From: Greg Kroah-Hartman Date: Mon, 2 Oct 2017 11:06:25 +0000 (+0200) Subject: fix up queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch X-Git-Tag: v3.18.73~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=674ef26861e882333c20faecee999d308ca6b36f;p=thirdparty%2Fkernel%2Fstable-queue.git fix up queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch --- diff --git a/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch b/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch index dd96fe5f58d..9d7e7442996 100644 --- a/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch +++ b/queue-4.9/security-keys-rewrite-all-of-big_key-crypto.patch @@ -1,9 +1,12 @@ -From 428490e38b2e352812e0b765d8bceafab0ec441d Mon Sep 17 00:00:00 2001 +From Jason@zx2c4.com Mon Oct 2 13:04:30 2017 From: "Jason A. Donenfeld" -Date: Wed, 20 Sep 2017 16:58:39 +0200 +Date: Mon, 2 Oct 2017 12:52:56 +0200 Subject: security/keys: rewrite all of big_key crypto +To: stable@vger.kernel.org +Cc: "Jason A. Donenfeld" +Message-ID: <20171002105256.23071-1-Jason@zx2c4.com> -From: Jason A. Donenfeld +From: "Jason A. Donenfeld" commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream. @@ -39,6 +42,12 @@ So, to summarize, this commit fixes the following vulnerabilities: * Key re-use. * Faulty memory zeroing. +[Note that in backporting this commit to 4.9, get_random_bytes_wait was +replaced with get_random_bytes, since 4.9 does not have the former +function. This might result in slightly worse entropy in key generation, +but common use cases of big_keys makes that likely not a huge deal. And, +this is the best we can do with this old kernel. Alas.] + Signed-off-by: Jason A. Donenfeld Reviewed-by: Eric Biggers Signed-off-by: David Howells @@ -46,11 +55,12 @@ Cc: Herbert Xu Cc: Kirill Marinushkin Cc: security@kernel.org Signed-off-by: Greg Kroah-Hartman - --- +The current patch in queue-4.9 is broken. This is a better backport. + security/keys/Kconfig | 4 - security/keys/big_key.c | 124 ++++++++++++++++++++++-------------------------- - 2 files changed, 59 insertions(+), 69 deletions(-) + 2 files changed, 58 insertions(+), 70 deletions(-) --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -209,16 +219,15 @@ Signed-off-by: Greg Kroah-Hartman /* generate random key */ enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL); -@@ -162,13 +171,12 @@ int big_key_preparse(struct key_preparse +@@ -162,13 +171,10 @@ int big_key_preparse(struct key_preparse ret = -ENOMEM; goto error; } - - ret = big_key_gen_enckey(enckey); - if (ret) -+ ret = get_random_bytes_wait(enckey, ENC_KEY_SIZE); -+ if (unlikely(ret)) - goto err_enckey; +- goto err_enckey; ++ get_random_bytes(enckey, ENC_KEY_SIZE); /* encrypt aligned data */ - ret = big_key_crypt(BIG_KEY_ENC, data, enclen, enckey); @@ -226,7 +235,7 @@ Signed-off-by: Greg Kroah-Hartman if (ret) goto err_enckey; -@@ -294,7 +302,7 @@ long big_key_read(const struct key *key, +@@ -294,7 +300,7 @@ long big_key_read(const struct key *key, struct file *file; u8 *data; u8 *enckey = (u8 *)key->payload.data[big_key_data]; @@ -235,7 +244,7 @@ Signed-off-by: Greg Kroah-Hartman data = kmalloc(enclen, GFP_KERNEL); if (!data) -@@ -342,47 +350,31 @@ error: +@@ -342,47 +348,31 @@ error: */ static int __init big_key_init(void) {