From 9b5ac8914f462baebf3db3515f7625c4e22d1e6f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 26 Feb 2018 20:46:56 +0100
Subject: [PATCH] 4.9-stable patches added patches: x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
---
 ...-outermost-socket-lock-in-getsockopt.patch | 1 +
 queue-4.9/series | 1 +
 ...restricting-key-with-unsupported_sig.patch | 62 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
diff --git a/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch b/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch
index e6d3e31d6d8..eb6b0642089 100644
--- a/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch
+++ b/queue-4.9/netfilter-drop-outermost-socket-lock-in-getsockopt.patch
@@ -42,6 +42,7 @@ Reported-by: syzbot+ddde1c7b7ff7442d7f2d@syzkaller.appspotmail.com
 Suggested-by: Florian Westphal
 Signed-off-by: Paolo Abeni
 Signed-off-by: Pablo Neira Ayuso
+Tested-by: Krzysztof Piotr Oledzki
 Signed-off-by: Greg Kroah-Hartman
 ---
diff --git a/queue-4.9/series b/queue-4.9/series
index 32455d7c67b..ec070f0961f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -25,3 +25,4 @@ drm-amdgpu-add-atpx-quirk-handling-v2.patch
 drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
 drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
 binder-add-missing-binder_unlock.patch
+x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
diff --git a/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch b/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
new file mode 100644
index 00000000000..6e055a6a23d
--- /dev/null
+++ b/queue-4.9/x.509-fix-null-dereference-when-restricting-key-with-unsupported_sig.patch
@@ -0,0 +1,62 @@
+From ebiggers3@gmail.com Mon Feb 26 20:46:24 2018
+From: Eric Biggers
+Date: Mon, 26 Feb 2018 10:17:15 -0800
+Subject: X.509: fix NULL dereference when restricting key with unsupported_sig
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: keyrings@vger.kernel.org, Eric Biggers , David Howells
+Message-ID: <20180226181715.194965-1-ebiggers3@gmail.com>
+
+
+From: Eric Biggers
+
+commit 4b34968e77ad09628cfb3c4a7daf2adc2cefc6e8 upstream.
+
+The asymmetric key type allows an X.509 certificate to be added even if
+its signature's hash algorithm is not available in the crypto API. In
+that case 'payload.data[asym_auth]' will be NULL. But the key
+restriction code failed to check for this case before trying to use the
+signature, resulting in a NULL pointer dereference in
+key_or_keyring_common() or in restrict_link_by_signature().
+
+Fix this by returning -ENOPKG when the signature is unsupported.
+
+Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and
+keyctl has support for the 'restrict_keyring' command:
+
+ keyctl new_session
+ keyctl restrict_keyring @s asymmetric builtin_trusted
+ openssl req -new -sha512 -x509 -batch -nodes -outform der \
+ | keyctl padd asymmetric desc @s
+
+Fixes: a511e1af8b12 ("KEYS: Move the point of trust determination to __key_link()")
+Cc: # v4.7+
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/asymmetric_keys/restrict.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/crypto/asymmetric_keys/restrict.c
++++ b/crypto/asymmetric_keys/restrict.c
+@@ -66,8 +66,9 @@ __setup("ca_keys=", ca_keys_setup);
+ *
+ * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
+ * matching parent certificate in the trusted list, -EKEYREJECTED if the
+- * signature check fails or the key is blacklisted and some other error if
+- * there is a matching certificate but the signature check cannot be performed.
++ * signature check fails or the key is blacklisted, -ENOPKG if the signature
++ * uses unsupported crypto, or some other error if there is a matching
++ * certificate but the signature check cannot be performed.
+ */
+ int restrict_link_by_signature(struct key *trust_keyring,
+ const struct key_type *type,
+@@ -86,6 +87,8 @@ int restrict_link_by_signature(struct ke
+ return -EOPNOTSUPP;
+
+ sig = payload->data[asym_auth];
++ if (!sig)
++ return -ENOPKG;
+ if (!sig->auth_ids[0] && !sig->auth_ids[1])
+ return -ENOKEY;
+
-- 2.47.3
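Review bot: The queued description names key_or_keyring_common() as a second place where a NULL `payload->data[asym_auth]` is dereferenced, but the inner diffstat and both inner hunks touch only restrict_link_by_signature() in crypto/asymmetric_keys/restrict.c. This page does not show whether key_or_keyring_common() exists in the 4.9 tree. If it does not, a one-line backport note below the upstream-commit line would tell stable reviewers the narrower scope is intentional, for example `[4.9: key_or_keyring_common() is not present; only restrict_link_by_signature() needs the check]`. If it does exist, it still needs the same `if (!sig) return -ENOPKG;` guard before its first use of the signature. The body of restrict_link_by_signature() continues past the second inner hunk, so later uses of `sig` cannot be checked from here.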