fix up queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch

diff --git a/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch b/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch
index dd96fe5f58d40588bb1957a99299fe1d66cb1131..9d7e7442996fde945b7f606c897e88c109602370 100644 (file)
--- a/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch
+++ b/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch
@@ -1,9 +1,12 @@
-From 428490e38b2e352812e0b765d8bceafab0ec441d Mon Sep 17 00:00:00 2001
+From Jason@zx2c4.com  Mon Oct  2 13:04:30 2017
 From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Wed, 20 Sep 2017 16:58:39 +0200
+Date: Mon,  2 Oct 2017 12:52:56 +0200
 Subject: security/keys: rewrite all of big_key crypto
+To: stable@vger.kernel.org
+Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Message-ID: <20171002105256.23071-1-Jason@zx2c4.com>
 
-From: Jason A. Donenfeld <Jason@zx2c4.com>
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
 
 commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.
 
@@ -39,6 +42,12 @@ So, to summarize, this commit fixes the following vulnerabilities:
   * Key re-use.
   * Faulty memory zeroing.
 
+[Note that in backporting this commit to 4.9, get_random_bytes_wait was
+replaced with get_random_bytes, since 4.9 does not have the former
+function. This might result in slightly worse entropy in key generation,
+but common use cases of big_keys makes that likely not a huge deal. And,
+this is the best we can do with this old kernel. Alas.]
+
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
 Signed-off-by: David Howells <dhowells@redhat.com>
@@ -46,11 +55,12 @@ Cc: Herbert Xu <herbert@gondor.apana.org.au>
 Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
 Cc: security@kernel.org
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
 ---
+The current patch in queue-4.9 is broken. This is a better backport.
+
  security/keys/Kconfig   |    4 -
  security/keys/big_key.c |  124 ++++++++++++++++++++++--------------------------
- 2 files changed, 59 insertions(+), 69 deletions(-)
+ 2 files changed, 58 insertions(+), 70 deletions(-)
 
 --- a/security/keys/Kconfig
 +++ b/security/keys/Kconfig
@@ -209,16 +219,15 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  
                /* generate random key */
                enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL);
-@@ -162,13 +171,12 @@ int big_key_preparse(struct key_preparse
+@@ -162,13 +171,10 @@ int big_key_preparse(struct key_preparse
                        ret = -ENOMEM;
                        goto error;
                }
 -
 -              ret = big_key_gen_enckey(enckey);
 -              if (ret)
-+              ret = get_random_bytes_wait(enckey, ENC_KEY_SIZE);
-+              if (unlikely(ret))
-                       goto err_enckey;
+-                      goto err_enckey;
++              get_random_bytes(enckey, ENC_KEY_SIZE);
  
                /* encrypt aligned data */
 -              ret = big_key_crypt(BIG_KEY_ENC, data, enclen, enckey);
@@ -226,7 +235,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
                if (ret)
                        goto err_enckey;
  
-@@ -294,7 +302,7 @@ long big_key_read(const struct key *key,
+@@ -294,7 +300,7 @@ long big_key_read(const struct key *key,
                struct file *file;
                u8 *data;
                u8 *enckey = (u8 *)key->payload.data[big_key_data];
@@ -235,7 +244,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  
                data = kmalloc(enclen, GFP_KERNEL);
                if (!data)
-@@ -342,47 +350,31 @@ error:
+@@ -342,47 +348,31 @@ error:
   */
  static int __init big_key_init(void)
  {