From d8269c9f2f30f2268804f2b9f1f61ee50fc8f41c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Nov 2017 17:57:34 +0100
Subject: [PATCH] 4.9-stable patches
added patches:
crypto-dh-fix-double-free-of-ctx-p.patch
crypto-dh-fix-memleak-in-setkey.patch
ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
serial-omap-fix-efr-write-on-rts-deassertion.patch
---
 .../crypto-dh-fix-double-free-of-ctx-p.patch | 171 ++++++++++++++++++
 .../crypto-dh-fix-memleak-in-setkey.patch | 34 ++++
 ...praisal-status-is-not-integrity_pass.patch | 46 +++++
 ...ing-base_port-with-activated-superio.patch | 38 ++++
 ...map-fix-efr-write-on-rts-deassertion.patch | 34 ++++
 queue-4.9/series | 5 +
 6 files changed, 328 insertions(+)
 create mode 100644 queue-4.9/crypto-dh-fix-double-free-of-ctx-p.patch
 create mode 100644 queue-4.9/crypto-dh-fix-memleak-in-setkey.patch
 create mode 100644 queue-4.9/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
 create mode 100644 queue-4.9/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
 create mode 100644 queue-4.9/serial-omap-fix-efr-write-on-rts-deassertion.patch
diff --git a/queue-4.9/crypto-dh-fix-double-free-of-ctx-p.patch b/queue-4.9/crypto-dh-fix-double-free-of-ctx-p.patch
new file mode 100644
index 00000000000..42e38af4706
--- /dev/null
+++ b/queue-4.9/crypto-dh-fix-double-free-of-ctx-p.patch
@@ -0,0 +1,171 @@
+From 12d41a023efb01b846457ccdbbcbe2b65a87d530 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Sun, 5 Nov 2017 18:30:44 -0800
+Subject: crypto: dh - Fix double free of ctx->p
+
+From: Eric Biggers
+
+commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.
+
+When setting the secret with the software Diffie-Hellman implementation,
+if allocating 'g' failed (e.g. if it was longer than
+MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
+once later when the crypto_kpp tfm was destroyed.
+
+Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
+paths, as that correctly sets the pointers to NULL.
+
+KASAN report:
+
+ MPI: mpi too large (32760 bits)
+ ==================================================================
+ BUG: KASAN: use-after-free in mpi_free+0x131/0x170
+ Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
+
+ CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ dump_stack+0xb3/0x10b
+ ? mpi_free+0x131/0x170
+ print_address_description+0x79/0x2a0
+ ? mpi_free+0x131/0x170
+ kasan_report+0x236/0x340
+ ? akcipher_register_instance+0x90/0x90
+ __asan_report_load4_noabort+0x14/0x20
+ mpi_free+0x131/0x170
+ ? akcipher_register_instance+0x90/0x90
+ dh_exit_tfm+0x3d/0x140
+ crypto_kpp_exit_tfm+0x52/0x70
+ crypto_destroy_tfm+0xb3/0x250
+ __keyctl_dh_compute+0x640/0xe90
+ ? kasan_slab_free+0x12f/0x180
+ ? dh_data_from_key+0x240/0x240
+ ? key_create_or_update+0x1ee/0xb20
+ ? key_instantiate_and_link+0x440/0x440
+ ? lock_contended+0xee0/0xee0
+ ? kfree+0xcf/0x210
+ ? SyS_add_key+0x268/0x340
+ keyctl_dh_compute+0xb3/0xf1
+ ? __keyctl_dh_compute+0xe90/0xe90
+ ? SyS_add_key+0x26d/0x340
+ ? entry_SYSCALL_64_fastpath+0x5/0xbe
+ ? trace_hardirqs_on_caller+0x3f4/0x560
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x43ccf9
+ RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
+ RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
+ RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
+ RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
+ R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
+
+ Allocated by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_kmalloc+0xeb/0x180
+ kmem_cache_alloc_trace+0x114/0x300
+ mpi_alloc+0x4b/0x230
+ mpi_read_raw_data+0xbe/0x360
+ dh_set_secret+0x1dc/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+ Freed by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_slab_free+0xab/0x180
+ kfree+0xb5/0x210
+ mpi_free+0xcb/0x170
+ dh_set_secret+0x2d7/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
+Signed-off-by: Eric Biggers
+Reviewed-by: Tudor Ambarus
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/dh.c | 33 +++++++++++++--------------------
+ 1 file changed, 13 insertions(+), 20 deletions(-)
+
+--- a/crypto/dh.c
++++ b/crypto/dh.c
+@@ -21,19 +21,12 @@ struct dh_ctx {
+ MPI xa;
+ };
+
+-static inline void dh_clear_params(struct dh_ctx *ctx)
++static void dh_clear_ctx(struct dh_ctx *ctx)
+ {
+ mpi_free(ctx->p);
+ mpi_free(ctx->g);
+- ctx->p = NULL;
+- ctx->g = NULL;
+-}
+-
+-static void dh_free_ctx(struct dh_ctx *ctx)
+-{
+- dh_clear_params(ctx);
+ mpi_free(ctx->xa);
+- ctx->xa = NULL;
++ memset(ctx, 0, sizeof(*ctx));
+ }
+
+ /*
+@@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx *
+ return -EINVAL;
+
+ ctx->g = mpi_read_raw_data(params->g, params->g_size);
+- if (!ctx->g) {
+- mpi_free(ctx->p);
++ if (!ctx->g)
+ return -EINVAL;
+- }
+
+ return 0;
+ }
+@@ -85,21 +76,23 @@ static int dh_set_secret(struct crypto_k
+ struct dh params;
+
+ /* Free the old MPI key if any */
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+
+ if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ if (dh_set_params(ctx, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ ctx->xa = mpi_read_raw_data(params.key, params.key_size);
+- if (!ctx->xa) {
+- dh_clear_params(ctx);
+- return -EINVAL;
+- }
++ if (!ctx->xa)
++ goto err_clear_ctx;
+
+ return 0;
++
++err_clear_ctx:
++ dh_clear_ctx(ctx);
++ return -EINVAL;
+ }
+
+ static int dh_compute_value(struct kpp_request *req)
+@@ -157,7 +150,7 @@ static void dh_exit_tfm(struct crypto_kp
+ {
+ struct dh_ctx *ctx = dh_get_ctx(tfm);
+
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+ }
+
+ static struct kpp_alg dh = {
diff --git a/queue-4.9/crypto-dh-fix-memleak-in-setkey.patch b/queue-4.9/crypto-dh-fix-memleak-in-setkey.patch
new file mode 100644
index 00000000000..cb1d295b2fe
--- /dev/null
+++ b/queue-4.9/crypto-dh-fix-memleak-in-setkey.patch
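Review bot: In the `@@ -71,10 +64,8 @@` hunk dh_set_params() now leaves ctx->p allocated when mpi_read_raw_data() for g fails and relies on its caller reaching dh_set_secret()'s err_clear_ctx label, but nothing in the patch records that contract; a comment above dh_set_params(), e.g. `/* On failure ctx may still hold p; the caller must run dh_clear_ctx(). */`, would keep a future caller from reintroducing either the leak or the double free. The comment `/* Free the old MPI key if any */` in dh_set_secret() now precedes dh_clear_ctx(), which also drops p and g and zeroes the whole struct, so `/* Drop any previous parameters and key before installing new ones */` describes it better (the same comment is introduced by crypto-dh-fix-memleak-in-setkey.patch below). The `¶ms` in the crypto_dh_decode_key() and dh_set_params() calls reads as an extraction artifact of `&params` rather than part of the patch. The opening lines of dh_set_params() and dh_set_secret() are outside the hunks.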
@@ -0,0 +1,34 @@
+From ee34e2644a78e2561742bea8c4bdcf83cabf90a7 Mon Sep 17 00:00:00 2001
+From: Tudor-Dan Ambarus
+Date: Thu, 25 May 2017 10:18:07 +0300
+Subject: crypto: dh - fix memleak in setkey
+
+From: Tudor-Dan Ambarus
+
+commit ee34e2644a78e2561742bea8c4bdcf83cabf90a7 upstream.
+
+setkey can be called multiple times during the existence
+of the transformation object. In case of multiple setkey calls,
+the old key was not freed and we leaked memory.
+Free the old MPI key if any.
+
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/dh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/dh.c
++++ b/crypto/dh.c
+@@ -84,6 +84,9 @@ static int dh_set_secret(struct crypto_k
+ struct dh_ctx *ctx = dh_get_ctx(tfm);
+ struct dh params;
+
++ /* Free the old MPI key if any */
++ dh_free_ctx(ctx);
++
+ if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
+ return -EINVAL;
+
diff --git a/queue-4.9/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch b/queue-4.9/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
new file mode 100644
index 00000000000..e55943ad14a
--- /dev/null
+++ b/queue-4.9/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
@@ -0,0 +1,46 @@
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu
+Signed-off-by: Mimi Zohar
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_appraise.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -303,6 +303,9 @@ void ima_update_xattr(struct integrity_i
+ if (iint->flags & IMA_DIGSIG)
+ return;
+
++ if (iint->ima_file_status != INTEGRITY_PASS)
++ return;
++
+ rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
+ if (rc < 0)
+ return;
diff --git a/queue-4.9/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch b/queue-4.9/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
new file mode 100644
index 00000000000..1ed22784fa2
--- /dev/null
+++ b/queue-4.9/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
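Review bot: The new `if (iint->ima_file_status != INTEGRITY_PASS) return;` in ima_update_xattr() is the security-relevant line of this backport, yet it carries no comment saying why a non-passing appraisal must not refresh security.ima; the reasoning lives only in the commit message. A comment above the check such as `/* Never write a fresh hash for a file whose appraisal did not pass: the open may have been denied and a good xattr would let the next access through. */` would keep the check from being reordered or dropped in a later cleanup. Whether files that were never appraised (status still at its initial value) should also skip the update is not visible in this hunk and is worth confirming against the fix-mode path. ima_update_xattr()'s opening lines are outside the hunk.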
@@ -0,0 +1,38 @@
+From fd97e66c5529046e989a0879c3bb58fddb592c71 Mon Sep 17 00:00:00 2001
+From: "Ji-Ze Hong (Peter Hong)"
+Date: Tue, 17 Oct 2017 14:23:08 +0800
+Subject: serial: 8250_fintek: Fix finding base_port with activated SuperIO
+
+From: Ji-Ze Hong (Peter Hong)
+
+commit fd97e66c5529046e989a0879c3bb58fddb592c71 upstream.
+
+The SuperIO will be configured at boot time by BIOS, but some BIOS
+will not deactivate the SuperIO when the end of configuration. It'll
+lead to mismatch for pdata->base_port in probe_setup_port(). So we'll
+deactivate all SuperIO before activate special base_port in
+fintek_8250_enter_key().
+
+Tested on iBASE MI802.
+
+Tested-by: Ji-Ze Hong (Peter Hong)
+Signed-off-by: Ji-Ze Hong (Peter Hong)
+Reviewd-by: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_fintek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -54,6 +54,9 @@ static int fintek_8250_enter_key(u16 bas
+ if (!request_muxed_region(base_port, 2, "8250_fintek"))
+ return -EBUSY;
+
++ /* Force to deactive all SuperIO in this base_port */
++ outb(EXIT_KEY, base_port + ADDR_PORT);
++
+ outb(key, base_port + ADDR_PORT);
+ outb(key, base_port + ADDR_PORT);
+ return 0;
diff --git a/queue-4.9/serial-omap-fix-efr-write-on-rts-deassertion.patch b/queue-4.9/serial-omap-fix-efr-write-on-rts-deassertion.patch
new file mode 100644
index 00000000000..0c9fba9bb10
--- /dev/null
+++ b/queue-4.9/serial-omap-fix-efr-write-on-rts-deassertion.patch
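Review bot: The comment on the added `outb(EXIT_KEY, base_port + ADDR_PORT);` in fintek_8250_enter_key() says "deactive" and does not record the BIOS assumption the commit message gives, so a reader of the driver alone cannot tell why an exit key is written before the entry key sequence. Replace it with `/* Some BIOSes leave the SuperIO in configuration mode; send EXIT_KEY first so the key sequence below starts from a deactivated state. */`. The function's opening lines are outside the hunk; the request_muxed_region() call is its first visible statement.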
@@ -0,0 +1,34 @@
+From 2a71de2f7366fb1aec632116d0549ec56d6a3940 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sat, 21 Oct 2017 10:50:18 +0200
+Subject: serial: omap: Fix EFR write on RTS deassertion
+
+From: Lukas Wunner
+
+commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream.
+
+Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable
+auto RTS upon manual RTS assertion and disable it on deassertion.
+However it seems the latter was done incorrectly, it clears all bits in
+the Extended Features Register *except* auto RTS.
+
+Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling")
+Cc: Peter Hurley
+Signed-off-by: Lukas Wunner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/omap-serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/omap-serial.c
++++ b/drivers/tty/serial/omap-serial.c
+@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct
+ if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS))
+ up->efr |= UART_EFR_RTS;
+ else
+- up->efr &= UART_EFR_RTS;
++ up->efr &= ~UART_EFR_RTS;
+ serial_out(up, UART_EFR, up->efr);
+ serial_out(up, UART_LCR, lcr);
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 94c3cc455d6..ad9421168c0 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,8 @@ af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
 sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
 fealnx-fix-building-error-on-mips.patch
 net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
+crypto-dh-fix-memleak-in-setkey.patch
+crypto-dh-fix-double-free-of-ctx-p.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
+serial-omap-fix-efr-write-on-rts-deassertion.patch
+serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
--
2.47.3