Re: [PATCH] X.509: Fix the time validation [ver #3]

From: Alexander Holler
Date: Thu Dec 10 2015 - 10:16:25 EST


On 10.12.2015 at 10:23, Alexander Holler wrote:
> On 12.11.2015 at 12:38, David Howells wrote:
>> This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
>>
>> Fix the X.509 time validation to use month number-1 when looking up the
>> number of days in that month. Also put the month number validation before
>> doing the lookup so as not to risk overrunning the array.
>
> I've just run into this with 4.3.1 (mon_len ended up with 0 because of
> the wrong index). Which means currently built stable kernels with
> signature verification might not load modules (depending on which value
> the invalid index mon_len (12) ends up with).

Just in case, I would suggest quickly pushing out 4.3.2 (only 4.3 seems to be affected), which contains at least the patch mentioned in the subject (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).

Regards,

Alexander Holler
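
The index fix described in the quoted commit message, as an added example that is not part of the original mail and is not the kernel's code. The function names and the `past_end` parameter are hypothetical; the second function only models the flawed order (lookup with the 1-based month, range check afterwards) without performing a real out-of-bounds read.

```c
#include <stdbool.h>

/* Days per month in a non-leap year; index 0 is January. */
static const unsigned char month_lengths[12] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

static bool is_leap(unsigned int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Fixed order: range-check the month first, then index with mon - 1. */
bool date_valid_fixed(unsigned int year, unsigned int mon, unsigned int day)
{
    unsigned int mon_len;

    if (year < 1970 || mon < 1 || mon > 12)
        return false;
    mon_len = month_lengths[mon - 1];
    if (mon == 2 && is_leap(year))
        mon_len = 29;
    return day >= 1 && day <= mon_len;
}

/*
 * Model of the flawed order: look up with the 1-based month, validate after.
 * past_end is a constructed stand-in for the byte that follows the table,
 * so the model itself never reads out of bounds.
 */
bool date_valid_flawed_model(unsigned int year, unsigned int mon,
                             unsigned int day, unsigned char past_end)
{
    unsigned int mon_len = (mon < 12) ? month_lengths[mon] : past_end;

    if (mon == 2 && is_leap(year))
        mon_len = 29;
    if (year < 1970 || mon < 1 || mon > 12)
        return false;
    return day >= 1 && day <= mon_len;
}
```

With `past_end` set to 0, the value reported in the mail, the model rejects every December date. It also rejects 31 January and accepts 30 February in a non-leap year, because each month reads the length of the month after it.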