Commit Graph

3041 Commits

Author SHA1 Message Date
Greg Kroah-Hartman bc7ff9b998 Merge 4.9.75 into android-4.9
Changes in 4.9.75
	tcp_bbr: reset full pipe detection on loss recovery undo
	tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
	x86/boot: Add early cmdline parsing for options with arguments
	KAISER: Kernel Address Isolation
	kaiser: merged update
	kaiser: do not set _PAGE_NX on pgd_none
	kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
	kaiser: fix build and FIXME in alloc_ldt_struct()
	kaiser: KAISER depends on SMP
	kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
	kaiser: fix perf crashes
	kaiser: ENOMEM if kaiser_pagetable_walk() NULL
	kaiser: tidied up asm/kaiser.h somewhat
	kaiser: tidied up kaiser_add/remove_mapping slightly
	kaiser: align addition to x86/mm/Makefile
	kaiser: cleanups while trying for gold link
	kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
	kaiser: delete KAISER_REAL_SWITCH option
	kaiser: vmstat show NR_KAISERTABLE as nr_overhead
	kaiser: enhanced by kernel and user PCIDs
	kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user
	kaiser: PCID 0 for kernel and 128 for user
	kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user
	kaiser: paranoid_entry pass cr3 need to paranoid_exit
	kaiser: kaiser_remove_mapping() move along the pgd
	kaiser: fix unlikely error in alloc_ldt_struct()
	kaiser: add "nokaiser" boot option, using ALTERNATIVE
	x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
	x86/kaiser: Check boottime cmdline params
	kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
	kaiser: drop is_atomic arg to kaiser_pagetable_walk()
	kaiser: asm/tlbflush.h handle noPGE at lower level
	kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
	x86/paravirt: Dont patch flush_tlb_single
	x86/kaiser: Reenable PARAVIRT
	kaiser: disabled on Xen PV
	x86/kaiser: Move feature detection up
	KPTI: Rename to PAGE_TABLE_ISOLATION
	KPTI: Report when enabled
	kaiser: Set _PAGE_NX only if supported
	Linux 4.9.75

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-01-05 22:28:25 +01:00
Kees Cook e71fac0172 KPTI: Rename to PAGE_TABLE_ISOLATION
This renames CONFIG_KAISER to CONFIG_PAGE_TABLE_ISOLATION.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:35 +01:00
Borislav Petkov 2c2721754a x86/kaiser: Reenable PARAVIRT
Now that the required bits have been addressed, reenable
PARAVIRT.

Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:35 +01:00
Hugh Dickins 1ce27de401 kaiser: delete KAISER_REAL_SWITCH option
We fail to see what CONFIG_KAISER_REAL_SWITCH is for: it seems to be
left over from early development, and now just obscures tricky parts
of the code.  Delete it before adding PCIDs, or nokaiser boot option.

(Or if there is some good reason to keep the option, then it needs
a help text - and a "depends on KAISER", so that all those without
KAISER are not asked the question.  But we'd much rather delete it.)

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:33 +01:00
Hugh Dickins 639c005dae kaiser: KAISER depends on SMP
It is absurd that KAISER should depend on SMP, but apparently nobody
has tried a UP build before: which breaks on implicit declaration of
function 'per_cpu_offset' in arch/x86/mm/kaiser.c.

Now, you would expect that to be trivially fixed up; but looking at
the System.map when that block is #ifdef'ed out of kaiser_init(),
I see that in a UP build __per_cpu_user_mapped_end is precisely at
__per_cpu_user_mapped_start, and the items carefully gathered into
that section for user-mapping on SMP, dispersed elsewhere on UP.

So, some other kind of section assignment will be needed on UP,
but implementing that is not a priority: just make KAISER depend
on SMP for now.

Also inserted a blank line before the option, tidied up the
brief Kconfig help message, and added an "If unsure, Y".

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:32 +01:00
Dave Hansen 8f0baadf2b kaiser: merged update
Merged fixes and cleanups, rebased to 4.9.51 tree (no 5-level paging).

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:32 +01:00
Richard Fellner 13be4483bb KAISER: Kernel Address Isolation
This patch introduces our implementation of KAISER (Kernel Address Isolation to
have Side-channels Efficiently Removed), a kernel isolation technique to close
hardware side channels on kernel address information.

More information about the patch can be found on:

        https://github.com/IAIK/KAISER

From: Richard Fellner <richard.fellner@student.tugraz.at>
From: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Subject: [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode
Date: Thu, 4 May 2017 14:26:50 +0200
Link: http://marc.info/?l=linux-kernel&m=149390087310405&w=2
Kaiser-4.10-SHA1: c4b1831d44c6144d3762ccc72f0c4e71a0c713e5

To: <linux-kernel@vger.kernel.org>
To: <kernel-hardening@lists.openwall.com>
Cc: <clementine.maurice@iaik.tugraz.at>
Cc: <moritz.lipp@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: <kirill.shutemov@linux.intel.com>
Cc: <anders.fogh@gdata-adan.de>

After several recent works [1,2,3] KASLR on x86_64 was basically
considered dead by many researchers. We have been working on an
efficient but effective fix for this problem and found that not mapping
the kernel space when running in user mode is the solution to this
problem [4] (the corresponding paper [5] will be presented at ESSoS17).

