From: Greg Kroah-Hartman Date: Thu, 21 Feb 2019 12:36:26 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v3.18.136~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16f3f6ecd5f6594e111240d6296092386a8f168d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch --- diff --git a/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch b/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch new file mode 100644 index 00000000000..3eb35f86e2c --- /dev/null +++ b/queue-4.19/netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch @@ -0,0 +1,50 @@ +From c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 6 Feb 2019 22:56:15 +0100 +Subject: netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs + +From: Jann Horn + +commit c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc upstream. + +The generic ASN.1 decoder infrastructure doesn't guarantee that callbacks +will get as much data as they expect; callbacks have to check the `datalen` +parameter before looking at `data`. Make sure that snmp_version() and +snmp_helper() don't read/write beyond the end of the packet data. + +(Also move the assignment to `pdata` down below the check to make it clear +that it isn't necessarily a pointer we can use before the `datalen` check.) + +Fixes: cc2d58634e0f ("netfilter: nf_nat_snmp_basic: use asn1 decoder library") +Signed-off-by: Jann Horn +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c ++++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c +@@ -104,6 +104,8 @@ static void fast_csum(struct snmp_ctx *c + int snmp_version(void *context, size_t hdrlen, unsigned char tag, + const void *data, size_t datalen) + { ++ if (datalen != 1) ++ return -EINVAL; + if (*(unsigned char *)data > 1) + return -ENOTSUPP; + return 1; +@@ -113,8 +115,11 @@ int snmp_helper(void *context, size_t hd + const void *data, size_t datalen) + { + struct snmp_ctx *ctx = (struct snmp_ctx *)context; +- __be32 *pdata = (__be32 *)data; ++ __be32 *pdata; + ++ if (datalen != 4) ++ return -EINVAL; ++ pdata = (__be32 *)data; + if (*pdata == ctx->from) { + pr_debug("%s: %pI4 to %pI4\n", __func__, + (void *)&ctx->from, (void *)&ctx->to); diff --git a/queue-4.19/series b/queue-4.19/series index 702bac08a00..5b1674144d5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -23,3 +23,5 @@ scsi-target-core-use-kmem_cache_free-instead-of-kfree.patch x86_64-increase-stack-size-for-kasan_extra.patch mmc-meson-gx-fix-interrupt-name.patch pci-fix-__initdata-issue-with-pci-disable_acs_redir-parameter.patch +sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch +netfilter-nf_nat_snmp_basic-add-missing-length-checks-in-asn.1-cbs.patch diff --git a/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch b/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch new file mode 100644 index 00000000000..f60300228f0 --- /dev/null +++ b/queue-4.19/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch @@ -0,0 +1,167 @@ +From e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Fri, 15 Feb 2019 13:42:02 -0500 +Subject: sunrpc: fix 4 more call sites that were using stack memory with a scatterlist + +From: Scott Mayhew + +commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b upstream. + +While trying to reproduce a reported kernel panic on arm64, I discovered +that AUTH_GSS basically doesn't work at all with older enctypes on arm64 +systems with CONFIG_VMAP_STACK enabled. It turns out there still a few +places using stack memory with scatterlists, causing krb5_encrypt() and +krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG +is enabled). + +Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using +des3-cbc-sha1 and arcfour-hmac-md5. + +Signed-off-by: Scott Mayhew +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/gss_krb5_seqnum.c | 49 ++++++++++++++++++++++++++-------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c ++++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c +@@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + unsigned char *cksum, unsigned char *buf) + { + struct crypto_skcipher *cipher; +- unsigned char plain[8]; ++ unsigned char *plain; + s32 code; + + dprintk("RPC: %s:\n", __func__); +@@ -53,6 +53,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; ++ + plain[0] = (unsigned char) ((seqnum >> 24) & 0xff); + plain[1] = (unsigned char) ((seqnum >> 16) & 0xff); + plain[2] = (unsigned char) ((seqnum >> 8) & 0xff); +@@ -69,6 +73,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + code = krb5_encrypt(cipher, cksum, plain, buf, 8); + out: + crypto_free_skcipher(cipher); ++ kfree(plain); + return code; + } + s32 +@@ -78,12 +83,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx, + u32 seqnum, + unsigned char *cksum, unsigned char *buf) + { +- unsigned char plain[8]; ++ unsigned char *plain; ++ s32 code; + + if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) + return krb5_make_rc4_seq_num(kctx, direction, seqnum, + cksum, buf); + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; ++ + plain[0] = (unsigned char) (seqnum & 0xff); + plain[1] = (unsigned char) ((seqnum >> 8) & 0xff); + plain[2] = (unsigned char) ((seqnum >> 16) & 0xff); +@@ -94,7 +104,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx, + plain[6] = direction; + plain[7] = direction; + +- return krb5_encrypt(key, cksum, plain, buf, 8); ++ code = krb5_encrypt(key, cksum, plain, buf, 8); ++ kfree(plain); ++ return code; + } + + static s32 +@@ -102,7 +114,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc + unsigned char *buf, int *direction, s32 *seqnum) + { + struct crypto_skcipher *cipher; +- unsigned char plain[8]; ++ unsigned char *plain; + s32 code; + + dprintk("RPC: %s:\n", __func__); +@@ -115,20 +127,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc + if (code) + goto out; + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) { ++ code = -ENOMEM; ++ goto out; ++ } ++ + code = krb5_decrypt(cipher, cksum, buf, plain, 8); + if (code) +- goto out; ++ goto out_plain; + + if ((plain[4] != plain[5]) || (plain[4] != plain[6]) + || (plain[4] != plain[7])) { + code = (s32)KG_BAD_SEQ; +- goto out; ++ goto out_plain; + } + + *direction = plain[4]; + + *seqnum = ((plain[0] << 24) | (plain[1] << 16) | + (plain[2] << 8) | (plain[3])); ++out_plain: ++ kfree(plain); + out: + crypto_free_skcipher(cipher); + return code; +@@ -141,26 +161,33 @@ krb5_get_seq_num(struct krb5_ctx *kctx, + int *direction, u32 *seqnum) + { + s32 code; +- unsigned char plain[8]; + struct crypto_skcipher *key = kctx->seq; ++ unsigned char *plain; + + dprintk("RPC: krb5_get_seq_num:\n"); + + if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) + return krb5_get_rc4_seq_num(kctx, cksum, buf, + direction, seqnum); ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; + + if ((code = krb5_decrypt(key, cksum, buf, plain, 8))) +- return code; ++ goto out; + + if ((plain[4] != plain[5]) || (plain[4] != plain[6]) || +- (plain[4] != plain[7])) +- return (s32)KG_BAD_SEQ; ++ (plain[4] != plain[7])) { ++ code = (s32)KG_BAD_SEQ; ++ goto out; ++ } + + *direction = plain[4]; + + *seqnum = ((plain[0]) | + (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24)); + +- return 0; ++out: ++ kfree(plain); ++ return code; + }