From: Greg Kroah-Hartman Date: Sun, 24 Feb 2019 13:22:59 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.9.161~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=72ac0542cc078ebc5e859a79c174d9c5514e7276;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: keys-always-initialize-keyring_index_key-desc_len.patch keys-user-align-the-payload-buffer.patch
---
diff --git a/queue-3.18/isdn-avm-fix-string-plus-integer-warning-from-clang.patch b/queue-3.18/isdn-avm-fix-string-plus-integer-warning-from-clang.patch
index af15275970b..d1112abaccc 100644
--- a/queue-3.18/isdn-avm-fix-string-plus-integer-warning-from-clang.patch
+++ b/queue-3.18/isdn-avm-fix-string-plus-integer-warning-from-clang.patch
@@ -27,14 +27,12 @@ Signed-off-by: Nathan Chancellor
 Signed-off-by: David S. Miller
 Signed-off-by: Sasha Levin
 ---
- drivers/isdn/hardware/avm/b1.c | 2 +-
+ drivers/isdn/hardware/avm/b1.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
-index 4d9b195547c5c..df2a10157720a 100644
 --- a/drivers/isdn/hardware/avm/b1.c
 +++ b/drivers/isdn/hardware/avm/b1.c
-@@ -423,7 +423,7 @@ void b1_parse_version(avmctrl_info *cinfo)
+@@ -423,7 +423,7 @@ void b1_parse_version(avmctrl_info *cinf
  int i, j;
 
  for (j = 0; j < AVM_MAXVERSION; j++)
@@ -43,6 +41,3 @@ index 4d9b195547c5c..df2a10157720a 100644
 
  for (i = 0, j = 0; j < AVM_MAXVERSION && i < cinfo->versionlen;
  j++, i += cinfo->versionbuf[i] + 1)
--- 
-2.19.1
-
diff --git a/queue-3.18/keys-always-initialize-keyring_index_key-desc_len.patch b/queue-3.18/keys-always-initialize-keyring_index_key-desc_len.patch
new file mode 100644
index 00000000000..7524c3446eb
--- /dev/null
+++ b/queue-3.18/keys-always-initialize-keyring_index_key-desc_len.patch
@@ -0,0 +1,105 @@
+From ede0fa98a900e657d1fcd80b50920efc896c1a4c Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Fri, 22 Feb 2019 15:36:18 +0000
+Subject: KEYS: always initialize keyring_index_key::desc_len
+
+From: Eric Biggers
+
+commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream.
+
+syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
+called from construct_alloc_key() during sys_request_key(), because the
+length of the key description was never calculated.
+
+The problem is that we rely on ->desc_len being initialized by
+search_process_keyrings(), specifically by search_nested_keyrings().
+But, if the process isn't subscribed to any keyrings that never happens.
+
+Fix it by always initializing keyring_index_key::desc_len as soon as the
+description is set, like we already do in some places.
+
+The following program reproduces the BUG_ON() when it's run as root and
+no session keyring has been installed. If it doesn't work, try removing
+pam_keyinit.so from /etc/pam.d/login and rebooting.
+
+ #include
+ #include
+ #include
+
+ int main(void)
+ {
+ int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
+
+ keyctl_setperm(id, KEY_OTH_WRITE);
+ setreuid(5000, 5000);
+ request_key("user", "desc", "", id);
+ }
+
+Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Cc: stable@vger.kernel.org
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyring.c | 4 +---
+ security/keys/proc.c | 3 +--
+ security/keys/request_key.c | 1 +
+ security/keys/request_key_auth.c | 2 +-
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -628,9 +628,6 @@ static bool search_nested_keyrings(struc
+ BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
+ (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
+
+- if (ctx->index_key.description)
+- ctx->index_key.desc_len = strlen(ctx->index_key.description);
+-
+ /* Check to see if this top-level keyring is what we are looking for
+ * and whether it is valid or not.
+ */
+@@ -888,6 +885,7 @@ key_ref_t keyring_search(key_ref_t keyri
+ struct keyring_search_context ctx = {
+ .index_key.type = type,
+ .index_key.description = description,
++ .index_key.desc_len = strlen(description),
+ .cred = current_cred(),
+ .match_data.cmp = key_default_cmp,
+ .match_data.raw_data = description,
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -191,8 +191,7 @@ static int proc_keys_show(struct seq_fil
+ int rc;
+
+ struct keyring_search_context ctx = {
+- .index_key.type = key->type,
+- .index_key.description = key->description,
++ .index_key = key->index_key,
+ .cred = current_cred(),
+ .match_data.cmp = lookup_user_key_possessed,
+ .match_data.raw_data = key,
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -544,6 +544,7 @@ struct key *request_key_and_link(struct
+ struct keyring_search_context ctx = {
+ .index_key.type = type,
+ .index_key.description = description,
++ .index_key.desc_len = strlen(description),
+ .cred = current_cred(),
+ .match_data.cmp = key_default_cmp,
+ .match_data.raw_data = description,
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -254,7 +254,7 @@ struct key *key_get_instantiation_authke
+ struct key *authkey;
+ key_ref_t authkey_ref;
+
+- sprintf(description, "%x", target_id);
++ ctx.index_key.desc_len = sprintf(description, "%x", target_id);
+
+ authkey_ref = search_process_keyrings(&ctx);
+
diff --git a/queue-3.18/keys-user-align-the-payload-buffer.patch b/queue-3.18/keys-user-align-the-payload-buffer.patch
new file mode 100644
index 00000000000..1c8b1437b90
--- /dev/null
+++ b/queue-3.18/keys-user-align-the-payload-buffer.patch
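Review bot: Dropping the lazy `desc_len = strlen(description)` from search_nested_keyrings() in the keyring.c hunk means every 3.18 site that fills `ctx.index_key.description` by hand must now also fill `desc_len`, because the fallback that used to repair a missing value is gone; the four hunks here mirror the upstream commit, so it is worth grepping the 3.18 tree for any other `keyring_search_context` initialiser that upstream no longer has before queuing, otherwise such a caller would now reach the same `BUG_ON(index_key->desc_len == 0)` the patch is meant to remove. In the request_key_auth.c hunk, `ctx.index_key.desc_len = sprintf(description, "%x", target_id);` stores the `int` return of sprintf unchecked; that is fine only if `description` is the fixed-size stack buffer it is upstream (confirm in 3.18), and a one-line comment such as `/* "%x" of target_id always fits the buffer; sprintf cannot fail here */` would make the unchecked assignment visibly intentional. The enclosing functions of each inner hunk begin and end outside the quoted context.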
@@ -0,0 +1,43 @@
+From cc1780fc42c76c705dd07ea123f1143dc5057630 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 20 Feb 2019 13:32:11 +0000
+Subject: KEYS: user: Align the payload buffer
+
+From: Eric Biggers
+
+commit cc1780fc42c76c705dd07ea123f1143dc5057630 upstream.
+
+Align the payload of "user" and "logon" keys so that users of the
+keyrings service can access it as a struct that requires more than
+2-byte alignment. fscrypt currently does this which results in the read
+of fscrypt_key::size being misaligned as it needs 4-byte alignment.
+
+Align to __alignof__(u64) rather than __alignof__(long) since in the
+future it's conceivable that people would use structs beginning with
+u64, which on some platforms would require more than 'long' alignment.
+
+Reported-by: Aaro Koskinen
+Fixes: 2aa349f6e37c ("[PATCH] Keys: Export user-defined keyring operations")
+Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Tested-by: Aaro Koskinen
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/keys/user-type.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/keys/user-type.h
++++ b/include/keys/user-type.h
+@@ -29,7 +29,7 @@
+ struct user_key_payload {
+ struct rcu_head rcu; /* RCU destructor */
+ unsigned short datalen; /* length of this data */
+- char data[0]; /* actual data */
++ char data[0] __aligned(__alignof__(u64)); /* actual data */
+ };
+
+ extern struct key_type key_type_user;
diff --git a/queue-3.18/series b/queue-3.18/series
index fb8fa6d5342..f1271173916 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
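Review bot: The `__aligned(__alignof__(u64))` added to `data[0]` in the user-type.h hunk changes the layout of `struct user_key_payload` (with a two-pointer `rcu_head` and a 2-byte `datalen`, `data` presumably moves from offset 18 to 24 on 64-bit), so any 3.18 consumer that sizes or locates the payload with a hand-computed offset rather than `sizeof(*upayload) + datalen` would now under-allocate or over-read; confirming that user_defined.c and the other in-tree readers of `user_key_payload` only go through `sizeof` and `->data` is the backport check this needs. The hunk also introduces `__aligned` and `u64` into a header that previously used neither, so the 3.18 include/keys/user-type.h must already pull in their definitions (via its existing includes) for the header to stay self-contained. A comment on the member, `/* aligned so callers can overlay u64-first structs (e.g. fscrypt_key) */`, would record why the alignment is stronger than `long`.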
@@ -15,3 +15,5 @@ isdn-i4l-isdn_tty-fix-some-concurrency-double-free-b.patch
 atm-he-fix-sign-extension-overflow-on-large-shift.patch
 leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch
 isdn-avm-fix-string-plus-integer-warning-from-clang.patch
+keys-user-align-the-payload-buffer.patch
+keys-always-initialize-keyring_index_key-desc_len.patch