With this RFC patch we allow anybody to configure their kernel with the
flag CONFIG_KAISER to add our defense mechanism.

If there are any questions we would love to answer them.
We also appreciate any comments!

Cheers,
Daniel (+ the KAISER team from Graz University of Technology)

[1] http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
[2] https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf
[3] https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf
[4] https://github.com/IAIK/KAISER
[5] https://gruss.cc/files/kaiser.pdf

[patch based also on
https://raw.githubusercontent.com/IAIK/KAISER/master/KAISER/0001-KAISER-Kernel-Address-Isolation.patch]

Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-05 15:46:32 +01:00
Greg Kroah-Hartman 3f1d77ca5f Merge 4.9.69 into android-4.9
Changes in 4.9.69
	usb: gadget: udc: renesas_usb3: fix number of the pipes
	can: ti_hecc: Fix napi poll return value for repoll
	can: kvaser_usb: free buf in error paths
	can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
	can: kvaser_usb: ratelimit errors if incomplete messages are received
	can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
	can: ems_usb: cancel urb on -EPIPE and -EPROTO
	can: esd_usb2: cancel urb on -EPIPE and -EPROTO
	can: usb_8dev: cancel urb on -EPIPE and -EPROTO
	virtio: release virtio index when fail to device_register
	hv: kvp: Avoid reading past allocated blocks from KVP file
	isa: Prevent NULL dereference in isa_bus driver callbacks
	scsi: dma-mapping: always provide dma_get_cache_alignment
	scsi: use dma_get_cache_alignment() as minimum DMA alignment
	scsi: libsas: align sata_device's rps_resp on a cacheline
	efi: Move some sysfs files to be read-only by root
	efi/esrt: Use memunmap() instead of kfree() to free the remapping
	ASN.1: fix out-of-bounds read when parsing indefinite length item
	ASN.1: check for error from ASN1_OP_END__ACT actions
	KEYS: add missing permission check for request_key() destination
	X.509: reject invalid BIT STRING for subjectPublicKey
	X.509: fix comparisons of ->pkey_algo
	x86/PCI: Make broadcom_postcore_init() check acpi_disabled
	KVM: x86: fix APIC page invalidation
	btrfs: fix missing error return in btrfs_drop_snapshot
	ALSA: pcm: prevent UAF in snd_pcm_info
	ALSA: seq: Remove spurious WARN_ON() at timer check
	ALSA: usb-audio: Fix out-of-bound error
	ALSA: usb-audio: Add check return value for usb_string()
	iommu/vt-d: Fix scatterlist offset handling
	smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
	s390: fix compat system call table
	KVM: s390: Fix skey emulation permission check
	powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
	brcmfmac: change driver unbind order of the sdio function devices
	kdb: Fix handling of kallsyms_symbol_next() return value
	drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
	media: dvb: i2c transfers over usb cannot be done from stack
	arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
	arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
	KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
	KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
	KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
	KVM: arm/arm64: vgic-its: Check result of allocation before use
	arm64: fpsimd: Prevent registers leaking from dead tasks
	bus: arm-cci: Fix use of smp_processor_id() in preemptible context
	bus: arm-ccn: Check memory allocation failure
	bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
	bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
	crypto: talitos - fix AEAD test failures
	crypto: talitos - fix memory corruption on SEC2
	crypto: talitos - fix setkey to check key weakness
	crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
	crypto: talitos - fix use of sg_link_tbl_len
	crypto: talitos - fix ctr-aes-talitos
	usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
	ARM: BUG if jumping to usermode address in kernel mode
	ARM: avoid faulting on qemu
	thp: reduce indentation level in change_huge_pmd()
	thp: fix MADV_DONTNEED vs. numa balancing race
	mm: drop unused pmdp_huge_get_and_clear_notify()
	Revert "drm/armada: Fix compile fail"
	Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
	ARM: 8657/1: uaccess: consistently check object sizes
	vti6: Don't report path MTU below IPV6_MIN_MTU.
	ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
	x86/selftests: Add clobbers for int80 on x86_64
	x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
	sched/fair: Make select_idle_cpu() more aggressive
	x86/hpet: Prevent might sleep splat on resume
	powerpc/64: Invalidate process table caching after setting process table
	selftest/powerpc: Fix false failures for skipped tests
	powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
	lirc: fix dead lock between open and wakeup_filter
	module: set __jump_table alignment to 8
	powerpc/64: Fix checksum folding in csum_add()
	ARM: OMAP2+: Fix device node reference counts
	ARM: OMAP2+: Release device node after it is no longer needed.
	ASoC: rcar: avoid SSI_MODEx settings for SSI8
	gpio: altera: Use handle_level_irq when configured as a level_high
	HID: chicony: Add support for another ASUS Zen AiO keyboard
	usb: gadget: configs: plug memory leak
	USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
	usb: dwc3: gadget: Fix system suspend/resume on TI platforms
	usb: gadget: pxa27x: Test for a valid argument pointer
	usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
	kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
	libata: drop WARN from protocol error in ata_sff_qc_issue()
	workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
	scsi: qla2xxx: Fix ql_dump_buffer
	scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
	irqchip/crossbar: Fix incorrect type of register size
	KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
	arm: KVM: Survive unknown traps from guests
	arm64: KVM: Survive unknown traps from guests
	KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
	spi_ks8995: fix "BUG: key accdaa28 not in .data!"
	spi_ks8995: regs_size incorrect for some devices
	bnx2x: prevent crash when accessing PTP with interface down
	bnx2x: fix possible overrun of VFPF multicast addresses array
	bnx2x: fix detection of VLAN filtering feature for VF
	bnx2x: do not rollback VF MAC/VLAN filters we did not configure
	rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
	ibmvnic: Fix overflowing firmware/hardware TX queue
	ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
	ipv6: reorder icmpv6_init() and ip6_mr_init()
	crypto: s5p-sss - Fix completing crypto request in IRQ handler
	i2c: riic: fix restart condition
	blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
	zram: set physical queue limits to avoid array out of bounds accesses
	netfilter: don't track fragmented packets
	axonram: Fix gendisk handling
	drm/amd/amdgpu: fix console deadlock if late init failed
	powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
	EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
	EDAC, i5000, i5400: Fix definition of NRECMEMB register
	kbuild: pkg: use --transform option to prefix paths in tar
	coccinelle: fix parallel build with CHECK=scripts/coccicheck
	x86/mpx/selftests: Fix up weird arrays
	mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
	gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
	route: also update fnhe_genid when updating a route cache
	route: update fnhe_expires for redirect when the fnhe exists
	drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
	lib/genalloc.c: make the avail variable an atomic_long_t
	dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
	NFS: Fix a typo in nfs_rename()
	sunrpc: Fix rpc_task_begin trace point
	xfs: fix forgotten rcu read unlock when skipping inode reclaim
	dt-bindings: usb: fix reg-property port-number range
	block: wake up all tasks blocked in get_request()
	sparc64/mm: set fields in deferred pages
	zsmalloc: calling zs_map_object() from irq is a bug
	sctp: do not free asoc when it is already dead in sctp_sendmsg
	sctp: use the right sk after waking up from wait_buf sleep
	bpf: fix lockdep splat
	clk: uniphier: fix DAPLL2 clock rate of Pro5
	atm: horizon: Fix irq release error
	jump_label: Invoke jump_label_test() via early_initcall()
	xfrm: Copy policy family in clone_policy
	IB/mlx4: Increase maximal message size under UD QP
	IB/mlx5: Assign send CQ and recv CQ of UMR QP
	afs: Connect up the CB.ProbeUuid
	Linux 4.9.69

