4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 10:32:22 +0000 (11:32 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 10:32:22 +0000 (11:32 +0100)
added patches:
cifs-enable-encryption-during-session-setup-phase.patch
smb3-validate-negotiate-request-must-always-be-signed.patch
tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch

queue-3.18/series [new file with mode: 0644]
queue-4.4/cifs-enable-encryption-during-session-setup-phase.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.4/smb3-validate-negotiate-request-must-always-be-signed.patch [new file with mode: 0644]
queue-4.4/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch [new file with mode: 0644]
queue-4.4/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]

diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/queue-4.4/cifs-enable-encryption-during-session-setup-phase.patch b/queue-4.4/cifs-enable-encryption-during-session-setup-phase.patch
new file mode 100644 (file)
index 0000000..cf9739a
--- /dev/null
@@ -0,0 +1,87 @@
+From cabfb3680f78981d26c078a26e5c748531257ebb Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 7 Nov 2016 18:20:50 -0800
+Subject: CIFS: Enable encryption during session setup phase
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit cabfb3680f78981d26c078a26e5c748531257ebb upstream.
+
+In order to allow encryption on SMB connection we need to exchange
+a session key and generate encryption and decryption keys.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
+Cc: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/sess.c    |   22 ++++++++++------------
+ fs/cifs/smb2pdu.c |    8 +-------
+ 2 files changed, 11 insertions(+), 19 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsign
+       /* BB is NTLMV2 session security format easier to use here? */
+       flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
+               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+-              NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+-      if (ses->server->sign) {
++              NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
++              NTLMSSP_NEGOTIATE_SEAL;
++      if (ses->server->sign)
+               flags |= NTLMSSP_NEGOTIATE_SIGN;
+-              if (!ses->server->session_estab ||
+-                              ses->ntlmssp->sesskey_per_smbsess)
+-                      flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+-      }
++      if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
++              flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+       sec_blob->NegotiateFlags = cpu_to_le32(flags);
+@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned cha
+       flags = NTLMSSP_NEGOTIATE_56 |
+               NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
+               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+-              NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+-      if (ses->server->sign) {
++              NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
++              NTLMSSP_NEGOTIATE_SEAL;
++      if (ses->server->sign)
+               flags |= NTLMSSP_NEGOTIATE_SIGN;
+-              if (!ses->server->session_estab ||
+-                              ses->ntlmssp->sesskey_per_smbsess)
+-                      flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+-      }
++      if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
++              flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+       tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
+       sec_blob->NegotiateFlags = cpu_to_le32(flags);
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -832,10 +832,8 @@ ssetup_exit:
+       if (!rc) {
+               mutex_lock(&server->srv_mutex);
+-              if (server->sign && server->ops->generate_signingkey) {
++              if (server->ops->generate_signingkey) {
+                       rc = server->ops->generate_signingkey(ses);
+-                      kfree(ses->auth_key.response);
+-                      ses->auth_key.response = NULL;
+                       if (rc) {
+                               cifs_dbg(FYI,
+                                       "SMB3 session key generation failed\n");
+@@ -857,10 +855,6 @@ ssetup_exit:
+       }
+ keygen_exit:
+-      if (!server->sign) {
+-              kfree(ses->auth_key.response);
+-              ses->auth_key.response = NULL;
+-      }
+       if (spnego_key) {
+               key_invalidate(spnego_key);
+               key_put(spnego_key);
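Review bot: With both `kfree(ses->auth_key.response)` calls removed in the fs/cifs/smb2pdu.c hunks (after `generate_signingkey()` and at `keygen_exit`), the session key buffer now outlives session setup on every path, including the one where `generate_signingkey()` returns an error. The hunks do not show where that buffer is released afterwards, so the session teardown path should be confirmed to free it, preferably with a zeroing free because it holds key material. A comment at `keygen_exit` would make the new lifetime explicit, for example `/* ses->auth_key.response is kept past setup for later key generation; freed in <teardown function> */`. The surrounding function starts and ends outside the hunks shown.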
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..f0a94f8
--- /dev/null
@@ -0,0 +1,4 @@
+tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+smb3-validate-negotiate-request-must-always-be-signed.patch
+cifs-enable-encryption-during-session-setup-phase.patch
diff --git a/queue-4.4/smb3-validate-negotiate-request-must-always-be-signed.patch b/queue-4.4/smb3-validate-negotiate-request-must-always-be-signed.patch
new file mode 100644 (file)
index 0000000..e4edeeb
--- /dev/null
@@ -0,0 +1,36 @@
+From 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 25 Oct 2017 15:58:31 -0500
+Subject: SMB3: Validate negotiate request must always be signed
+
+From: Steve French <smfrench@gmail.com>
+
+commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
+
+According to MS-SMB2 3.2.55 validate_negotiate request must
+always be signed. Some Windows can fail the request if you send it unsigned
+
+See kernel bugzilla bug 197311
+
+CC: Stable <stable@vger.kernel.org>
+Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1558,6 +1558,9 @@ SMB2_ioctl(const unsigned int xid, struc
+       } else
+               iov[0].iov_len = get_rfc1002_length(req) + 4;
++      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
++      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
++              req->hdr.Flags |= SMB2_FLAGS_SIGNED;
+       rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
+       rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
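Review bot: The added `req->hdr.Flags |= SMB2_FLAGS_SIGNED;` in SMB2_ioctl is keyed on the opcode alone and does not check that the session actually holds a signing key. Whether a key exists when signing was not negotiated is decided in session-setup code outside this hunk; in this queue that code is changed by cifs-enable-encryption-during-session-setup-phase.patch, which queue-4.4/series lists after this patch, so the ordering and any sessions that never derive a key are worth confirming. It would help to extend the comment to say so, e.g. `/* requires a signing key even when server->sign is false */`. The comment cites MS-SMB2 3.2.5.5 while the commit message says 3.2.55; the comment's form looks like the intended one.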
diff --git a/queue-4.4/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.4/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644 (file)
index 0000000..f16cf36
--- /dev/null
@@ -0,0 +1,65 @@
+From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:28:08 -0800
+Subject: tpm: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+
+commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips.  If a bit does
+flip it could cause an overrun if it's in one of the size parameters,
+so sanity check that we're not overrunning the provided buffer when
+doing a memcpy().
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c |    5 +++++
+ drivers/char/tpm/tpm2-cmd.c      |    6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1040,6 +1040,11 @@ int tpm_get_random(u32 chip_num, u8 *out
+                       break;
+               recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
++              if (recd > num_bytes) {
++                      total = -EFAULT;
++                      break;
++              }
++
+               memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
+               dest += recd;
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -622,6 +622,11 @@ static int tpm2_unseal_cmd(struct tpm_ch
+       if (!rc) {
+               data_len = be16_to_cpup(
+                       (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
++              if (data_len < MIN_KEY_SIZE ||  data_len > MAX_KEY_SIZE + 1) {
++                      rc = -EFAULT;
++                      goto out;
++              }
++
+               data = &buf.data[TPM_HEADER_SIZE + 6];
+               memcpy(payload->key, data, data_len - 1);
+@@ -629,6 +634,7 @@ static int tpm2_unseal_cmd(struct tpm_ch
+               payload->migratable = data[data_len - 1];
+       }
++out:
+       tpm_buf_destroy(&buf);
+       return rc;
+ }
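Review bot: In tpm2_unseal_cmd the new check bounds `data_len` against the destination (`MIN_KEY_SIZE` to `MAX_KEY_SIZE + 1`) but not against how many bytes the response actually contains, so the `memcpy()` from `&buf.data[TPM_HEADER_SIZE + 6]` can still read past the end of a short or corrupted response. A second guard on the source side would close that, e.g. `if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 6 + data_len) { rc = -EFAULT; goto out; }`, assuming the header length in `buf` reflects the received response at this point. Separately, both hunks report a malformed device response as `-EFAULT`, whereas the tpm_tis patch in this same commit uses `-EIO` for the same class of error; one code for both would be easier for callers to handle. In tpm_get_random the early `break` with `total = -EFAULT` also discards any bytes already copied in earlier iterations, which deserves a short comment if intended.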
diff --git a/queue-4.4/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.4/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644 (file)
index 0000000..ca2b545
--- /dev/null
@@ -0,0 +1,51 @@
+From 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:32:06 -0800
+Subject: tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+
+commit 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips.  In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data.  Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_tis.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -283,7 +283,8 @@ static int recv_data(struct tpm_chip *ch
+ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+       int size = 0;
+-      int expected, status;
++      int status;
++      u32 expected;
+       if (count < TPM_HEADER_SIZE) {
+               size = -EIO;
+@@ -298,7 +299,7 @@ static int tpm_tis_recv(struct tpm_chip
+       }
+       expected = be32_to_cpu(*(__be32 *) (buf + 2));
+-      if (expected > count) {
++      if (expected > count || expected < TPM_HEADER_SIZE) {
+               size = -EIO;
+               goto out;
+       }
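Review bot: Changing `expected` from `int` to `u32` in tpm_tis_recv also changes every later comparison between `expected` and the signed `size` into an unsigned comparison, and that part of the function is outside these hunks. If the remainder of the body compares `size` against `expected` after adding a return value that can be negative, the error case would no longer be caught; this should be checked against the full function. A short comment at the declaration would record why the type matters, e.g. `u32 expected; /* unsigned: a flipped top bit must not yield a negative length */`.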
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..1f28b41
--- /dev/null
@@ -0,0 +1,4 @@
+tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+asoc-rsnd-check-src-mod-pointer-for-rsnd_mod_id.patch
+smb3-validate-negotiate-request-must-always-be-signed.patch
+cifs-enable-encryption-during-session-setup-phase.patch