4.9-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)
diff --git a/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch b/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch

index e6d3e31d6d8411a8564f5f7e537c3b322125e62f..eb6b064208969dff243e82059a27d42ef6ceb4ca 100644 (file)
--- a/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch
+++ b/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch
@@ -42,6 +42,7 @@ Reported-by: syzbot+ddde1c7b7ff7442d7f2d@syzkaller.appspotmail.com
  Suggested-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  
  ---
diff --git a/queue-4.9/series b/queue-4.9/series

index 32455d7c67b97991ffd22557a40d6c367d33b517..ec070f0961f02ec72eb35f822e620fc924cb7596 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -25,3 +25,4 @@ drm-amdgpu-add-atpx-quirk-handling-v2.patch
  drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
  drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
  binder-add-missing-binder_unlock.patch
+x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
diff --git a/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch b/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch

new file mode 100644 (file)

index 0000000..6e055a6
--- /dev/null
+++ b/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
@@ -0,0 +1,62 @@
+From ebiggers3@gmail.com  Mon Feb 26 20:46:24 2018
+From: Eric Biggers <ebiggers3@gmail.com>
+Date: Mon, 26 Feb 2018 10:17:15 -0800
+Subject: X.509: fix NULL dereference when restricting key with unsupported_sig
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: keyrings@vger.kernel.org, Eric Biggers <ebiggers@google.com>, David Howells <dhowells@redhat.com>
+Message-ID: <20180226181715.194965-1-ebiggers3@gmail.com>
+
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4b34968e77ad09628cfb3c4a7daf2adc2cefc6e8 upstream.
+
+The asymmetric key type allows an X.509 certificate to be added even if
+its signature's hash algorithm is not available in the crypto API.  In
+that case 'payload.data[asym_auth]' will be NULL.  But the key
+restriction code failed to check for this case before trying to use the
+signature, resulting in a NULL pointer dereference in
+key_or_keyring_common() or in restrict_link_by_signature().
+
+Fix this by returning -ENOPKG when the signature is unsupported.
+
+Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and
+keyctl has support for the 'restrict_keyring' command:
+
+    keyctl new_session
+    keyctl restrict_keyring @s asymmetric builtin_trusted
+    openssl req -new -sha512 -x509 -batch -nodes -outform der \
+        | keyctl padd asymmetric desc @s
+
+Fixes: a511e1af8b12 ("KEYS: Move the point of trust determination to __key_link()")
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/asymmetric_keys/restrict.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/crypto/asymmetric_keys/restrict.c
++++ b/crypto/asymmetric_keys/restrict.c
+@@ -66,8 +66,9 @@ __setup("ca_keys=", ca_keys_setup);
+  *
+  * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
+  * matching parent certificate in the trusted list, -EKEYREJECTED if the
+- * signature check fails or the key is blacklisted and some other error if
+- * there is a matching certificate but the signature check cannot be performed.
++ * signature check fails or the key is blacklisted, -ENOPKG if the signature
++ * uses unsupported crypto, or some other error if there is a matching
++ * certificate but the signature check cannot be performed.
+  */
+ int restrict_link_by_signature(struct key *trust_keyring,
+                              const struct key_type *type,
+@@ -86,6 +87,8 @@ int restrict_link_by_signature(struct ke
+               return -EOPNOTSUPP;
+ 
+       sig = payload->data[asym_auth];
++      if (!sig)
++              return -ENOPKG;
+       if (!sig->auth_ids[0] && !sig->auth_ids[1])
+               return -ENOKEY;
+
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 26 Feb 2018 19:46:56 +0000 (20:46 +0100)
queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch		patch \| blob \| blame \| history
queue-4.9/series		patch \| blob \| blame \| history
queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch	[new file with mode: 0644]	patch \| blob