--- /dev/null
+From 12d41a023efb01b846457ccdbbcbe2b65a87d530 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 5 Nov 2017 18:30:44 -0800
+Subject: crypto: dh - Fix double free of ctx->p
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.
+
+When setting the secret with the software Diffie-Hellman implementation,
+if allocating 'g' failed (e.g. if it was longer than
+MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
+once later when the crypto_kpp tfm was destroyed.
+
+Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
+paths, as that correctly sets the pointers to NULL.
+
+KASAN report:
+
+ MPI: mpi too large (32760 bits)
+ ==================================================================
+ BUG: KASAN: use-after-free in mpi_free+0x131/0x170
+ Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
+
+ CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ dump_stack+0xb3/0x10b
+ ? mpi_free+0x131/0x170
+ print_address_description+0x79/0x2a0
+ ? mpi_free+0x131/0x170
+ kasan_report+0x236/0x340
+ ? akcipher_register_instance+0x90/0x90
+ __asan_report_load4_noabort+0x14/0x20
+ mpi_free+0x131/0x170
+ ? akcipher_register_instance+0x90/0x90
+ dh_exit_tfm+0x3d/0x140
+ crypto_kpp_exit_tfm+0x52/0x70
+ crypto_destroy_tfm+0xb3/0x250
+ __keyctl_dh_compute+0x640/0xe90
+ ? kasan_slab_free+0x12f/0x180
+ ? dh_data_from_key+0x240/0x240
+ ? key_create_or_update+0x1ee/0xb20
+ ? key_instantiate_and_link+0x440/0x440
+ ? lock_contended+0xee0/0xee0
+ ? kfree+0xcf/0x210
+ ? SyS_add_key+0x268/0x340
+ keyctl_dh_compute+0xb3/0xf1
+ ? __keyctl_dh_compute+0xe90/0xe90
+ ? SyS_add_key+0x26d/0x340
+ ? entry_SYSCALL_64_fastpath+0x5/0xbe
+ ? trace_hardirqs_on_caller+0x3f4/0x560
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x43ccf9
+ RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
+ RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
+ RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
+ RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
+ R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
+
+ Allocated by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_kmalloc+0xeb/0x180
+ kmem_cache_alloc_trace+0x114/0x300
+ mpi_alloc+0x4b/0x230
+ mpi_read_raw_data+0xbe/0x360
+ dh_set_secret+0x1dc/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+ Freed by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_slab_free+0xab/0x180
+ kfree+0xb5/0x210
+ mpi_free+0xcb/0x170
+ dh_set_secret+0x2d7/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/dh.c | 33 +++++++++++++--------------------
+ 1 file changed, 13 insertions(+), 20 deletions(-)
+
+--- a/crypto/dh.c
++++ b/crypto/dh.c
+@@ -21,19 +21,12 @@ struct dh_ctx {
+ MPI xa;
+ };
+
+-static inline void dh_clear_params(struct dh_ctx *ctx)
++static void dh_clear_ctx(struct dh_ctx *ctx)
+ {
+ mpi_free(ctx->p);
+ mpi_free(ctx->g);
+- ctx->p = NULL;
+- ctx->g = NULL;
+-}
+-
+-static void dh_free_ctx(struct dh_ctx *ctx)
+-{
+- dh_clear_params(ctx);
+ mpi_free(ctx->xa);
+- ctx->xa = NULL;
++ memset(ctx, 0, sizeof(*ctx));
+ }
+
+ /*
+@@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx *
+ return -EINVAL;
+
+ ctx->g = mpi_read_raw_data(params->g, params->g_size);
+- if (!ctx->g) {
+- mpi_free(ctx->p);
++ if (!ctx->g)
+ return -EINVAL;
+- }
+
+ return 0;
+ }
+@@ -85,21 +76,23 @@ static int dh_set_secret(struct crypto_k
+ struct dh params;
+
+ /* Free the old MPI key if any */
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+
+ if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ if (dh_set_params(ctx, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ ctx->xa = mpi_read_raw_data(params.key, params.key_size);
+- if (!ctx->xa) {
+- dh_clear_params(ctx);
+- return -EINVAL;
+- }
++ if (!ctx->xa)
++ goto err_clear_ctx;
+
+ return 0;
++
++err_clear_ctx:
++ dh_clear_ctx(ctx);
++ return -EINVAL;
+ }
+
+ static int dh_compute_value(struct kpp_request *req)
+@@ -157,7 +150,7 @@ static void dh_exit_tfm(struct crypto_kp
+ {
+ struct dh_ctx *ctx = dh_get_ctx(tfm);
+
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+ }
+
+ static struct kpp_alg dh = {
--- /dev/null
+From ee34e2644a78e2561742bea8c4bdcf83cabf90a7 Mon Sep 17 00:00:00 2001
+From: Tudor-Dan Ambarus <tudor.ambarus@microchip.com>
+Date: Thu, 25 May 2017 10:18:07 +0300
+Subject: crypto: dh - fix memleak in setkey
+
+From: Tudor-Dan Ambarus <tudor.ambarus@microchip.com>
+
+commit ee34e2644a78e2561742bea8c4bdcf83cabf90a7 upstream.
