From: Greg Kroah-Hartman Date: Thu, 21 Feb 2019 12:36:09 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.136~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=852c1e78a0a94018a291e09d5e3f802b63d1fd83;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch --- diff --git a/queue-4.14/series b/queue-4.14/series index 4dbca409516..1002db3714f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -17,3 +17,4 @@ net-add-header-for-usage-of-fls64.patch tcp-tcp_v4_err-should-be-more-careful.patch net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch +sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch diff --git a/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch b/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch new file mode 100644 index 00000000000..f60300228f0 --- /dev/null +++ b/queue-4.14/sunrpc-fix-4-more-call-sites-that-were-using-stack-memory-with-a-scatterlist.patch @@ -0,0 +1,167 @@ +From e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Fri, 15 Feb 2019 13:42:02 -0500 +Subject: sunrpc: fix 4 more call sites that were using stack memory with a scatterlist + +From: Scott Mayhew + +commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b upstream. + +While trying to reproduce a reported kernel panic on arm64, I discovered +that AUTH_GSS basically doesn't work at all with older enctypes on arm64 +systems with CONFIG_VMAP_STACK enabled. It turns out there still a few +places using stack memory with scatterlists, causing krb5_encrypt() and +krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG +is enabled). + +Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using +des3-cbc-sha1 and arcfour-hmac-md5. + +Signed-off-by: Scott Mayhew +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/gss_krb5_seqnum.c | 49 ++++++++++++++++++++++++++-------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c ++++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c +@@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + unsigned char *cksum, unsigned char *buf) + { + struct crypto_skcipher *cipher; +- unsigned char plain[8]; ++ unsigned char *plain; + s32 code; + + dprintk("RPC: %s:\n", __func__); +@@ -53,6 +53,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; ++ + plain[0] = (unsigned char) ((seqnum >> 24) & 0xff); + plain[1] = (unsigned char) ((seqnum >> 16) & 0xff); + plain[2] = (unsigned char) ((seqnum >> 8) & 0xff); +@@ -69,6 +73,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *k + code = krb5_encrypt(cipher, cksum, plain, buf, 8); + out: + crypto_free_skcipher(cipher); ++ kfree(plain); + return code; + } + s32 +@@ -78,12 +83,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx, + u32 seqnum, + unsigned char *cksum, unsigned char *buf) + { +- unsigned char plain[8]; ++ unsigned char *plain; ++ s32 code; + + if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) + return krb5_make_rc4_seq_num(kctx, direction, seqnum, + cksum, buf); + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; ++ + plain[0] = (unsigned char) (seqnum & 0xff); + plain[1] = (unsigned char) ((seqnum >> 8) & 0xff); + plain[2] = (unsigned char) ((seqnum >> 16) & 0xff); +@@ -94,7 +104,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx, + plain[6] = direction; + plain[7] = direction; + +- return krb5_encrypt(key, cksum, plain, buf, 8); ++ code = krb5_encrypt(key, cksum, plain, buf, 8); ++ kfree(plain); ++ return code; + } + + static s32 +@@ -102,7 +114,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc + unsigned char *buf, int *direction, s32 *seqnum) + { + struct crypto_skcipher *cipher; +- unsigned char plain[8]; ++ unsigned char *plain; + s32 code; + + dprintk("RPC: %s:\n", __func__); +@@ -115,20 +127,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kc + if (code) + goto out; + ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) { ++ code = -ENOMEM; ++ goto out; ++ } ++ + code = krb5_decrypt(cipher, cksum, buf, plain, 8); + if (code) +- goto out; ++ goto out_plain; + + if ((plain[4] != plain[5]) || (plain[4] != plain[6]) + || (plain[4] != plain[7])) { + code = (s32)KG_BAD_SEQ; +- goto out; ++ goto out_plain; + } + + *direction = plain[4]; + + *seqnum = ((plain[0] << 24) | (plain[1] << 16) | + (plain[2] << 8) | (plain[3])); ++out_plain: ++ kfree(plain); + out: + crypto_free_skcipher(cipher); + return code; +@@ -141,26 +161,33 @@ krb5_get_seq_num(struct krb5_ctx *kctx, + int *direction, u32 *seqnum) + { + s32 code; +- unsigned char plain[8]; + struct crypto_skcipher *key = kctx->seq; ++ unsigned char *plain; + + dprintk("RPC: krb5_get_seq_num:\n"); + + if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) + return krb5_get_rc4_seq_num(kctx, cksum, buf, + direction, seqnum); ++ plain = kmalloc(8, GFP_NOFS); ++ if (!plain) ++ return -ENOMEM; + + if ((code = krb5_decrypt(key, cksum, buf, plain, 8))) +- return code; ++ goto out; + + if ((plain[4] != plain[5]) || (plain[4] != plain[6]) || +- (plain[4] != plain[7])) +- return (s32)KG_BAD_SEQ; ++ (plain[4] != plain[7])) { ++ code = (s32)KG_BAD_SEQ; ++ goto out; ++ } + + *direction = plain[4]; + + *seqnum = ((plain[0]) | + (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24)); + +- return 0; ++out: ++ kfree(plain); ++ return code; + }