From: Lukas Wunner <lukas@wunner.de>
To: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Jarkko Sakkinen <jarkko@kernel.org>
Cc: linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
Leo Lin <leo@depthfirst.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Ignat Korchagin <ignat@linux.win>,
David Howells <dhowells@redhat.com>
Subject: [PATCH] X.509: Fix out-of-bounds access when parsing extensions
Date: Tue, 7 Apr 2026 12:58:18 +0200 [thread overview]
Message-ID: <db192bcb9467d30068c97a4007822f21aab6766f.1775512248.git.lukas@wunner.de> (raw)
Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.
Fixes: 30eae2b037af ("KEYS: X.509: Parse Basic Constraints for CA")
Fixes: 567671281a75 ("KEYS: X.509: Parse Key Usage")
Reported-by: Leo Lin <leo@depthfirst.com> # off-list
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Cc: stable@vger.kernel.org # v6.4+
---
crypto/asymmetric_keys/x509_cert_parser.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index b37cae9..aac2d55 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -584,10 +584,10 @@ int x509_process_extension(void *context, size_t hdrlen,
* 0x04 is where keyCertSign lands in this bit string
* 0x80 is where digitalSignature lands in this bit string
*/
- if (v[0] != ASN1_BTS)
- return -EBADMSG;
if (vlen < 4)
return -EBADMSG;
+ if (v[0] != ASN1_BTS)
+ return -EBADMSG;
if (v[2] >= 8)
return -EBADMSG;
if (v[3] & 0x80)
@@ -620,10 +620,10 @@ int x509_process_extension(void *context, size_t hdrlen,
* (Expect 0xFF if the CA is TRUE)
* vlen should match the entire extension size
*/
- if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
- return -EBADMSG;
if (vlen < 2)
return -EBADMSG;
+ if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
+ return -EBADMSG;
if (v[1] != vlen - 2)
return -EBADMSG;
/* Empty SEQUENCE means CA:FALSE (default value omitted per DER) */
--
2.51.0
next reply other threads:[~2026-04-07 10:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 10:58 Lukas Wunner [this message]
2026-04-12 8:45 ` [PATCH] X.509: Fix out-of-bounds access when parsing extensions Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db192bcb9467d30068c97a4007822f21aab6766f.1775512248.git.lukas@wunner.de \
--to=lukas@wunner.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@linux.win \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=leo@depthfirst.com \
--cc=linux-crypto@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).