linux-cavium: CVE-2016-10154

smbencrypt() points a scatterlist to the stack causing DoS Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10154 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 12:27:57 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-29 13:08:46 +0200
commit: 9898ed1ef252beccf252d05154be55d20cb0dd8c (patch)
tree: f5fb9adc71bb152686cf7362b7c94639175f6dd2
parent: 3b0e97b92f7e66158b7a5ac9461d0705d04f8b3a (diff)
download: meta-enea-bsp-arm-9898ed1ef252beccf252d05154be55d20cb0dd8c.tar.gz
2 files changed, 104 insertions, 3 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
new file mode 100644
index 0000000..ddbeb77
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
@@ -0,0 +1,100 @@
+From 7aa58e7ad53bd9536aa49a18ccd0778c728bf57d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 12 Dec 2016 12:54:37 -0800
+Subject: [PATCH] cifs: Fix smbencrypt() to stop pointing a scatterlist at the
+ stack
+commit 06deeec77a5a689cc94b21a8a91a76e42176685d upstream.
+smbencrypt() points a scatterlist to the stack, which is breaks if
+CONFIG_VMAP_STACK=y.
+Fix it by switching to crypto_cipher_encrypt_one().  The new code
+should be considerably faster as an added benefit.
+This code is nearly identical to some code that Eric Biggers
+suggested.
+CVE: CVE-2016-10154
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Acked-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/cifs/smbencrypt.c | 40 ++++++++--------------------------------
+ 1 file changed, 8 insertions(+), 32 deletions(-)
+diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c
+index 699b786..c12bffe 100644
+--- a/fs/cifs/smbencrypt.c
+++ b/fs/cifs/smbencrypt.c
+@@ -23,7 +23,7 @@
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+ 
+-#include <crypto/skcipher.h>
+#include <linux/crypto.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
+ #include <linux/fs.h>
+@@ -69,46 +69,22 @@
+ static int
+ smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
+ {
+-       int rc;
+        unsigned char key2[8];
+-       struct crypto_skcipher *tfm_des;
+-       struct scatterlist sgin, sgout;
+-       struct skcipher_request *req;
+       struct crypto_cipher *tfm_des;
+ 
+        str_to_key(key, key2);
+ 
+-       tfm_des = crypto_alloc_skcipher("ecb(des)", 0, CRYPTO_ALG_ASYNC);
+       tfm_des = crypto_alloc_cipher("des", 0, 0);
+        if (IS_ERR(tfm_des)) {
+-               rc = PTR_ERR(tfm_des);
+-               cifs_dbg(VFS, "could not allocate des crypto API\n");
+-               goto smbhash_err;
+-       }
+-
+-       req = skcipher_request_alloc(tfm_des, GFP_KERNEL);
+-       if (!req) {
+-               rc = -ENOMEM;
+                cifs_dbg(VFS, "could not allocate des crypto API\n");
+-               goto smbhash_free_skcipher;
+               return PTR_ERR(tfm_des);
+        }
+ 
+-       crypto_skcipher_setkey(tfm_des, key2, 8);
+-
+-       sg_init_one(&sgin, in, 8);
+-       sg_init_one(&sgout, out, 8);
+       crypto_cipher_setkey(tfm_des, key2, 8);
+       crypto_cipher_encrypt_one(tfm_des, out, in);
+       crypto_free_cipher(tfm_des);
+ 
+-       skcipher_request_set_callback(req, 0, NULL, NULL);
+-       skcipher_request_set_crypt(req, &sgin, &sgout, 8, NULL);
+-
+-       rc = crypto_skcipher_encrypt(req);
+-       if (rc)
+-               cifs_dbg(VFS, "could not encrypt crypt key rc: %d\n", rc);
+-
+-       skcipher_request_free(req);
+-
+-smbhash_free_skcipher:
+-       crypto_free_skcipher(tfm_des);
+-smbhash_err:
+-       return rc;
+       return 0;
+ }
+ 
+ static int
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index a3eab1a..da39406 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -15,16 +15,17 @@ KENEABRANCH = "cavium-4.9"
 SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
           git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
           file://dts \
+           file://CVE-2016-10154.patch \
           file://CVE-2017-7487.patch \
-           file://CVE-2017-1000364.patch \
+           file://CVE-2017-7618.patch \
+           file://CVE-2017-7645.patch \
           file://CVE-2017-8063.patch \
           file://CVE-2017-8064.patch \
           file://CVE-2017-8066.patch \
           file://CVE-2017-8067.patch \
           file://CVE-2017-8068.patch \
           file://CVE-2017-8069.patch \
-           file://CVE-2017-7618.patch \
+           file://CVE-2017-1000364.patch \
-           file://CVE-2017-7645.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 12:27:57 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-29 13:08:46 +0200
commit	9898ed1ef252beccf252d05154be55d20cb0dd8c (patch)
tree	f5fb9adc71bb152686cf7362b7c94639175f6dd2
parent	3b0e97b92f7e66158b7a5ac9461d0705d04f8b3a (diff)
download	meta-enea-bsp-arm-9898ed1ef252beccf252d05154be55d20cb0dd8c.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch new file mode 100644 index 0000000..ddbeb77 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
@@ -0,0 +1,100 @@
		1	From 7aa58e7ad53bd9536aa49a18ccd0778c728bf57d Mon Sep 17 00:00:00 2001
		2	From: Andy Lutomirski <luto@kernel.org>
		3	Date: Mon, 12 Dec 2016 12:54:37 -0800
		4	Subject: [PATCH] cifs: Fix smbencrypt() to stop pointing a scatterlist at the
		5	stack
		6
		7	commit 06deeec77a5a689cc94b21a8a91a76e42176685d upstream.
