--- /dev/null
+From 374503c6109e60f48fa9b11341b14466f07bd3f4 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 17 May 2017 06:50:32 +0000
+Subject: ASoC: rsnd: check src mod pointer for rsnd_mod_id()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+commit 374503c6109e60f48fa9b11341b14466f07bd3f4 upstream.
+
+Without this patch, gcc 4.9.x says
+
+ sound/soc/sh/rcar/cmd.c: In function 'rsnd_cmd_init':
+ sound/soc/sh/rcar/cmd.c:85:14: warning: array subscript is below array\
+ bounds [-Warray-bounds]
+ data = path[rsnd_mod_id(src)] |
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/sh/rcar/cmd.c
++++ b/sound/soc/sh/rcar/cmd.c
+@@ -82,6 +82,9 @@ static int rsnd_cmd_init(struct rsnd_mod
+ [9] = 0x2,
+ };
+
++ if (unlikely(!src))
++ return -EIO;
++
+ data = path[rsnd_mod_id(src)] |
+ cmd_case[rsnd_mod_id(src)] << 16;
+ }
--- /dev/null
+From cabfb3680f78981d26c078a26e5c748531257ebb Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 7 Nov 2016 18:20:50 -0800
+Subject: CIFS: Enable encryption during session setup phase
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit cabfb3680f78981d26c078a26e5c748531257ebb upstream.
+
+In order to allow encryption on SMB connection we need to exchange
+a session key and generate encryption and decryption keys.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Cc: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ fs/cifs/sess.c | 22 ++++++++++------------
+ fs/cifs/smb2pdu.c | 12 ++----------
+ 2 files changed, 12 insertions(+), 22 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsign
+ /* BB is NTLMV2 session security format easier to use here? */
+ flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
+ NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+- if (ses->server->sign) {
++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
++ NTLMSSP_NEGOTIATE_SEAL;
++ if (ses->server->sign)
+ flags |= NTLMSSP_NEGOTIATE_SIGN;
+- if (!ses->server->session_estab ||
+- ses->ntlmssp->sesskey_per_smbsess)
+- flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+- }
++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+
+ sec_blob->NegotiateFlags = cpu_to_le32(flags);
+
+@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned cha
+ flags = NTLMSSP_NEGOTIATE_56 |
+ NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
+ NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+- if (ses->server->sign) {
++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
++ NTLMSSP_NEGOTIATE_SEAL;
++ if (ses->server->sign)
+ flags |= NTLMSSP_NEGOTIATE_SIGN;
+- if (!ses->server->session_estab ||
+- ses->ntlmssp->sesskey_per_smbsess)
+- flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+- }
++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
+
+ tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
+ sec_blob->NegotiateFlags = cpu_to_le32(flags);
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -707,15 +707,13 @@ SMB2_sess_establish_session(struct SMB2_
+ struct cifs_ses *ses = sess_data->ses;
+
+ mutex_lock(&ses->server->srv_mutex);
+- if (ses->server->sign && ses->server->ops->generate_signingkey) {
++ if (ses->server->ops->generate_signingkey) {
+ rc = ses->server->ops->generate_signingkey(ses);
+- kfree(ses->auth_key.response);
+- ses->auth_key.response = NULL;
+ if (rc) {
+ cifs_dbg(FYI,
+ "SMB3 session key generation failed\n");
+ mutex_unlock(&ses->server->srv_mutex);
+- goto keygen_exit;
++ return rc;
+ }
+ }
+ if (!ses->server->session_estab) {
+@@ -729,12 +727,6 @@ SMB2_sess_establish_session(struct SMB2_
+ ses->status = CifsGood;
+ ses->need_reconnect = false;
+ spin_unlock(&GlobalMid_Lock);
+-
+-keygen_exit:
+- if (!ses->server->sign) {
+- kfree(ses->auth_key.response);
+- ses->auth_key.response = NULL;
+- }
+ return rc;
+ }
+
--- /dev/null
+From 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 25 Oct 2017 15:58:31 -0500
+Subject: SMB3: Validate negotiate request must always be signed
+
+From: Steve French <smfrench@gmail.com>
+
+commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
+
+According to MS-SMB2 3.2.55 validate_negotiate request must
+always be signed. Some Windows can fail the request if you send it unsigned
+
+See kernel bugzilla bug 197311
+
+CC: Stable <stable@vger.kernel.org>
+Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1712,6 +1712,9 @@ SMB2_ioctl(const unsigned int xid, struc
+ } else
+ iov[0].iov_len = get_rfc1002_length(req) + 4;
+
++ /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
++ req->hdr.Flags |= SMB2_FLAGS_SIGNED;
+
+ rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
+ rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
--- /dev/null
+From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:28:08 -0800
+Subject: tpm: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+
+commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. If a bit does
+flip it could cause an overrun if it's in one of the size parameters,
+so sanity check that we're not overrunning the provided buffer when
+doing a memcpy().
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c | 5 +++++
+ drivers/char/tpm/tpm2-cmd.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1078,6 +1078,11 @@ int tpm_get_random(u32 chip_num, u8 *out
+ break;
+
+ recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
++ if (recd > num_bytes) {
++ total = -EFAULT;
++ break;
++ }
++
+ memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
+
+ dest += recd;
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -668,6 +668,11 @@ static int tpm2_unseal_cmd(struct tpm_ch
+ if (!rc) {
+ data_len = be16_to_cpup(
+ (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
++ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
++ rc = -EFAULT;
++ goto out;
++ }
++
+ data = &buf.data[TPM_HEADER_SIZE + 6];
+
+ memcpy(payload->key, data, data_len - 1);
+@@ -675,6 +680,7 @@ static int tpm2_unseal_cmd(struct tpm_ch
+ payload->migratable = data[data_len - 1];
+ }
+
++out:
+ tpm_buf_destroy(&buf);
+ return rc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
