From 9325883d9fb270cae63af5a254eb6a855813a189 Mon Sep 17 00:00:00 2001
From: Felix Conway
Date: Tue, 27 May 2025 14:54:07 +0100
Subject: [PATCH 1/3] Add test using underflow-causing PEM keyfile

Signed-off-by: Felix Conway
---
 tests/suites/test_suite_pem.data | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index 007ba104a9..1df9645650 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -53,6 +53,10 @@ PEM read (malformed PEM AES-128-CBC)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
 mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:""
 
+PEM read (malformed PEM AES-128-CBC with fewer than 4 base64 chars)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15\n\n8Q-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_PEM_INVALID_DATA:""
+
 # The output sequence's length is not multiple of block size (16 bytes). This
 # proves that the pem_context->len value is properly updated based on the SEQUENCE
 # length read from the decoded ASN.1 data (i.e. extra padding, if any, is ignored).

From 6165e715899a9b370851e2868fe312d7e0a2cb83 Mon Sep 17 00:00:00 2001
From: Felix Conway
Date: Tue, 27 May 2025 16:00:48 +0100
Subject: [PATCH 2/3] Add fix for PEM underflow

Signed-off-by: Felix Conway
---
 library/pem.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/library/pem.c b/library/pem.c
index 0207601456..119fd59e12 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -243,7 +243,10 @@ exit:
 #if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C)
 static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
 {
- /* input_len > 0 is guaranteed by mbedtls_pem_read_buffer(). */
+ /* input_len > 0 is not guaranteed by mbedtls_pem_read_buffer(). */
+ if (input_len < 1) {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
 size_t pad_len = input[input_len - 1];
 size_t i;
 

From 42323eacc9ca7ca8c6f14bb2e5a8b34349f29c6a Mon Sep 17 00:00:00 2001
From: Felix Conway
Date: Tue, 27 May 2025 16:01:07 +0100
Subject: [PATCH 3/3] Add changelog

Signed-off-by: Felix Conway
---
 ChangeLog.d/pem-integer-underflow.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/pem-integer-underflow.txt

diff --git a/ChangeLog.d/pem-integer-underflow.txt b/ChangeLog.d/pem-integer-underflow.txt
new file mode 100644
index 0000000000..77274aa279
--- /dev/null
+++ b/ChangeLog.d/pem-integer-underflow.txt
@@ -0,0 +1,5 @@
+Security
+ * Fix an integer underflow that could occur when parsing malformed PEM
+ keys, which could be used by an attacker capable of feeding encrypted
+ PEM keys to a user. This could cause a crash or information disclosure.
+ Found and reported by Linh Le and Ngan Nguyen from Calif.
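Review bot: The new comment at the top of pem_check_pkcs_padding() only negates the old one and does not say what the guard protects; it should name the hazard, e.g. `/* input_len can be 0 for a malformed PEM body; input[input_len - 1] would then index with a wrapped size_t. */`. Since input_len is a size_t, `if (input_len == 0) {` states the condition more directly than `input_len < 1`. The regression case added to tests/suites/test_suite_pem.data depends on MBEDTLS_AES_C, while this helper is also compiled when only MBEDTLS_DES_C is defined, so a DES-only configuration would not exercise the guard; a DES-CBC variant of the case would close that gap. The function body continues past the hunk, so whether pad_len is later bounded against input_len cannot be confirmed from the lines shown.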