From: Greg Kroah-Hartman Date: Thu, 30 Jul 2015 19:53:12 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.1.4~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b94c1a060987d6ddba752459ac93fcf5e206a74d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: evm-labeling-pseudo-filesystems-exception.patch ima-fix-ima_show_template_data_ascii.patch keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
---
diff --git a/queue-3.14/evm-labeling-pseudo-filesystems-exception.patch b/queue-3.14/evm-labeling-pseudo-filesystems-exception.patch
new file mode 100644
index 00000000000..3fedc669c6d
--- /dev/null
+++ b/queue-3.14/evm-labeling-pseudo-filesystems-exception.patch
@@ -0,0 +1,44 @@
+From 5101a1850bb7ccbf107929dee9af0cd2f400940f Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Tue, 21 Apr 2015 13:59:31 -0400
+Subject: evm: labeling pseudo filesystems exception
+
+From: Mimi Zohar
+
+commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.
+
+To prevent offline stripping of existing file xattrs and relabeling of
+them at runtime, EVM allows only newly created files to be labeled. As
+pseudo filesystems are not persistent, stripping of xattrs is not a
+concern.
+
+Some LSMs defer file labeling on pseudo filesystems. This patch
+permits the labeling of existing files on pseudo files systems.
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/evm/evm_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -275,6 +275,17 @@ static int evm_protect_xattr(struct dent
+ iint = integrity_iint_find(dentry->d_inode);
+ if (iint && (iint->flags & IMA_NEW_FILE))
+ return 0;
++
++ /* exception for pseudo filesystems */
++ if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
++ || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
++ return 0;
++
++ integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
++ dentry->d_inode, dentry->d_name.name,
++ "update_metadata",
++ integrity_status_msg[evm_status],
++ -EPERM, 0);
+ }
+ out:
+ if (evm_status != INTEGRITY_PASS)
diff --git a/queue-3.14/ima-fix-ima_show_template_data_ascii.patch b/queue-3.14/ima-fix-ima_show_template_data_ascii.patch
new file mode 100644
index 00000000000..b0694e9edd0
--- /dev/null
+++ b/queue-3.14/ima-fix-ima_show_template_data_ascii.patch
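Review bot: The `/* exception for pseudo filesystems */` comment added in evm_protect_xattr() does not record why bypassing the new-file-only labeling rule is acceptable, and tmpfs in particular commonly holds content that ordinary users can write. I would expand it to something like `/* tmpfs and sysfs are not persistent, so offline xattr stripping is not a concern; LSMs may label existing files here */` so the trust assumption stays next to the check. The added integrity_audit_msg() call also falls through to the `out:` label, whose `evm_status != INTEGRITY_PASS` branch continues outside the hunk; if that branch emits an audit record too, a single denial would be logged twice, which is worth confirming. The enclosing conditional starts before the hunk.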
@@ -0,0 +1,62 @@
+From 45b26133b97871896b8c5241d59f4ff7839db7b2 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Thu, 11 Jun 2015 11:54:42 -0400
+Subject: ima: fix ima_show_template_data_ascii()
+
+From: Mimi Zohar
+
+commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream.
+
+This patch fixes a bug introduced in "4d7aeee ima: define new template
+ima-ng and template fields d-ng and n-ng".
+
+Changelog:
+- change int to uint32 (Roberto Sassu's suggestion)
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Roberto Sassu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima.h | 2 +-
+ security/integrity/ima/ima_fs.c | 4 ++--
+ security/integrity/ima/ima_template_lib.c | 3 ++-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -106,7 +106,7 @@ void ima_add_violation(struct file *file
+ const char *op, const char *cause);
+ int ima_init_crypto(void);
+ void ima_putc(struct seq_file *m, void *data, int datalen);
+-void ima_print_digest(struct seq_file *m, u8 *digest, int size);
++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
+ struct ima_template_desc *ima_template_desc_current(void);
+ int ima_init_template(void);
+
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -186,9 +186,9 @@ static const struct file_operations ima_
+ .release = seq_release,
+ };
+
+-void ima_print_digest(struct seq_file *m, u8 *digest, int size)
++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size)
+ {
+- int i;
++ u32 i;
+
+ for (i = 0; i < size; i++)
+ seq_printf(m, "%02x", *(digest + i));
+--- a/security/integrity/ima/ima_template_lib.c
++++ b/security/integrity/ima/ima_template_lib.c
+@@ -79,7 +79,8 @@ static void ima_show_template_data_ascii
+ enum data_formats datafmt,
+ struct ima_field_data *field_data)
+ {
+- u8 *buf_ptr = field_data->data, buflen = field_data->len;
++ u8 *buf_ptr = field_data->data;
++ u32 buflen = field_data->len;
+
+ switch (datafmt) {
+ case DATA_FMT_DIGEST_WITH_ALGO:
diff --git a/queue-3.14/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch b/queue-3.14/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
new file mode 100644
index 00000000000..b7360001a3c
--- /dev/null
+++ b/queue-3.14/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
@@ -0,0 +1,47 @@
+From ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Mon, 27 Jul 2015 15:23:43 +0100
+Subject: KEYS: ensure we free the assoc array edit if edit is valid
+
+From: Colin Ian King
+
+commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.
+
+__key_link_end is not freeing the associated array edit structure
+and this leads to a 512 byte memory leak each time an identical
+existing key is added with add_key().
+
+The reason the add_key() system call returns okay is that
+key_create_or_update() calls __key_link_begin() before checking to see
+whether it can update a key directly rather than adding/replacing - which
+it turns out it can. Thus __key_link() is not called through
+__key_instantiate_and_link() and __key_link_end() must cancel the edit.
+
+CVE-2015-1333
+
+Signed-off-by: Colin Ian King
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1151,9 +1151,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
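Review bot: In the ima.h section `ima_putc()` keeps `int datalen` while the prototype just below it becomes `u32 size`, so the two output helpers now disagree on the type of a byte count. If a caller outside these hunks passes `field_data->len` to `ima_putc()`, the length is converted to a signed int; aligning the prototype as `void ima_putc(struct seq_file *m, void *data, u32 datalen);`, together with its definition (not shown), would remove that mismatch. The changelog also never states the symptom: judging from the removed declarator, `buflen` was declared `u8`, so a field length above 255 was truncated before use, and a short comment such as `/* must be wide enough for field_data->len; a u8 local truncated it */` above `u32 buflen` would guard against a regression. The body of ima_show_template_data_ascii() continues past the end of the hunk.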
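Review bot: Nothing in the new `if (edit)` block of __key_link_end() says why `assoc_array_cancel_edit()` must now run even when `edit->dead_leaf` is set, although that is the entire CVE-2015-1333 fix. A comment above the block, for example `/* edit is still set when __key_link() was never reached: drop the quota reservation unless the leaf was dead, and always free the edit */` (wording taken from the commit message), would keep a later cleanup from folding the two conditions back together. The return value of `key_payload_reserve()` is discarded, as it already was before this change; that is presumably safe because the reservation only shrinks here, but a brief remark would make the intent explicit. The function starts before the hunk and continues after it.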
diff --git a/queue-3.14/series b/queue-3.14/series
index 851edbe6067..b7a914d231c 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -79,3 +79,6 @@ drm-radeon-add-a-dpm-quirk-for-sapphire-radeon-r9-270x-2gb-gddr5.patch
 drm-add-a-check-for-x-y-in-drm_mode_setcrtc.patch
 xfs-fix-remote-symlinks-on-v5-crc-filesystems.patch
 vtpm-set-virtual-device-before-passing-to-ibmvtpm_reset_crq.patch
+keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
+ima-fix-ima_show_template_data_ascii.patch
+evm-labeling-pseudo-filesystems-exception.patch