From 105795d6952d48dd837d127dc15c3baaf99ef503 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 18 Dec 2017 13:10:09 +0100
Subject: [PATCH] 3.18-stable patches
added patches:
don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
mac80211-fix-addition-of-mesh-configuration-element.patch
---
...t_key-tries-to-use-a-revoked-keyring.patch | 37 ++++++++++++++++++
...quest_key-to-construct-a-new-keyring.patch | 38 +++++++++++++++++++
...dition-of-mesh-configuration-element.patch | 38 +++++++++++++++++++
queue-3.18/series | 3 ++
4 files changed, 116 insertions(+)
create mode 100644 queue-3.18/don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
create mode 100644 queue-3.18/keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
create mode 100644 queue-3.18/mac80211-fix-addition-of-mesh-configuration-element.patch
diff --git a/queue-3.18/don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch b/queue-3.18/don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
new file mode 100644
index 00000000000..dfd1d8ba6e0
--- /dev/null
+++ b/queue-3.18/don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
@@ -0,0 +1,37 @@
+From d0709f1e66e8066c4ac6a54620ec116aa41937c0 Mon Sep 17 00:00:00 2001
+From: David Jeffery
+Date: Thu, 12 Feb 2015 16:45:31 +0000
+Subject: Don't leak a key reference if request_key() tries to use a revoked keyring
+
+From: David Jeffery
+
+commit d0709f1e66e8066c4ac6a54620ec116aa41937c0 upstream.
+
+If a request_key() call to allocate and fill out a key attempts to insert the
+key structure into a revoked keyring, the key will leak, using memory and part
+of the user's key quota until the system reboots. This is from a failure of
+construct_alloc_key() to decrement the key's reference count after the attempt
+to insert into the requested keyring is rejected.
+
+key_put() needs to be called in the link_prealloc_failed callpath to ensure
+the unused key is released.
+
+Signed-off-by: David Jeffery
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/request_key.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -437,6 +437,7 @@ link_check_failed:
+
+ link_prealloc_failed:
+ mutex_unlock(&user->cons_lock);
++ key_put(key);
+ kleave(" = %d [prelink]", ret);
+ return ret;
+
diff --git a/queue-3.18/keys-don-t-permit-request_key-to-construct-a-new-keyring.patch b/queue-3.18/keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
new file mode 100644
index 00000000000..594873ea9b7
--- /dev/null
+++ b/queue-3.18/keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
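Review bot: In security/keys/request_key.c the added `key_put(key);` under `link_prealloc_failed:` carries no comment saying which reference it drops, so the reason lives only in the commit message. A one-line comment such as `/* key was never linked into the keyring: drop our reference so the key and its quota charge are released */` would keep that next to the code. The label belongs to a function whose body starts above the hunk, so whether the other failure labels release the key the same way cannot be checked from here; that is worth confirming, since the description says a leaked key holds memory and user quota until reboot.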
@@ -0,0 +1,38 @@
+From 911b79cde95c7da0ec02f48105358a36636b7a71 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 19 Oct 2015 11:20:28 +0100
+Subject: KEYS: Don't permit request_key() to construct a new keyring
+
+From: David Howells
+
+commit 911b79cde95c7da0ec02f48105358a36636b7a71 upstream.
+
+If request_key() is used to find a keyring, only do the search part - don't
+do the construction part if the keyring was not found by the search. We
+don't really want keyrings in the negative instantiated state since the
+rejected/negative instantiation error value in the payload is unioned with
+keyring metadata.
+
+Now the kernel gives an error:
+
+ request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+
+Signed-off-by: David Howells
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/request_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -467,6 +467,9 @@ static struct key *construct_key_and_lin
+ if (ret)
+ goto error;
+
++ if (ctx->index_key.type == &key_type_keyring)
++ return ERR_PTR(-EPERM);
++
+ user = key_user_lookup(current_fsuid());
+ if (!user) {
+ ret = -ENOMEM;
diff --git a/queue-3.18/mac80211-fix-addition-of-mesh-configuration-element.patch b/queue-3.18/mac80211-fix-addition-of-mesh-configuration-element.patch
new file mode 100644
index 00000000000..f36abe50b26
--- /dev/null
+++ b/queue-3.18/mac80211-fix-addition-of-mesh-configuration-element.patch
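Review bot: The added `return ERR_PTR(-EPERM);` in construct_key_and_link() (security/keys/request_key.c) leaves the function directly, while the code on both sides of it unwinds through `ret`: `if (ret) goto error;` just above, and `ret = -ENOMEM;` in the `!user` branch just below. The statement that sets `ret` is above the hunk, so this cannot be confirmed from here, but if that call acquires something (presumably a reference on the destination keyring), the early return would leak it on every rejected request, the same class of reference leak the other request_key.c patch in this commit fixes. Either move the two added lines ahead of that call so nothing needs unwinding, or use `ret = -EPERM;` followed by a `goto` to whichever label releases what is held at this point. The function body starts and ends outside the hunk.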
@@ -0,0 +1,38 @@
+From 57629915d568c522ac1422df7bba4bee5b5c7a7c Mon Sep 17 00:00:00 2001
+From: Ilan peer
+Date: Mon, 26 Dec 2016 18:17:36 +0200
+Subject: mac80211: Fix addition of mesh configuration element
+
+From: Ilan peer
+
+commit 57629915d568c522ac1422df7bba4bee5b5c7a7c upstream.
+
+The code was setting the capabilities byte to zero,
+after it was already properly set previously. Fix it.
+
+The bug was found while debugging hwsim mesh tests failures
+that happened since the commit mentioned below.
+
+Fixes: 76f43b4c0a93 ("mac80211: Remove invalid flag operations in mesh TSF synchronization")
+Signed-off-by: Ilan Peer
+Reviewed-by: Masashi Honma
+Signed-off-by: Johannes Berg
+Cc: Richard Schütz
+Cc: Mathias Kretschmer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mesh.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -289,8 +289,6 @@ int mesh_add_meshconf_ie(struct ieee8021
+ /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */
+ *pos |= ifmsh->ps_peers_deep_sleep ?
+ IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00;
+- *pos++ = 0x00;
+-
+ return 0;
+ }
+
diff --git a/queue-3.18/series b/queue-3.18/series
index afdef71cf8a..2c07df85b2e 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -6,3 +6,6 @@ usb-core-prevent-malicious-bnuminterfaces-overflow.patch
 usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch
 xhci-don-t-add-a-virt_dev-to-the-devs-array-before-it-s-fully-allocated.patch
 ext4-fix-crash-when-a-directory-s-i_size-is-too-small.patch
+don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
+keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
+mac80211-fix-addition-of-mesh-configuration-element.patch
--
2.47.3