		8
		9	smbencrypt() points a scatterlist to the stack, which is breaks if
		10	CONFIG_VMAP_STACK=y.
		11
		12	Fix it by switching to crypto_cipher_encrypt_one(). The new code
		13	should be considerably faster as an added benefit.
		14
		15	This code is nearly identical to some code that Eric Biggers
		16	suggested.
		17
		18	CVE: CVE-2016-10154
		19	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		20
		21	Reported-by: Eric Biggers <ebiggers3@gmail.com>
		22	Signed-off-by: Andy Lutomirski <luto@kernel.org>
		23	Acked-by: Jeff Layton <jlayton@redhat.com>
		24	Signed-off-by: Steve French <smfrench@gmail.com>
		25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	fs/cifs/smbencrypt.c \| 40 ++++++++--------------------------------
		29	1 file changed, 8 insertions(+), 32 deletions(-)
		30
		31	diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c
		32	index 699b786..c12bffe 100644
		33	--- a/fs/cifs/smbencrypt.c
		34	+++ b/fs/cifs/smbencrypt.c
		35	@@ -23,7 +23,7 @@
		36	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
		37	*/
		38
		39	-#include <crypto/skcipher.h>
		40	+#include <linux/crypto.h>
		41	#include <linux/module.h>
		42	#include <linux/slab.h>
		43	#include <linux/fs.h>
		44	@@ -69,46 +69,22 @@
		45	static int
		46	smbhash(unsigned char out, const unsigned char in, unsigned char *key)
		47	{
		48	- int rc;
		49	unsigned char key2[8];
		50	- struct crypto_skcipher *tfm_des;
		51	- struct scatterlist sgin, sgout;
		52	- struct skcipher_request *req;
		53	+ struct crypto_cipher *tfm_des;
		54
		55	str_to_key(key, key2);
		56
		57	- tfm_des = crypto_alloc_skcipher("ecb(des)", 0, CRYPTO_ALG_ASYNC);
		58	+ tfm_des = crypto_alloc_cipher("des", 0, 0);
		59	if (IS_ERR(tfm_des)) {
		60	- rc = PTR_ERR(tfm_des);
		61	- cifs_dbg(VFS, "could not allocate des crypto API\n");
		62	- goto smbhash_err;
		63	- }
		64	-
		65	- req = skcipher_request_alloc(tfm_des, GFP_KERNEL);
		66	- if (!req) {
		67	- rc = -ENOMEM;
		68	cifs_dbg(VFS, "could not allocate des crypto API\n");
		69	- goto smbhash_free_skcipher;
		70	+ return PTR_ERR(tfm_des);
		71	}
		72
		73	- crypto_skcipher_setkey(tfm_des, key2, 8);
		74	-
		75	- sg_init_one(&sgin, in, 8);
		76	- sg_init_one(&sgout, out, 8);
		77	+ crypto_cipher_setkey(tfm_des, key2, 8);
		78	+ crypto_cipher_encrypt_one(tfm_des, out, in);
		79	+ crypto_free_cipher(tfm_des);
		80
		81	- skcipher_request_set_callback(req, 0, NULL, NULL);
		82	- skcipher_request_set_crypt(req, &sgin, &sgout, 8, NULL);
		83	-
		84	- rc = crypto_skcipher_encrypt(req);
		85	- if (rc)
		86	- cifs_dbg(VFS, "could not encrypt crypt key rc: %d\n", rc);
		87	-
		88	- skcipher_request_free(req);
		89	-
		90	-smbhash_free_skcipher:
		91	- crypto_free_skcipher(tfm_des);
		92	-smbhash_err:
		93	- return rc;
		94	+ return 0;
		95	}
		96
		97	static int
		98	--
		99	1.9.1
		100


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index a3eab1a..da39406 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -15,16 +15,17 @@ KENEABRANCH = "cavium-4.9"
15	SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \	15	SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \	16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
17	file://dts \	17	file://dts \
		18	file://CVE-2016-10154.patch \
18	file://CVE-2017-7487.patch \	19	file://CVE-2017-7487.patch \
19	file://CVE-2017-1000364.patch \	20	file://CVE-2017-7618.patch \
		21	file://CVE-2017-7645.patch \
20	file://CVE-2017-8063.patch \	22	file://CVE-2017-8063.patch \
21	file://CVE-2017-8064.patch \	23	file://CVE-2017-8064.patch \
22	file://CVE-2017-8066.patch \	24	file://CVE-2017-8066.patch \
23	file://CVE-2017-8067.patch \	25	file://CVE-2017-8067.patch \
24	file://CVE-2017-8068.patch \	26	file://CVE-2017-8068.patch \
25	file://CVE-2017-8069.patch \	27	file://CVE-2017-8069.patch \
26	file://CVE-2017-7618.patch \	28	file://CVE-2017-1000364.patch \
27	file://CVE-2017-7645.patch \
28	"	29	"
29		30
30	LINUX_KERNEL_TYPE = "tiny"	31	LINUX_KERNEL_TYPE = "tiny"