4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Dec 2018 13:41:20 +0000 (14:41 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Dec 2018 13:41:20 +0000 (14:41 +0100)
added patches:
libceph-check-authorizer-reply-challenge-length-before-reading.patch
libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch

queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch [new file with mode: 0644]
queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch b/queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch
new file mode 100644 (file)
index 0000000..313d74e
--- /dev/null
@@ -0,0 +1,36 @@
+From 130f52f2b203aa0aec179341916ffb2e905f3afd Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Fri, 27 Jul 2018 19:40:30 +0200
+Subject: libceph: check authorizer reply/challenge length before reading
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 130f52f2b203aa0aec179341916ffb2e905f3afd upstream.
+
+Avoid scribbling over memory if the received reply/challenge is larger
+than the buffer supplied with the authorizer.
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1754,6 +1754,13 @@ static int read_partial_connect(struct c
+       if (con->auth) {
+               size = le32_to_cpu(con->in_reply.authorizer_len);
++              if (size > con->auth->authorizer_reply_buf_len) {
++                      pr_err("authorizer reply too big: %d > %zu\n", size,
++                             con->auth->authorizer_reply_buf_len);
++                      ret = -EINVAL;
++                      goto out;
++              }
++
+               end += size;
+               ret = read_partial(con, end, size,
+                                  con->auth->authorizer_reply_buf);
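Review bot: The `pr_err()` in the new length check of read_partial_connect() fires on a value the peer supplies (`con->in_reply.authorizer_len`), so a peer that keeps sending oversized replies could flood the kernel log; `pr_err_ratelimited("authorizer reply too big: %d > %zu\n", size, con->auth->authorizer_reply_buf_len);` would bound that. The format specifiers suggest `size` is a signed int compared against a `size_t`, so a wire length with the top bit set is presumably rejected only through the implicit conversion to unsigned. A comment such as `/* size is peer-supplied; a negative value converts to a huge size_t and is rejected here */` would make that dependence explicit. The declarations of `size` and `ret` and the `out` label are outside the hunk, so both points should be confirmed against the full function.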
diff --git a/queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch b/queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
new file mode 100644 (file)
index 0000000..8c6b2ad
--- /dev/null
@@ -0,0 +1,34 @@
+From f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Fri, 27 Jul 2018 19:45:36 +0200
+Subject: libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f upstream.
+
+Allow for extending ceph_x_authorize_reply in the future.
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/auth_x.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/auth_x.c
++++ b/net/ceph/auth_x.c
+@@ -737,8 +737,10 @@ static int ceph_x_verify_authorizer_repl
+       ret = ceph_x_decrypt(&au->session_key, &p, p + CEPHX_AU_ENC_BUF_LEN);
+       if (ret < 0)
+               return ret;
+-      if (ret != sizeof(*reply))
+-              return -EPERM;
++      if (ret < sizeof(*reply)) {
++              pr_err("bad size %d for ceph_x_authorize_reply\n", ret);
++              return -EINVAL;
++      }
+       if (au->nonce + 1 != le64_to_cpu(reply->nonce_plus_one))
+               ret = -EPERM;
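Review bot: The relaxed test `ret < sizeof(*reply)` in ceph_x_verify_authorizer_reply() is a signed-versus-unsigned comparison that is safe only because the `ret < 0` return directly above it runs first; if the two checks were ever reordered, a negative `ret` would convert to a large unsigned value and pass. A comment on the new check would record this, for example `/* ret >= 0 here; replies longer than *reply are accepted and the trailing bytes ignored */`. A short reply also now returns -EINVAL where the old code returned -EPERM, which matters if any caller distinguishes the two. The function starts and continues outside the hunk, so how `ret` is set on the success path, now that it may exceed `sizeof(*reply)`, is not visible here.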
index 375a102ef9c6387c17799aa5657279e8fe2546b3..1921576abb23c0b73cb003b3cee34e43c896b2e1 100644 (file)
@@ -144,3 +144,5 @@ mm-use-swp_offset-as-key-in-shmem_replace_page.patch
 drivers-hv-vmbus-check-the-creation_status-in-vmbus_establish_gpadl.patch
 misc-mic-scif-fix-copy-paste-error-in-scif_create_remote_lookup.patch
 binder-fix-race-that-allows-malicious-free-of-live-buffer.patch
+libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
+libceph-check-authorizer-reply-challenge-length-before-reading.patch