Commit d702c3408213 for kernel
commit d702c3408213bb12bd570bb97204d8340d141c51
Author: Lukas Wunner <lukas@wunner.de>
Date: Tue Apr 7 12:58:18 2026 +0200
X.509: Fix out-of-bounds access when parsing extensions
Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.
Fixes: 30eae2b037af ("KEYS: X.509: Parse Basic Constraints for CA")
Fixes: 567671281a75 ("KEYS: X.509: Parse Key Usage")
Reported-by: Leo Lin <leo@depthfirst.com> # off-list
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Cc: stable@vger.kernel.org # v6.4+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 37e4fb9da106..bfd10f0195e0 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -609,10 +609,10 @@ int x509_process_extension(void *context, size_t hdrlen,
* 0x04 is where keyCertSign lands in this bit string
* 0x80 is where digitalSignature lands in this bit string
*/
- if (v[0] != ASN1_BTS)
- return -EBADMSG;
if (vlen < 4)
return -EBADMSG;
+ if (v[0] != ASN1_BTS)
+ return -EBADMSG;
if (v[2] >= 8)
return -EBADMSG;
if (v[3] & 0x80)
@@ -645,10 +645,10 @@ int x509_process_extension(void *context, size_t hdrlen,
* (Expect 0xFF if the CA is TRUE)
* vlen should match the entire extension size
*/
- if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
- return -EBADMSG;
if (vlen < 2)
return -EBADMSG;
+ if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
+ return -EBADMSG;
if (v[1] != vlen - 2)
return -EBADMSG;
/* Empty SEQUENCE means CA:FALSE (default value omitted per DER) */