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).


58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
Linus's tree, where did you get that git commit id?


Uh, hmm, maybe I've picked the wrong commit number when I've used git
gui blame to find the original commit. Might have been one from my own
trees which are based on mainline. Sorry, having had a second look, the
one I've cherry-picked from mainline was
cc25b994acfbc901429da682d0f73c190e960206


To give my motivation for that mail (and that "quickly"): it's highly 
annoying to end up with a box which does not have network and, as in my 
case, even without working input devices because modules weren't loaded. 
And other people don't might be able to find the problem (and existing 
patch) as quick as I did and might end up even more annoyed than I was 
for a short period of time. ;)



Regards,

Alexander Holler


--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Alexander Holler]

Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:

On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:



Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems
to be affected) which contains at least the patch mentioned in the subject
(58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).


58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
Linus's tree, where did you get that git commit id?


Uh, hmm, maybe I've picked the wrong commit number when I've used git 
gui blame to find the original commit. Might have been one from my own 
trees which are based on mainline. Sorry, having had a second look, the 
one I've cherry-picked from mainline was 
cc25b994acfbc901429da682d0f73c190e960206


Regards,

Alexander Holler
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Alexander Holler]

Am 10.12.2015 um 10:23 schrieb Alexander Holler:

Am 12.11.2015 um 12:38 schrieb David Howells:

This fixes CVE-2015-5327.  It affects kernels from 4.3-rc1 onwards.

Fix the X.509 time validation to use month number-1 when looking up the
number of days in that month.  Also put the month number validation
before
doing the lookup so as not to risk overrunning the array.


I've just run into this with 4.3.1 (mon_len ended up with 0 because of
the wrong index). Which means currently build stable kernels with
signature verification might not load modules (depending on which value
the invalid index mon_len (12) ends up with.


Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 
seems to be affected) which contains at least the patch mentioned in the 
subject (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).


Regards,

Alexander Holler
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Fix the time validation [ver #3]

[Greg Kroah-Hartman]

On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
> Am 10.12.2015 um 10:23 schrieb Alexander Holler:
> >Am 12.11.2015 um 12:38 schrieb David Howells:
> >>This fixes CVE-2015-5327.  It affects kernels from 4.3-rc1 onwards.
> >>
> >>Fix the X.509 time validation to use month number-1 when looking up the
> >>number of days in that month.  Also put the month number validation
> >>before
> >>doing the lookup so as not to risk overrunning the array.
> >
> >I've just run into this with 4.3.1 (mon_len ended up with 0 because of
> >the wrong index). Which means currently build stable kernels with
> >signature verification might not load modules (depending on which value
> >the invalid index mon_len (12) ends up with.
> 
> Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems
> to be affected) which contains at least the patch mentioned in the subject
> (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).

58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
Linus's tree, where did you get that git commit id?

David, any reason you didn't put a cc: stable in the commit for it to be
picked up in the stable releases?

thanks,

greg k-h

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] X.509: Fix the time validation [ver #3]

[David Howells]

This fixes CVE-2015-5327.  It affects kernels from 4.3-rc1 onwards.

Fix the X.509 time validation to use month number-1 when looking up the
number of days in that month.  Also put the month number validation before
doing the lookup so as not to risk overrunning the array.

This can be tested by doing the following:

cat <
Signed-off-by: David Howells 
Tested-by: Mimi Zohar 
Acked-by: David Woodhouse 
---

 crypto/asymmetric_keys/x509_cert_parser.c |   12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c 
b/crypto/asymmetric_keys/x509_cert_parser.c
index 3000ea3b6687..021d39c0ba75 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
if (*p != 'Z')
goto unsupported_time;
 
-   mon_len = month_lengths[mon];
+   if (year < 1970 ||
+   mon < 1 || mon > 12)
+   goto invalid_time;
+
+   mon_len = month_lengths[mon - 1];
if (mon == 2) {
if (year % 4 == 0) {
mon_len = 29;
@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
}
}
 
-   if (year < 1970 ||
-   mon < 1 || mon > 12 ||
-   day < 1 || day > mon_len ||
+   if (day < 1 || day > mon_len ||
hour > 23 ||
min > 59 ||
sec > 59)
goto invalid_time;
-   
+
*_t = mktime64(year, mon, day, hour, min, sec);
return 0;
 

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html