From: Greg Kroah-Hartman Date: Thu, 10 Dec 2015 18:01:50 +0000 (-0500) Subject: 4.3-stable patches X-Git-Tag: v4.3.2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=61d69c3a8710d06aedd956f85aec2a1f8aabbe91;p=thirdparty%2Fkernel%2Fstable-queue.git 4.3-stable patches added patches: crypto-asymmetric_keys-remove-always-false-comparison.patch x.509-fix-the-time-validation.patch
---
diff --git a/queue-4.3/crypto-asymmetric_keys-remove-always-false-comparison.patch b/queue-4.3/crypto-asymmetric_keys-remove-always-false-comparison.patch
new file mode 100644
index 00000000000..f48857ef574
--- /dev/null
+++ b/queue-4.3/crypto-asymmetric_keys-remove-always-false-comparison.patch
@@ -0,0 +1,34 @@
+From 4dd17c9c8a30c8d8cd1c9d4b94f08aca4b038d3e Mon Sep 17 00:00:00 2001
+From: sudip
+Date: Thu, 17 Sep 2015 13:12:51 +0530
+Subject: crypto: asymmetric_keys - remove always false comparison
+
+From: sudip
+
+commit 4dd17c9c8a30c8d8cd1c9d4b94f08aca4b038d3e upstream.
+
+hour, min and sec are unsigned int and they can never be less than zero.
+
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -546,9 +546,9 @@ int x509_decode_time(time64_t *_t, size
+ if (year < 1970 ||
+ mon < 1 || mon > 12 ||
+ day < 1 || day > mon_len ||
+- hour < 0 || hour > 23 ||
+- min < 0 || min > 59 ||
+- sec < 0 || sec > 59)
++ hour > 23 ||
++ min > 59 ||
++ sec > 59)
+ goto invalid_time;
+
+ *_t = mktime64(year, mon, day, hour, min, sec);
diff --git a/queue-4.3/x.509-fix-the-time-validation.patch b/queue-4.3/x.509-fix-the-time-validation.patch
new file mode 100644
index 00000000000..e6677d6c582
--- /dev/null
+++ b/queue-4.3/x.509-fix-the-time-validation.patch
@@ -0,0 +1,87 @@
+From cc25b994acfbc901429da682d0f73c190e960206 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 12 Nov 2015 09:36:40 +0000
+Subject: X.509: Fix the time validation [ver #2]
+
+From: David Howells
+
+commit cc25b994acfbc901429da682d0f73c190e960206 upstream.
+
+This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
+
+Fix the X.509 time validation to use month number-1 when looking up the
+number of days in that month. Also put the month number validation before
+doing the lookup so as not to risk overrunning the array.
+
+This can be tested by doing the following:
+
+cat <
+Signed-off-by: David Howells
+Tested-by: Mimi Zohar
+Acked-by: David Woodhouse
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t, size
+ if (*p != 'Z')
+ goto unsupported_time;
+
+- mon_len = month_lengths[mon];
++ if (year < 1970 ||
++ mon < 1 || mon > 12)
++ goto invalid_time;
++
++ mon_len = month_lengths[mon - 1];
+ if (mon == 2) {
+ if (year % 4 == 0) {
+ mon_len = 29;
+@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t, size
+ }
+ }
+
+- if (year < 1970 ||
+- mon < 1 || mon > 12 ||
+- day < 1 || day > mon_len ||
++ if (day < 1 || day > mon_len ||
+ hour > 23 ||
+ min > 59 ||
+ sec > 59)
+ goto invalid_time;
+-
++
+ *_t = mktime64(year, mon, day, hour, min, sec);
+ return 0;
+
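Review bot: In the first inner hunk (`@@ -531,7 +531,11 @@`), the guard that now protects `month_lengths[mon - 1]` hard-codes the upper bound 12, and the table's declaration is outside the hunk, so nothing visible ties the check to the array's actual length. Because `mon` is decoded from certificate data, I would state the invariant at the lookup, e.g. `/* mon is 1..12 here; month_lengths[] is 0-based */`, and, if the operand types allow it, write the bound as `mon > ARRAY_SIZE(month_lengths)` instead of the literal. The test recipe in the commit message appears cut off after `cat <` in this copy of the patch, so the reproducer should be taken from the upstream commit when verifying the backport. The last inner hunk also swaps one blank line for another (`+-` / `++`), which looks like a whitespace-only change that may leave trailing whitespace on the new line. `x509_decode_time` begins and ends outside both inner hunks.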