author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 12:27:57 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-29 13:08:46 +0200 |
commit | 9898ed1ef252beccf252d05154be55d20cb0dd8c (patch) | |
tree | f5fb9adc71bb152686cf7362b7c94639175f6dd2 | |
parent | 3b0e97b92f7e66158b7a5ac9461d0705d04f8b3a (diff) | |
download | meta-enea-bsp-arm-9898ed1ef252beccf252d05154be55d20cb0dd8c.tar.gz |
linux-cavium: CVE-2016-10154
smbencrypt() points a scatterlist to the stack causing DoS
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10154
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch | 100 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 7 |
2 files changed, 104 insertions, 3 deletions
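--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
@@ -0,0 +1,100 @@
+From 7aa58e7ad53bd9536aa49a18ccd0778c728bf57d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 12 Dec 2016 12:54:37 -0800
+Subject: [PATCH] cifs: Fix smbencrypt() to stop pointing a scatterlist at the
+stack
+
+commit 06deeec77a5a689cc94b21a8a91a76e42176685d upstream.
+
+smbencrypt() points a scatterlist to the stack, which is breaks if
+CONFIG_VMAP_STACK=y.
+
+Fix it by switching to crypto_cipher_encrypt_one(). The new code
+should be considerably faster as an added benefit.
+
+This code is nearly identical to some code that Eric Biggers
+suggested.
+
+CVE: CVE-2016-10154
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Acked-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/cifs/smbencrypt.c | 40 ++++++++--------------------------------
+1 file changed, 8 insertions(+), 32 deletions(-)
+
+diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c
+index 699b786..c12bffe 100644
+--- a/fs/cifs/smbencrypt.c
++++ b/fs/cifs/smbencrypt.c
+@@ -23,7 +23,7 @@
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+-#include <crypto/skcipher.h>
++#include <linux/crypto.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+@@ -69,46 +69,22 @@
+static int
+smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
+{
+- int rc;
+unsigned char key2[8];
+- struct crypto_skcipher *tfm_des;
+- struct scatterlist sgin, sgout;
+- struct skcipher_request *req;
++ struct crypto_cipher *tfm_des;
+
+str_to_key(key, key2);
+
+- tfm_des = crypto_alloc_skcipher("ecb(des)", 0, CRYPTO_ALG_ASYNC);
++ tfm_des = crypto_alloc_cipher("des", 0, 0);
+if (IS_ERR(tfm_des)) {
+- rc = PTR_ERR(tfm_des);
+- cifs_dbg(VFS, "could not allocate des crypto API\n");
+- goto smbhash_err;
+- }
+-
+- req = skcipher_request_alloc(tfm_des, GFP_KERNEL);
+- if (!req) {
+- rc = -ENOMEM;
+cifs_dbg(VFS, "could not allocate des crypto API\n");
+- goto smbhash_free_skcipher;
++ return PTR_ERR(tfm_des);
+}
+
+- crypto_skcipher_setkey(tfm_des, key2, 8);
+-
+- sg_init_one(&sgin, in, 8);
+- sg_init_one(&sgout, out, 8);
++ crypto_cipher_setkey(tfm_des, key2, 8);
++ crypto_cipher_encrypt_one(tfm_des, out, in);
++ crypto_free_cipher(tfm_des);
+
+- skcipher_request_set_callback(req, 0, NULL, NULL);
+- skcipher_request_set_crypt(req, &sgin, &sgout, 8, NULL);
+-
+- rc = crypto_skcipher_encrypt(req);
+- if (rc)
+- cifs_dbg(VFS, "could not encrypt crypt key rc: %d\n", rc);
+-
+- skcipher_request_free(req);
+-
+-smbhash_free_skcipher:
+- crypto_free_skcipher(tfm_des);
+-smbhash_err:
+- return rc;
++ return 0;
+}
+
+static int
+--
+1.9.1
+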
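Review bot: In the new smbhash() body the result of `crypto_cipher_setkey(tfm_des, key2, 8);` is discarded and the function then returns 0 unconditionally, so a failed key setup would be reported to the caller as success with `out` produced by a transform that was never keyed. The removed skcipher code ignored the setkey result as well, and with a fixed 8-byte key a failure looks unlikely, so this is a hardening point rather than a regression. A follow-up could capture it with `rc = crypto_cipher_setkey(tfm_des, key2, 8);`, skip `crypto_cipher_encrypt_one()` when rc is non-zero, and clear the stack copy of the key with `memzero_explicit(key2, sizeof(key2));` before returning. Because this file is carried as a backport of the stable commit named in its header, such a change is better kept as a separate patch than folded into this one.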
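--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -15,16 +15,17 @@ KENEABRANCH = "cavium-4.9"
 SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
 git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
 file://dts \
+file://CVE-2016-10154.patch \
 file://CVE-2017-7487.patch \
-file://CVE-2017-1000364.patch \
+file://CVE-2017-7618.patch \
+file://CVE-2017-7645.patch \
 file://CVE-2017-8063.patch \
 file://CVE-2017-8064.patch \
 file://CVE-2017-8066.patch \
 file://CVE-2017-8067.patch \
 file://CVE-2017-8068.patch \
 file://CVE-2017-8069.patch \
-file://CVE-2017-7618.patch \
-file://CVE-2017-7645.patch \
+file://CVE-2017-1000364.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"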
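Review bot: The move of `file://CVE-2017-1000364.patch`, `file://CVE-2017-7618.patch` and `file://CVE-2017-7645.patch` to new positions in SRC_URI is not mentioned in the commit message, which describes only the CVE-2016-10154 addition. Patches listed in SRC_URI are applied in list order, so the reorder changes the application sequence of existing security fixes and is worth confirming with a clean build, especially if any of the moved patches touch files shared with their new neighbours. The new order appears to sort the entries by CVE number; a line in the message such as `Sort CVE patches by CVE number` would record that the move is intentional and make later audits of the patch set easier.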