From: Greg Kroah-Hartman Date: Tue, 4 Dec 2018 13:41:20 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.7~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d5cfe60ffd1d4bc264f8ca94e5f128100e9e8a1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: libceph-check-authorizer-reply-challenge-length-before-reading.patch libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
---
diff --git a/queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch b/queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch
new file mode 100644
index 00000000000..313d74e1502
--- /dev/null
+++ b/queue-4.14/libceph-check-authorizer-reply-challenge-length-before-reading.patch
@@ -0,0 +1,36 @@
+From 130f52f2b203aa0aec179341916ffb2e905f3afd Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Fri, 27 Jul 2018 19:40:30 +0200
+Subject: libceph: check authorizer reply/challenge length before reading
+
+From: Ilya Dryomov
+
+commit 130f52f2b203aa0aec179341916ffb2e905f3afd upstream.
+
+Avoid scribbling over memory if the received reply/challenge is larger
+than the buffer supplied with the authorizer.
+
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Sage Weil
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/messenger.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1754,6 +1754,13 @@ static int read_partial_connect(struct c
+
+ if (con->auth) {
+ size = le32_to_cpu(con->in_reply.authorizer_len);
++ if (size > con->auth->authorizer_reply_buf_len) {
++ pr_err("authorizer reply too big: %d > %zu\n", size,
++ con->auth->authorizer_reply_buf_len);
++ ret = -EINVAL;
++ goto out;
++ }
++
+ end += size;
+ ret = read_partial(con, end, size,
+ con->auth->authorizer_reply_buf);
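Review bot: The new bound check in read_partial_connect() compares `size`, which the `%d` in the message suggests is a signed int, against the `size_t` field `authorizer_reply_buf_len`, so it is correct only because the usual arithmetic conversions turn a negative `size` into a very large unsigned value. `authorizer_len` is a 32-bit field taken from the peer's reply, so a value above INT_MAX would be rejected but logged as a negative number. A comment on the check such as `/* size is peer-controlled; a negative value converts to a huge size_t and is rejected here */` would make that reliance explicit, or the message could print the raw field with `%u`. The declaration of `size` and the `out` label are outside the hunk, so the signedness is inferred from the format string only.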
diff --git a/queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch b/queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
new file mode 100644
index 00000000000..8c6b2ad679d
--- /dev/null
+++ b/queue-4.14/libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
@@ -0,0 +1,34 @@
+From f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Fri, 27 Jul 2018 19:45:36 +0200
+Subject: libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
+
+From: Ilya Dryomov
+
+commit f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f upstream.
+
+Allow for extending ceph_x_authorize_reply in the future.
+
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Sage Weil
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/auth_x.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/auth_x.c
++++ b/net/ceph/auth_x.c
+@@ -737,8 +737,10 @@ static int ceph_x_verify_authorizer_repl
+ ret = ceph_x_decrypt(&au->session_key, &p, p + CEPHX_AU_ENC_BUF_LEN);
+ if (ret < 0)
+ return ret;
+- if (ret != sizeof(*reply))
+- return -EPERM;
++ if (ret < sizeof(*reply)) {
++ pr_err("bad size %d for ceph_x_authorize_reply\n", ret);
++ return -EINVAL;
++ }
+
+ if (au->nonce + 1 != le64_to_cpu(reply->nonce_plus_one))
+ ret = -EPERM;
diff --git a/queue-4.14/series b/queue-4.14/series
index 375a102ef9c..1921576abb2 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -144,3 +144,5 @@ mm-use-swp_offset-as-key-in-shmem_replace_page.patch
 drivers-hv-vmbus-check-the-creation_status-in-vmbus_establish_gpadl.patch
 misc-mic-scif-fix-copy-paste-error-in-scif_create_remote_lookup.patch
 binder-fix-race-that-allows-malicious-free-of-live-buffer.patch
+libceph-weaken-sizeof-check-in-ceph_x_verify_authorizer_reply.patch
+libceph-check-authorizer-reply-challenge-length-before-reading.patch
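Review bot: In the net/ceph/auth_x.c hunk, the relaxed test `ret < sizeof(*reply)` compares a signed `ret` with a `size_t`, so it is evaluated as unsigned and is safe only because `if (ret < 0) return ret;` directly above has already filtered out negative values. A short comment on the new check, for example `/* ret >= 0 here; longer replies are accepted so the struct can be extended */`, would record both that ordering dependency and the reason the exact-size test was dropped. Decrypted bytes beyond `sizeof(*reply)` are now accepted without inspection, which appears intentional from the commit message but is worth stating next to the check. The body of ceph_x_verify_authorizer_reply() starts and ends outside the hunk.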