From 04f8b4d21a67f80215d3b7b18309e137f80cdd1e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 17 Oct 2015 14:45:18 -0700
Subject: [PATCH] 3.14-stable patches
added patches:
cifs-use-server-timestamp-for-ntlmv2-authentication.patch
mtd-pxa3xx_nand-add-a-default-chunk-size.patch
regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
security-fix-typo-in-security_task_prctl.patch
---
 ...-timestamp-for-ntlmv2-authentication.patch | 123 ++++++++++++++++++
 ...pxa3xx_nand-add-a-default-chunk-size.patch | 41 ++++++
 ...printing-when-calculating-max-length.patch | 35 +++++
 ...underflow-when-printing-access-masks.patch | 34 +++++
 ...rity-fix-typo-in-security_task_prctl.patch | 29 +++++
 queue-3.14/series | 5 +
 6 files changed, 267 insertions(+)
 create mode 100644 queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch
 create mode 100644 queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch
 create mode 100644 queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
 create mode 100644 queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
 create mode 100644 queue-3.14/security-fix-typo-in-security_task_prctl.patch
diff --git a/queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch b/queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch
new file mode 100644
index 00000000000..bb2bedbb964
--- /dev/null
+++ b/queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch
@@ -0,0 +1,123 @@
+From 98ce94c8df762d413b3ecb849e2b966b21606d04 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer
+Date: Thu, 17 Sep 2015 21:40:12 +0200
+Subject: cifs: use server timestamp for ntlmv2 authentication
+
+From: Peter Seiderer
+
+commit 98ce94c8df762d413b3ecb849e2b966b21606d04 upstream.
+
+Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
+10.10.5) share fails in case the clocks differ more than +/-2h:
+
+digest-service: digest-request: od failed with 2 proto=ntlmv2
+digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2
+
+Fix this by (re-)using the given server timestamp for the
+ntlmv2 authentication (as Windows 7 does).
+
+A related problem was also reported earlier by Namjae Jaen (see below):
+
+Windows machine has extended security feature which refuse to allow
+authentication when there is time difference between server time and
+client time when ntlmv2 negotiation is used. This problem is prevalent
+in embedded enviornment where system time is set to default 1970.
+
+Modern servers send the server timestamp in the TargetInfo Av_Pair
+structure in the challenge message [see MS-NLMP 2.2.2.1]
+In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must
+use the server provided timestamp if present OR current time if it is
+not
+
+Reported-by: Namjae Jeon
+Signed-off-by: Peter Seiderer
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifsencrypt.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 51 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -441,6 +441,48 @@ find_domain_name(struct cifs_ses *ses, c
+ return 0;
+ }
+ 
++/* Server has provided av pairs/target info in the type 2 challenge
++ * packet and we have plucked it and stored within smb session.
++ * We parse that blob here to find the server given timestamp
++ * as part of ntlmv2 authentication (or local current time as
++ * default in case of failure)
++ */
++static __le64
++find_timestamp(struct cifs_ses *ses)
++{
++ unsigned int attrsize;
++ unsigned int type;
++ unsigned int onesize = sizeof(struct ntlmssp2_name);
++ unsigned char *blobptr;
++ unsigned char *blobend;
++ struct ntlmssp2_name *attrptr;
++
++ if (!ses->auth_key.len || !ses->auth_key.response)
++ return 0;
++
++ blobptr = ses->auth_key.response;
++ blobend = blobptr + ses->auth_key.len;
++
++ while (blobptr + onesize < blobend) {
++ attrptr = (struct ntlmssp2_name *) blobptr;
++ type = le16_to_cpu(attrptr->type);
++ if (type == NTLMSSP_AV_EOL)
++ break;
++ blobptr += 2; /* advance attr type */
++ attrsize = le16_to_cpu(attrptr->length);
++ blobptr += 2; /* advance attr size */
++ if (blobptr + attrsize > blobend)
++ break;
++ if (type == NTLMSSP_AV_TIMESTAMP) {
++ if (attrsize == sizeof(u64))
++ return *((__le64 *)blobptr);
++ }
++ blobptr += attrsize; /* advance attr value */
++ }
++
++ return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
++}
++
+ static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash,
+ const struct nls_table *nls_cp)
+ {
+@@ -637,6 +679,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ struct ntlmv2_resp *ntlmv2;
+ char ntlmv2_hash[16];
+ unsigned char *tiblob = NULL; /* target info blob */
++ __le64 rsp_timestamp;
+ 
+ if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) {
+ if (!ses->domainName) {
+@@ -655,6 +698,12 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ }
+ }
+ 
++ /* Must be within 5 minutes of the server (or in range +/-2h
++ * in case of Mac OS X), so simply carry over server timestamp
++ * (as Windows 7 does)
++ */
++ rsp_timestamp = find_timestamp(ses);
++
+ baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp);
+ tilen = ses->auth_key.len;
+ tiblob = ses->auth_key.response;
+@@ -671,8 +720,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ 
(ses->auth_key.response + CIFS_SESS_KEY_SIZE);
+ ntlmv2->blob_signature = cpu_to_le32(0x00000101);
+ ntlmv2->reserved = 0;
+- /* Must be within 5 minutes of the server */
+- ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
++ ntlmv2->time = rsp_timestamp;
++
+ get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal));
+ ntlmv2->reserved2 = 0;
+ 
diff --git a/queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch b/queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch
new file mode 100644
index 00000000000..accbeece55e
--- /dev/null
+++ b/queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch
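Review bot: In the queued cifsencrypt.c change, the early exit of find_timestamp() returns 0 when ses->auth_key is empty, although the function's own comment promises the local current time on failure, so that path would put an all-zero timestamp into ntlmv2->time; `return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));` there would match both the comment and the fallback at the end of the function. The load `return *((__le64 *)blobptr);` reads at an offset inside the AV-pair blob that nothing visible here shows to be 8-byte aligned, so `return get_unaligned((__le64 *)blobptr);` would be the safer form if the blob can be unaligned. The value is taken from the server's challenge and copied into the response without any range check, which looks intentional per the commit message; a one-line comment at the `rsp_timestamp = find_timestamp(ses);` call saying that the timestamp is server-supplied would make that trust decision explicit. setup_ntlmv2_rsp() starts and ends outside the hunks shown.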
@@ -0,0 +1,41 @@
+From bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20T=C3=A9nart?=
+Date: Tue, 18 Aug 2015 10:59:10 +0200
+Subject: mtd: pxa3xx_nand: add a default chunk size
+
+From: =?UTF-8?q?Antoine=20T=C3=A9nart?=
+
+commit bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 upstream.
+
+When keeping the configuration set by the bootloader (by using
+the marvell,nand-keep-config property), the pxa3xx_nand_detect_config()
+function is called and set the chunk size to 512 as a default value if
+NDCR_PAGE_SZ is not set.
+
+In the other case, when not keeping the bootloader configuration, no
+chunk size is set. Fix this by adding a default chunk size of 512.
+
+Fixes: 70ed85232a93 ("mtd: nand: pxa3xx: Introduce multiple page I/O
+support")
+
+Signed-off-by: Antoine Tenart
+Acked-by: Robert Jarzmik
+Signed-off-by: Brian Norris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/pxa3xx_nand.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/nand/pxa3xx_nand.c
++++ b/drivers/mtd/nand/pxa3xx_nand.c
+@@ -1463,6 +1463,9 @@ static int pxa3xx_nand_scan(struct mtd_i
+ if (pdata->keep_config && !pxa3xx_nand_detect_config(info))
+ goto KEEP_CONFIG;
+ 
++ /* Set a default chunk size */
++ info->chunk_size = 512;
++
+ ret = pxa3xx_nand_sensing(info);
+ if (ret) {
+ dev_info(&info->pdev->dev, "There is no chip on cs %d!\n",
diff --git a/queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch b/queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
new file mode 100644
index 00000000000..7bbb89bf9fa
--- /dev/null
+++ b/queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
@@ -0,0 +1,35 @@
+From 176fc2d5770a0990eebff903ba680d2edd32e718 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Sat, 19 Sep 2015 07:12:34 -0700
+Subject: regmap: debugfs: Don't bother actually printing when calculating max length
+
+From: Mark Brown
+
+commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream.
+
+The in kernel snprintf() will conveniently return the actual length of
+the printed string even if not given an output beffer at all so just do
+that rather than relying on the user to pass in a suitable buffer,
+ensuring that we don't need to worry if the buffer was truncated due to
+the size of the buffer passed in.
+
+Reported-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -32,8 +32,7 @@ static DEFINE_MUTEX(regmap_debugfs_early
+ /* Calculate the length of a fixed format */
+ static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
+ {
+- snprintf(buf, buf_size, "%x", max_val);
+- return strlen(buf);
++ return snprintf(NULL, 0, "%x", max_val);
+ }
+ 
+ static ssize_t regmap_name_read_file(struct file *file,
diff --git a/queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch b/queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
new file mode 100644
index 00000000000..95a6905b1af
--- /dev/null
+++ b/queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
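Review bot: After the queued change regmap_calc_reg_len() no longer reads or writes `buf` or `buf_size`, yet both stay in the signature, so callers still look as if they must supply a scratch buffer of adequate size. Either drop the two parameters in a follow-up, or extend the existing comment above the function, for example `/* Calculate the length of a fixed format; buf and buf_size are unused */`. The callers are outside the hunk, so whether any of them allocates a buffer only for this call cannot be seen here.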
@@ -0,0 +1,34 @@
+From b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Sat, 19 Sep 2015 07:00:18 -0700
+Subject: regmap: debugfs: Ensure we don't underflow when printing access masks
+
+From: Mark Brown
+
+commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream.
+
+If a read is attempted which is smaller than the line length then we may
+underflow the subtraction we're doing with the unsigned size_t type so
+move some of the calculation to be additions on the right hand side
+instead in order to avoid this.
+
+Reported-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -432,7 +432,7 @@ static ssize_t regmap_access_read_file(s
+ /* If we're in the region the user is trying to read */
+ if (p >= *ppos) {
+ /* ...but not beyond it */
+- if (buf_pos >= count - 1 - tot_len)
++ if (buf_pos + tot_len + 1 >= count)
+ break;
+ 
+ /* Format the register */
diff --git a/queue-3.14/security-fix-typo-in-security_task_prctl.patch b/queue-3.14/security-fix-typo-in-security_task_prctl.patch
new file mode 100644
index 00000000000..c00692d8dac
--- /dev/null
+++ b/queue-3.14/security-fix-typo-in-security_task_prctl.patch
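Review bot: The rewritten bound `if (buf_pos + tot_len + 1 >= count)` has no comment saying why it is spelled with additions, and the reason is only in the commit message: the old `count - 1 - tot_len` wraps to a very large size_t when the requested read is shorter than one line, which presumably let the loop go on formatting beyond the caller's buffer. A short comment above the test, such as `/* additions only: count - 1 - tot_len would wrap for short reads */`, would keep the check from being rewritten back into the subtraction form. regmap_access_read_file() starts and ends outside the hunk, so whether other size checks in it use the same subtraction is not visible here.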
@@ -0,0 +1,29 @@
+From b7f76ea2ef6739ee484a165ffbac98deb855d3d3 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Sep 2015 23:41:23 +0200
+Subject: security: fix typo in security_task_prctl
+
+From: Jann Horn
+
+commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 upstream.
+
+Signed-off-by: Jann Horn
+Reviewed-by: Andy Lutomirski
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/security.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2452,7 +2452,7 @@ static inline int security_task_prctl(in
+ unsigned long arg4,
+ unsigned long arg5)
+ {
+- return cap_task_prctl(option, arg2, arg3, arg3, arg5);
++ return cap_task_prctl(option, arg2, arg3, arg4, arg5);
+ }
+ 
+ static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
diff --git a/queue-3.14/series b/queue-3.14/series
index 657ee78b087..17df10c3195 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -49,3 +49,8 @@ usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
 initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
 ipvs-do-not-use-random-local-source-address-for-tunnels.patch
 ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
+cifs-use-server-timestamp-for-ntlmv2-authentication.patch
+mtd-pxa3xx_nand-add-a-default-chunk-size.patch
+regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
+regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
+security-fix-typo-in-security_task_prctl.patch
--
2.47.3