From 9898ed1ef252beccf252d05154be55d20cb0dd8c Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 29 Sep 2017 12:27:57 +0200
Subject: linux-cavium: CVE-2016-10154 smbencrypt() points a scatterlist to the stack causing DoS

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10154
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../linux/linux-cavium/CVE-2016-10154.patch | 100 +++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 7 +-
 2 files changed, 104 insertions(+), 3 deletions(-)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
new file mode 100644
index 0000000..ddbeb77
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10154.patch
@@ -0,0 +1,100 @@
+From 7aa58e7ad53bd9536aa49a18ccd0778c728bf57d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 12 Dec 2016 12:54:37 -0800
+Subject: [PATCH] cifs: Fix smbencrypt() to stop pointing a scatterlist at the
+ stack
+
+commit 06deeec77a5a689cc94b21a8a91a76e42176685d upstream.
+
+smbencrypt() points a scatterlist to the stack, which is breaks if
+CONFIG_VMAP_STACK=y.
+
+Fix it by switching to crypto_cipher_encrypt_one(). The new code
+should be considerably faster as an added benefit.
+
+This code is nearly identical to some code that Eric Biggers
+suggested.
+
+CVE: CVE-2016-10154
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Eric Biggers
+Signed-off-by: Andy Lutomirski
+Acked-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/cifs/smbencrypt.c | 40 ++++++++--------------------------------
+ 1 file changed, 8 insertions(+), 32 deletions(-)
+
+diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c
+index 699b786..c12bffe 100644
+--- a/fs/cifs/smbencrypt.c
++++ b/fs/cifs/smbencrypt.c
+@@ -23,7 +23,7 @@
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+-#include
++#include
+ #include
+ #include
+ #include
+@@ -69,46 +69,22 @@
+ static int
+ smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
+ {
+- int rc;
+ unsigned char key2[8];
+- struct crypto_skcipher *tfm_des;
+- struct scatterlist sgin, sgout;
+- struct skcipher_request *req;
++ struct crypto_cipher *tfm_des;
+
+ str_to_key(key, key2);
+
+- tfm_des = crypto_alloc_skcipher("ecb(des)", 0, CRYPTO_ALG_ASYNC);
++ tfm_des = crypto_alloc_cipher("des", 0, 0);
+ if (IS_ERR(tfm_des)) {
+- rc = PTR_ERR(tfm_des);
+- cifs_dbg(VFS, "could not allocate des crypto API\n");
+- goto smbhash_err;
+- }
+-
+- req = skcipher_request_alloc(tfm_des, GFP_KERNEL);
+- if (!req) {
+- rc = -ENOMEM;
+ cifs_dbg(VFS, "could not allocate des crypto API\n");
+- goto smbhash_free_skcipher;
++ return PTR_ERR(tfm_des);
+ }
+
+- crypto_skcipher_setkey(tfm_des, key2, 8);
+-
+- sg_init_one(&sgin, in, 8);
+- sg_init_one(&sgout, out, 8);
++ crypto_cipher_setkey(tfm_des, key2, 8);
++ crypto_cipher_encrypt_one(tfm_des, out, in);
++ crypto_free_cipher(tfm_des);
+
+- skcipher_request_set_callback(req, 0, NULL, NULL);
+- skcipher_request_set_crypt(req, &sgin, &sgout, 8, NULL);
+-
+- rc = crypto_skcipher_encrypt(req);
+- if (rc)
+- cifs_dbg(VFS, "could not encrypt crypt key rc: %d\n", rc);
+-
+- skcipher_request_free(req);
+-
+-smbhash_free_skcipher:
+- crypto_free_skcipher(tfm_des);
+-smbhash_err:
+- return rc;
++ return 0;
+ }
+
+ static int
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index a3eab1a..da39406 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
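Review bot: The return value of `crypto_cipher_setkey()` on the new side of the nested `@@ -69,46 +69,22 @@` hunk is discarded and `smbhash()` then returns 0 unconditionally, so a key-setup failure still runs `crypto_cipher_encrypt_one()` against whatever key state the transform holds and the caller never learns the resulting hash is not trustworthy. The old skcipher path also left its setkey unchecked, but it at least propagated the encrypt result through `rc`; the rewrite drops that too, so the only error the caller can now see is the allocation failure. Suggest keeping an `rc`, checking setkey and encrypting only on success, as below. Separately, the two `#include` lines in the nested `@@ -23,7 +23,7 @@` hunk appear here with no header name (`+-#include` / `++#include`), presumably angle-bracketed paths lost in rendering; worth confirming the on-disk patch file is intact before it is applied.
```c
	int rc;
	/* … unchanged: key2/tfm_des declarations, str_to_key(), crypto_alloc_cipher() and its IS_ERR() check … */
	rc = crypto_cipher_setkey(tfm_des, key2, 8);
	if (rc)
		cifs_dbg(VFS, "could not set des key rc: %d\n", rc);
	else
		crypto_cipher_encrypt_one(tfm_des, out, in);
	crypto_free_cipher(tfm_des);
	return rc;
```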
@@ -15,16 +15,17 @@ KENEABRANCH = "cavium-4.9"
 SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
 git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
 file://dts \
+ file://CVE-2016-10154.patch \
 file://CVE-2017-7487.patch \
- file://CVE-2017-1000364.patch \
+ file://CVE-2017-7618.patch \
+ file://CVE-2017-7645.patch \
 file://CVE-2017-8063.patch \
 file://CVE-2017-8064.patch \
 file://CVE-2017-8066.patch \
 file://CVE-2017-8067.patch \
 file://CVE-2017-8068.patch \
 file://CVE-2017-8069.patch \
- file://CVE-2017-7618.patch \
- file://CVE-2017-7645.patch \
+ file://CVE-2017-1000364.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"
--
cgit v1.2.3-54-g00ecf
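Review bot: Besides adding `file://CVE-2016-10154.patch`, this hunk silently re-orders three existing entries — `CVE-2017-1000364.patch` moves from directly after `CVE-2017-7487.patch` to the end of `SRC_URI`, and `CVE-2017-7618.patch` / `CVE-2017-7645.patch` move up ahead of the CVE-2017-806x series — while the commit message only mentions the new CVE. Patch application order matters when patches touch the same files, so either the reorder is needed for the series to apply cleanly and the description should say so, or it should be dropped so the change is just the single added line `+ file://CVE-2016-10154.patch \`. The new entry is placed before the CVE-2017 ones, which looks like chronological-by-CVE ordering; if that is the intended convention, a one-line comment above the list stating it would stop the next backport from having to guess.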