+
+setkey can be called multiple times during the existence
+of the transformation object. In case of multiple setkey calls,
+the old key was not freed and we leaked memory.
+Free the old MPI key if any.
+
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/dh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/dh.c
++++ b/crypto/dh.c
+@@ -84,6 +84,9 @@ static int dh_set_secret(struct crypto_k
+ struct dh_ctx *ctx = dh_get_ctx(tfm);
+ struct dh params;
+
++ /* Free the old MPI key if any */
++ dh_free_ctx(ctx);
++
+ if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
+ return -EINVAL;
+
--- /dev/null
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -303,6 +303,9 @@ void ima_update_xattr(struct integrity_i
+ if (iint->flags & IMA_DIGSIG)
+ return;
+
++ if (iint->ima_file_status != INTEGRITY_PASS)
++ return;
++
+ rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
+ if (rc < 0)
+ return;
--- /dev/null
+From fd97e66c5529046e989a0879c3bb58fddb592c71 Mon Sep 17 00:00:00 2001
+From: "Ji-Ze Hong (Peter Hong)" <hpeter@gmail.com>
+Date: Tue, 17 Oct 2017 14:23:08 +0800
+Subject: serial: 8250_fintek: Fix finding base_port with activated SuperIO
+
+From: Ji-Ze Hong (Peter Hong) <hpeter@gmail.com>
+
+commit fd97e66c5529046e989a0879c3bb58fddb592c71 upstream.
+
+The SuperIO will be configured at boot time by BIOS, but some BIOS
+will not deactivate the SuperIO when the end of configuration. It'll
+lead to mismatch for pdata->base_port in probe_setup_port(). So we'll
+deactivate all SuperIO before activate special base_port in
+fintek_8250_enter_key().
+
+Tested on iBASE MI802.
+
+Tested-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
+Signed-off-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
+Reviewd-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_fintek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -54,6 +54,9 @@ static int fintek_8250_enter_key(u16 bas
+ if (!request_muxed_region(base_port, 2, "8250_fintek"))
+ return -EBUSY;
+
++ /* Force to deactive all SuperIO in this base_port */
++ outb(EXIT_KEY, base_port + ADDR_PORT);
++
+ outb(key, base_port + ADDR_PORT);
+ outb(key, base_port + ADDR_PORT);
+ return 0;
--- /dev/null
+From 2a71de2f7366fb1aec632116d0549ec56d6a3940 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 21 Oct 2017 10:50:18 +0200
+Subject: serial: omap: Fix EFR write on RTS deassertion
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream.
+
+Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable
+auto RTS upon manual RTS assertion and disable it on deassertion.
+However it seems the latter was done incorrectly, it clears all bits in
+the Extended Features Register *except* auto RTS.
+
+Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling")
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/omap-serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/omap-serial.c
++++ b/drivers/tty/serial/omap-serial.c
+@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct
+ if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS))
+ up->efr |= UART_EFR_RTS;
+ else
+- up->efr &= UART_EFR_RTS;
++ up->efr &= ~UART_EFR_RTS;
+ serial_out(up, UART_EFR, up->efr);
+ serial_out(up, UART_LCR, lcr);
+
sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
fealnx-fix-building-error-on-mips.patch
net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
+crypto-dh-fix-memleak-in-setkey.patch
+crypto-dh-fix-double-free-of-ctx-p.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
+serial-omap-fix-efr-write-on-rts-deassertion.patch
+serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
