--- /dev/null
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -320,6 +320,9 @@ void ima_update_xattr(struct integrity_i
+ if (iint->flags & IMA_DIGSIG)
+ return;
+
++ if (iint->ima_file_status != INTEGRITY_PASS)
++ return;
++
+ rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
+ if (rc < 0)
+ return;
--- /dev/null
+From fd97e66c5529046e989a0879c3bb58fddb592c71 Mon Sep 17 00:00:00 2001
+From: "Ji-Ze Hong (Peter Hong)" <hpeter@gmail.com>
+Date: Tue, 17 Oct 2017 14:23:08 +0800
+Subject: serial: 8250_fintek: Fix finding base_port with activated SuperIO
+
+From: Ji-Ze Hong (Peter Hong) <hpeter@gmail.com>
+
+commit fd97e66c5529046e989a0879c3bb58fddb592c71 upstream.
+
+The SuperIO will be configured at boot time by BIOS, but some BIOS
+will not deactivate the SuperIO when the end of configuration. It'll
+lead to mismatch for pdata->base_port in probe_setup_port(). So we'll
+deactivate all SuperIO before activate special base_port in
+fintek_8250_enter_key().
+
+Tested on iBASE MI802.
+
+Tested-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
+Signed-off-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
+Reviewd-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_fintek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -118,6 +118,9 @@ static int fintek_8250_enter_key(u16 bas
+ if (!request_muxed_region(base_port, 2, "8250_fintek"))
+ return -EBUSY;
+
++ /* Force to deactive all SuperIO in this base_port */
++ outb(EXIT_KEY, base_port + ADDR_PORT);
++
+ outb(key, base_port + ADDR_PORT);
+ outb(key, base_port + ADDR_PORT);
+ return 0;
--- /dev/null
+From 2a71de2f7366fb1aec632116d0549ec56d6a3940 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 21 Oct 2017 10:50:18 +0200
+Subject: serial: omap: Fix EFR write on RTS deassertion
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream.
+
+Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable
+auto RTS upon manual RTS assertion and disable it on deassertion.
+However it seems the latter was done incorrectly, it clears all bits in
+the Extended Features Register *except* auto RTS.
+
+Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling")
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/omap-serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/omap-serial.c
++++ b/drivers/tty/serial/omap-serial.c
+@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct
+ if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS))
+ up->efr |= UART_EFR_RTS;
+ else
+- up->efr &= UART_EFR_RTS;
++ up->efr &= ~UART_EFR_RTS;
+ serial_out(up, UART_EFR, up->efr);
+ serial_out(up, UART_LCR, lcr);
+
sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
fealnx-fix-building-error-on-mips.patch
net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
+serial-omap-fix-efr-write-on-rts-deassertion.patch
+serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
+tpm-dev-common-reject-too-short-writes.patch
--- /dev/null
+From ee70bc1e7b63ac8023c9ff9475d8741e397316e7 Mon Sep 17 00:00:00 2001
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+Date: Fri, 8 Sep 2017 17:21:32 +0200
+Subject: tpm-dev-common: Reject too short writes
+
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+
+commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream.
+
+tpm_transmit() does not offer an explicit interface to indicate the number
+of valid bytes in the communication buffer. Instead, it relies on the
+commandSize field in the TPM header that is encoded within the buffer.
+Therefore, ensure that a) enough data has been written to the buffer, so
+that the commandSize field is present and b) the commandSize field does not
+announce more data than has been written to the buffer.
+
+This should have been fixed with CVE-2011-1161 long ago, but apparently
+a correct version of that patch never made it into the kernel.
+
+Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-dev-common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -110,6 +110,12 @@ ssize_t tpm_common_write(struct file *fi
+ return -EFAULT;
+ }
+
++ if (in_size < 6 ||
++ in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) {
++ mutex_unlock(&priv->buffer_mutex);
++ return -EINVAL;
++ }
++
+ /* atomic tpm command send and result receive. We only hold the ops
+ * lock during this period so that the tpm can be unregistered even if
+ * the char dev is held open.
projects / thirdparty / kernel / stable-queue.git / commitdiff
