4.19-stable patches

added patches:
	netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch
	sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch

diff --git a/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch b/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch
new file mode 100644 (file)
index 0000000..3eb35f8
--- /dev/null
+++ b/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch
@@ -0,0 +1,50 @@
+From c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 6 Feb 2019 22:56:15 +0100
+Subject: netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs
+
+From: Jann Horn <jannh@google.com>
+
+commit c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc upstream.
+
+The generic ASN.1 decoder infrastructure doesn't guarantee that callbacks
+will get as much data as they expect; callbacks have to check the `datalen`
+parameter before looking at `data`. Make sure that snmp_version() and
+snmp_helper() don't read/write beyond the end of the packet data.
+
+(Also move the assignment to `pdata` down below the check to make it clear
+that it isn't necessarily a pointer we can use before the `datalen` check.)
+
+Fixes: cc2d58634e0f ("netfilter: nf_nat_snmp_basic: use asn1 decoder library")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic_main.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
+@@ -104,6 +104,8 @@ static void fast_csum(struct snmp_ctx *c
+ int snmp_version(void *context, size_t hdrlen, unsigned char tag,
+                const void *data, size_t datalen)
+ {
++      if (datalen != 1)
++              return -EINVAL;
+       if (*(unsigned char *)data > 1)
+               return -ENOTSUPP;
+       return 1;
+@@ -113,8 +115,11 @@ int snmp_helper(void *context, size_t hd
+               const void *data, size_t datalen)
+ {
+       struct snmp_ctx *ctx = (struct snmp_ctx *)context;
+-      __be32 *pdata = (__be32 *)data;
++      __be32 *pdata;
+ 
++      if (datalen != 4)
++              return -EINVAL;
++      pdata = (__be32 *)data;
+       if (*pdata == ctx->from) {
+               pr_debug("%s: %pI4 to %pI4\n", __func__,
+                        (void *)&ctx->from, (void *)&ctx->to);

diff --git a/queue-4.19/series b/queue-4.19/series
index 702bac08a00771c79c70322e10d9a9c3345518dd..5b1674144d5b8e74f25759c32d834476785194a7 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -23,3 +23,5 @@ scsi-target-core-use-kmem_cache_free-instead-of-kfree.patch
 x86_64-increase-stack-size-for-kasan_extra.patch
 mmc-meson-gx-fix-interrupt-name.patch
 pci-fix-__initdata-issue-with-pci-disable_acs_redir-parameter.patch
+sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch
+netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch

diff --git a/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch b/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch
new file mode 100644 (file)
index 0000000..f603002
--- /dev/null
+++ b/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch
@@ -0,0 +1,167 @@
+From e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Fri, 15 Feb 2019 13:42:02 -0500
+Subject: sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b upstream.
+
+While trying to reproduce a reported kernel panic on arm64, I discovered
+that AUTH_GSS basically doesn't work at all with older enctypes on arm64
+systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
+places using stack memory with scatterlists, causing krb5_encrypt() and
+krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
+is enabled).
+
+Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
+des3-cbc-sha1 and arcfour-hmac-md5.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/gss_krb5_seqnum.c |   49 ++++++++++++++++++++++++++--------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
++++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
+@@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+                     unsigned char *cksum, unsigned char *buf)
+ {
+       struct crypto_skcipher *cipher;
+-      unsigned char plain[8];
++      unsigned char *plain;
+       s32 code;
+ 
+       dprintk("RPC:       %s:\n", __func__);
+@@ -53,6 +53,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+       if (IS_ERR(cipher))
+               return PTR_ERR(cipher);
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
++
+       plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
+       plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
+       plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
+@@ -69,6 +73,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+       code = krb5_encrypt(cipher, cksum, plain, buf, 8);
+ out:
+       crypto_free_skcipher(cipher);
++      kfree(plain);
+       return code;
+ }
+ s32
+@@ -78,12 +83,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
+               u32 seqnum,
+               unsigned char *cksum, unsigned char *buf)
+ {
+-      unsigned char plain[8];
++      unsigned char *plain;
++      s32 code;
+ 
+       if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+               return krb5_make_rc4_seq_num(kctx, direction, seqnum,
+                                            cksum, buf);
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
++
+       plain[0] = (unsigned char) (seqnum & 0xff);
+       plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
+       plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
+@@ -94,7 +104,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
+       plain[6] = direction;
+       plain[7] = direction;
+ 
+-      return krb5_encrypt(key, cksum, plain, buf, 8);
++      code = krb5_encrypt(key, cksum, plain, buf, 8);
++      kfree(plain);
++      return code;
+ }
+ 
+ static s32
+@@ -102,7 +114,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc
+                    unsigned char *buf, int *direction, s32 *seqnum)
+ {
+       struct crypto_skcipher *cipher;
+-      unsigned char plain[8];
++      unsigned char *plain;
+       s32 code;
+ 
+       dprintk("RPC:       %s:\n", __func__);
+@@ -115,20 +127,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc
+       if (code)
+               goto out;
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain) {
++              code = -ENOMEM;
++              goto out;
++      }
++
+       code = krb5_decrypt(cipher, cksum, buf, plain, 8);
+       if (code)
+-              goto out;
++              goto out_plain;
+ 
+       if ((plain[4] != plain[5]) || (plain[4] != plain[6])
+                                  || (plain[4] != plain[7])) {
+               code = (s32)KG_BAD_SEQ;
+-              goto out;
++              goto out_plain;
+       }
+ 
+       *direction = plain[4];
+ 
+       *seqnum = ((plain[0] << 24) | (plain[1] << 16) |
+                                       (plain[2] << 8) | (plain[3]));
++out_plain:
++      kfree(plain);
+ out:
+       crypto_free_skcipher(cipher);
+       return code;
+@@ -141,26 +161,33 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
+              int *direction, u32 *seqnum)
+ {
+       s32 code;
+-      unsigned char plain[8];
+       struct crypto_skcipher *key = kctx->seq;
++      unsigned char *plain;
+ 
+       dprintk("RPC:       krb5_get_seq_num:\n");
+ 
+       if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+               return krb5_get_rc4_seq_num(kctx, cksum, buf,
+                                           direction, seqnum);
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
+ 
+       if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
+-              return code;
++              goto out;
+ 
+       if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
+-          (plain[4] != plain[7]))
+-              return (s32)KG_BAD_SEQ;
++          (plain[4] != plain[7])) {
++              code = (s32)KG_BAD_SEQ;
++              goto out;
++      }
+ 
+       *direction = plain[4];
+ 
+       *seqnum = ((plain[0]) |
+                  (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
+ 
+-      return 0;
++out:
++      kfree(plain);
++      return code;
+ }