From: Greg Kroah-Hartman
Date: Tue, 31 Oct 2017 08:34:22 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.79~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4d4f10cb90aa88647d4e2a5e0d3101a22f86b16;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
ecryptfs-fix-dereference-of-null-user_key_payload.patch
---
diff --git a/queue-3.18/ecryptfs-fix-dereference-of-null-user_key_payload.patch b/queue-3.18/ecryptfs-fix-dereference-of-null-user_key_payload.patch
new file mode 100644
index 00000000000..65181ffe8cd
--- /dev/null
+++ b/queue-3.18/ecryptfs-fix-dereference-of-null-user_key_payload.patch
@@ -0,0 +1,107 @@
+From f66665c09ab489a11ca490d6a82df57cfc1bea3e Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 9 Oct 2017 12:51:27 -0700
+Subject: ecryptfs: fix dereference of NULL user_key_payload
+
+From: Eric Biggers
+
+commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
+
+In eCryptfs, we failed to verify that the authentication token keys are
+not revoked before dereferencing their payloads, which is problematic
+because the payload of a revoked key is NULL. request_key() *does* skip
+revoked keys, but there is still a window where the key can be revoked
+before we acquire the key semaphore.
+
+Fix it by updating ecryptfs_get_key_payload_data() to return
+-EKEYREVOKED if the key payload is NULL. For completeness we check this
+for "encrypted" keys as well as "user" keys, although encrypted keys
+cannot be revoked currently.
+
+Alternatively we could use key_validate(), but since we'll also need to
+fix ecryptfs_get_key_payload_data() to validate the payload length, it
+seems appropriate to just check the payload pointer.
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Reviewed-by: James Morris
+Cc: Michael Halcrow
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ fs/ecryptfs/ecryptfs_kernel.h | 25 +++++++++++++++++--------
+ fs/ecryptfs/keystore.c | 9 ++++++++-
+ 2 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/fs/ecryptfs/ecryptfs_kernel.h
++++ b/fs/ecryptfs/ecryptfs_kernel.h
+@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
+ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_encrypted_key_payload_data(struct key *key)
+ {
+- if (key->type == &key_type_encrypted)
+- return (struct ecryptfs_auth_tok *)
+- (&((struct encrypted_key_payload *)key->payload.data)->payload_data);
+- else
++ struct encrypted_key_payload *payload;
++
++ if (key->type != &key_type_encrypted)
+ return NULL;
++
++ payload = key->payload.data;
++ if (!payload)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)payload->payload_data;
+ }
+
+ static inline struct key *ecryptfs_get_encrypted_key(char *sig)
+@@ -114,13 +119,17 @@ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_key_payload_data(struct key *key)
+ {
+ struct ecryptfs_auth_tok *auth_tok;
++ struct user_key_payload *ukp;
+
+ auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
+- if (!auth_tok)
+- return (struct ecryptfs_auth_tok *)
+- (((struct user_key_payload *)key->payload.data)->data);
+- else
++ if (auth_tok)
+ return auth_tok;
++
++ ukp = key->payload.data;
++ if (!ukp)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)ukp->data;
+ }
+
+ #define ECRYPTFS_MAX_KEYSET_SIZE 1024
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -458,7 +458,8 @@ out:
+ * @auth_tok_key: key containing the authentication token
+ * @auth_tok: authentication token
+ *
+- * Returns zero on valid auth tok; -EINVAL otherwise
++ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
++ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
+ */
+ static int
+ ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
+@@ -467,6 +468,12 @@ ecryptfs_verify_auth_tok_from_key(struct
+ int rc = 0;
+
+ (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
++ if (IS_ERR(*auth_tok)) {
++ rc = PTR_ERR(*auth_tok);
++ *auth_tok = NULL;
++ goto out;
++ }
++
+ if (ecryptfs_verify_version((*auth_tok)->version)) {
+ printk(KERN_ERR "Data structure version mismatch. Userspace "
+ "tools must match eCryptfs kernel module with major "
diff --git a/queue-3.18/series b/queue-3.18/series
index d23dd01c769..f9447edcd07 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -8,3 +8,4 @@ assoc_array-fix-a-buggy-node-splitting-case.patch
 scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch
 scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch
 can-kvaser_usb-correct-return-value-in-printout.patch
+ecryptfs-fix-dereference-of-null-user_key_payload.patch
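Review bot: The new "user" key path in ecryptfs_get_key_payload_data() still casts `ukp->data` to `struct ecryptfs_auth_tok *` without checking that the payload is at least that large, so a short user key reaches `(*auth_tok)->version` in ecryptfs_verify_auth_tok_from_key() and reads past the end of the payload; the commit message itself notes this length validation is deferred. If the 3.18 `struct user_key_payload` carries its length the way mainline's does (`datalen` — confirm), the check belongs right after the NULL test: `if (ukp->datalen < sizeof(struct ecryptfs_auth_tok)) return ERR_PTR(-EINVAL);`, with the encrypted-key helper doing the equivalent against its own payload length. Any other caller of ecryptfs_get_key_payload_data() is outside this hunk and would now also need an IS_ERR() check, since the helper can return an error pointer for the first time. ecryptfs_verify_auth_tok_from_key() starts and ends outside the hunk, so whether the key semaphore is held by the caller at this point is not visible here.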