4.14-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)
diff --git a/queue-4.14/series b/queue-4.14/series

index 4dbca409516085c496187f5aef3cd8c015bcfff1..1002db3714f7a8a33577e858a5522f2390b01feb 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -17,3 +17,4 @@ net-add-header-for-usage-of-fls64.patch
  tcp-tcp_v4_err-should-be-more-careful.patch
  net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch
  tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
+sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch
diff --git a/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch b/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch

new file mode 100644 (file)

index 0000000..f603002
--- /dev/null
+++ b/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch
@@ -0,0 +1,167 @@
+From e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Fri, 15 Feb 2019 13:42:02 -0500
+Subject: sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b upstream.
+
+While trying to reproduce a reported kernel panic on arm64, I discovered
+that AUTH_GSS basically doesn't work at all with older enctypes on arm64
+systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
+places using stack memory with scatterlists, causing krb5_encrypt() and
+krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
+is enabled).
+
+Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
+des3-cbc-sha1 and arcfour-hmac-md5.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/gss_krb5_seqnum.c |   49 ++++++++++++++++++++++++++--------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
++++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
+@@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+                     unsigned char *cksum, unsigned char *buf)
+ {
+       struct crypto_skcipher *cipher;
+-      unsigned char plain[8];
++      unsigned char *plain;
+       s32 code;
+ 
+       dprintk("RPC:       %s:\n", __func__);
+@@ -53,6 +53,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+       if (IS_ERR(cipher))
+               return PTR_ERR(cipher);
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
++
+       plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
+       plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
+       plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
+@@ -69,6 +73,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k
+       code = krb5_encrypt(cipher, cksum, plain, buf, 8);
+ out:
+       crypto_free_skcipher(cipher);
++      kfree(plain);
+       return code;
+ }
+ s32
+@@ -78,12 +83,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
+               u32 seqnum,
+               unsigned char *cksum, unsigned char *buf)
+ {
+-      unsigned char plain[8];
++      unsigned char *plain;
++      s32 code;
+ 
+       if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+               return krb5_make_rc4_seq_num(kctx, direction, seqnum,
+                                            cksum, buf);
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
++
+       plain[0] = (unsigned char) (seqnum & 0xff);
+       plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
+       plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
+@@ -94,7 +104,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
+       plain[6] = direction;
+       plain[7] = direction;
+ 
+-      return krb5_encrypt(key, cksum, plain, buf, 8);
++      code = krb5_encrypt(key, cksum, plain, buf, 8);
++      kfree(plain);
++      return code;
+ }
+ 
+ static s32
+@@ -102,7 +114,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc
+                    unsigned char *buf, int *direction, s32 *seqnum)
+ {
+       struct crypto_skcipher *cipher;
+-      unsigned char plain[8];
++      unsigned char *plain;
+       s32 code;
+ 
+       dprintk("RPC:       %s:\n", __func__);
+@@ -115,20 +127,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc
+       if (code)
+               goto out;
+ 
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain) {
++              code = -ENOMEM;
++              goto out;
++      }
++
+       code = krb5_decrypt(cipher, cksum, buf, plain, 8);
+       if (code)
+-              goto out;
++              goto out_plain;
+ 
+       if ((plain[4] != plain[5]) || (plain[4] != plain[6])
+                                  || (plain[4] != plain[7])) {
+               code = (s32)KG_BAD_SEQ;
+-              goto out;
++              goto out_plain;
+       }
+ 
+       *direction = plain[4];
+ 
+       *seqnum = ((plain[0] << 24) | (plain[1] << 16) |
+                                       (plain[2] << 8) | (plain[3]));
++out_plain:
++      kfree(plain);
+ out:
+       crypto_free_skcipher(cipher);
+       return code;
+@@ -141,26 +161,33 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
+              int *direction, u32 *seqnum)
+ {
+       s32 code;
+-      unsigned char plain[8];
+       struct crypto_skcipher *key = kctx->seq;
++      unsigned char *plain;
+ 
+       dprintk("RPC:       krb5_get_seq_num:\n");
+ 
+       if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+               return krb5_get_rc4_seq_num(kctx, cksum, buf,
+                                           direction, seqnum);
++      plain = kmalloc(8, GFP_NOFS);
++      if (!plain)
++              return -ENOMEM;
+ 
+       if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
+-              return code;
++              goto out;
+ 
+       if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
+-          (plain[4] != plain[7]))
+-              return (s32)KG_BAD_SEQ;
++          (plain[4] != plain[7])) {
++              code = (s32)KG_BAD_SEQ;
++              goto out;
++      }
+ 
+       *direction = plain[4];
+ 
+       *seqnum = ((plain[0]) |
+                  (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
+ 
+-      return 0;
++out:
++      kfree(plain);
++      return code;
+ }
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 Feb 2019 12:36:09 +0000 (13:36 +0100)
queue-4.14/series		patch \| blob \| blame \| history
queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch	[new file with mode: 0644]	patch \| blob