Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 86b01b54 authored Nov 25, 2016 by Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull keys fixes from James Morris:
 "From David:

   - Fix mpi_powm()'s handling of a number with a zero exponent
     [CVE-2016-8650].

     Integrate my and Andrey's patches for mpi_powm() and use
     mpi_resize() instead of RESIZE_IF_NEEDED() - the latter adds a
     duplicate check into the execution path of a trivial case we
     don't normally expect to be taken.

   - Fix double free in X.509 error handling"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
  X.509: Fix double free in x509_cert_parse() [ver #3]

parents cd3caefb f5527fff

crypto/asymmetric_keys/x509_cert_parser.c

+0 −1

Original line number	Original line	Diff line number	Diff line
	@@ -133,7 +133,6 @@ struct x509_certificate x509_cert_parse(const void data, size_t datalen)
	return cert;		return cert;

	error_decode:		error_decode:
	kfree(cert->pub->key);
	kfree(ctx);		kfree(ctx);
	error_no_ctx:		error_no_ctx:
	x509_free_certificate(cert);		x509_free_certificate(cert);

lib/mpi/mpi-pow.c

+6 −1

Original line number	Original line	Diff line number	Diff line
	@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
	if (!esize) {		if (!esize) {
	/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0		/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
	* depending on if MOD equals 1. */		* depending on if MOD equals 1. */
	rp[0] = 1;
	res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;		res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
			if (res->nlimbs) {
			if (mpi_resize(res, 1) < 0)
			goto enomem;
			rp = res->d;
			rp[0] = 1;
			}
	res->sign = 0;		res->sign = 0;
	goto leave;		goto leave;
	}		}