--- /dev/null
+From f66665c09ab489a11ca490d6a82df57cfc1bea3e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:51:27 -0700
+Subject: ecryptfs: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
+
+In eCryptfs, we failed to verify that the authentication token keys are
+not revoked before dereferencing their payloads, which is problematic
+because the payload of a revoked key is NULL. request_key() *does* skip
+revoked keys, but there is still a window where the key can be revoked
+before we acquire the key semaphore.
+
+Fix it by updating ecryptfs_get_key_payload_data() to return
+-EKEYREVOKED if the key payload is NULL. For completeness we check this
+for "encrypted" keys as well as "user" keys, although encrypted keys
+cannot be revoked currently.
+
+Alternatively we could use key_validate(), but since we'll also need to
+fix ecryptfs_get_key_payload_data() to validate the payload length, it
+seems appropriate to just check the payload pointer.
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Cc: Michael Halcrow <mhalcrow@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ fs/ecryptfs/ecryptfs_kernel.h | 24 +++++++++++++++++-------
+ fs/ecryptfs/keystore.c | 9 ++++++++-
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/fs/ecryptfs/ecryptfs_kernel.h
++++ b/fs/ecryptfs/ecryptfs_kernel.h
+@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
+ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_encrypted_key_payload_data(struct key *key)
+ {
+- if (key->type == &key_type_encrypted)
+- return (struct ecryptfs_auth_tok *)
+- (&((struct encrypted_key_payload *)key->payload.data[0])->payload_data);
+- else
++ struct encrypted_key_payload *payload;
++
++ if (key->type != &key_type_encrypted)
+ return NULL;
++
++ payload = key->payload.data[0];
++ if (!payload)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)payload->payload_data;
+ }
+
+ static inline struct key *ecryptfs_get_encrypted_key(char *sig)
+@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_key_payload_data(struct key *key)
+ {
+ struct ecryptfs_auth_tok *auth_tok;
++ const struct user_key_payload *ukp;
+
+ auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
+- if (!auth_tok)
+- return (struct ecryptfs_auth_tok *)user_key_payload(key)->data;
+- else
++ if (auth_tok)
+ return auth_tok;
++
++ ukp = user_key_payload(key);
++ if (!ukp)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)ukp->data;
+ }
+
+ #define ECRYPTFS_MAX_KEYSET_SIZE 1024
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -458,7 +458,8 @@ out:
+ * @auth_tok_key: key containing the authentication token
+ * @auth_tok: authentication token
+ *
+- * Returns zero on valid auth tok; -EINVAL otherwise
++ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
++ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
+ */
+ static int
+ ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
+@@ -467,6 +468,12 @@ ecryptfs_verify_auth_tok_from_key(struct
+ int rc = 0;
+
+ (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
++ if (IS_ERR(*auth_tok)) {
++ rc = PTR_ERR(*auth_tok);
++ *auth_tok = NULL;
++ goto out;
++ }
++
+ if (ecryptfs_verify_version((*auth_tok)->version)) {
+ printk(KERN_ERR "Data structure version mismatch. Userspace "
+ "tools must match eCryptfs kernel module with major "
--- /dev/null
+From 723f2828a98c8ca19842042f418fb30dd8cfc0f7 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 18 Oct 2017 13:12:25 +0200
+Subject: x86/microcode/intel: Disable late loading on model 79
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 723f2828a98c8ca19842042f418fb30dd8cfc0f7 upstream.
+
+Blacklist Broadwell X model 79 for late loading due to an erratum.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20171018111225.25635-1-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -990,6 +990,18 @@ static int get_ucode_fw(void *to, const
+ return 0;
+ }
+
++static bool is_blacklisted(unsigned int cpu)
++{
++ struct cpuinfo_x86 *c = &cpu_data(cpu);
++
++ if (c->x86 == 6 && c->x86_model == 79) {
++ pr_err_once("late loading on model 79 is disabled.\n");
++ return true;
++ }
++
++ return false;
++}
++
+ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
+ bool refresh_fw)
+ {
+@@ -998,6 +1010,9 @@ static enum ucode_state request_microcod
+ const struct firmware *firmware;
+ enum ucode_state ret;
+
++ if (is_blacklisted(cpu))
++ return UCODE_NFOUND;
++
+ sprintf(name, "intel-ucode/%02x-%02x-%02x",
+ c->x86, c->x86_model, c->x86_mask);
+
+@@ -1022,6 +1037,9 @@ static int get_ucode_user(void *to, cons
+ static enum ucode_state
+ request_microcode_user(int cpu, const void __user *buf, size_t size)
+ {
++ if (is_blacklisted(cpu))
++ return UCODE_NFOUND;
++
+ return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