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-12-14 09:58:43 +01:00
Eric Biggers 982707eb4f KEYS: add missing permission check for request_key() destination
commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.

When the request_key() syscall is not passed a destination keyring, it
links the requested key (if constructed) into the "default" request-key
keyring.  This should require Write permission to the keyring.  However,
there is actually no permission check.

This can be abused to add keys to any keyring to which only Search
permission is granted.  This is because Search permission allows joining
the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
then will set the default request-key keyring to the session keyring.
Then, request_key() can be used to add keys to the keyring.

Both negatively and positively instantiated keys can be added using this
method.  Adding negative keys is trivial.  Adding a positive key is a
bit trickier.  It requires that either /sbin/request-key positively
instantiates the key, or that another thread adds the key to the process
keyring at just the right time, such that request_key() misses it
initially but then finds it in construct_alloc_key().

Fix this bug by checking for Write permission to the keyring in
construct_get_dest_keyring() when the default keyring is being used.

We don't do the permission check for non-default keyrings because that
was already done by the earlier call to lookup_user_key().  Also,
request_key_and_link() is currently passed a 'struct key *' rather than
a key_ref_t, so the "possessed" bit is unavailable.

We also don't do the permission check for the "requestor keyring", to
continue to support the use case described by commit 8bbf4976b5
("KEYS: Alter use of key instantiation link-to-keyring argument") where
/sbin/request-key recursively calls request_key() to add keys to the
original requestor's destination keyring.  (I don't know of any users
who actually do that, though...)

Fixes: 3e30148c3d ("[PATCH] Keys: Make request-key create an authorisation key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-14 09:28:12 +01:00
Greg Kroah-Hartman fdeec8fdb7 Merge 4.9.68 into android-4.9
Changes in 4.9.68
	bcache: only permit to recovery read error when cache device is clean
	bcache: recover data from backing when data is clean
	drm/fsl-dcu: avoid disabling pixel clock twice on suspend
	drm/fsl-dcu: enable IRQ before drm_atomic_helper_resume()
	Revert "crypto: caam - get rid of tasklet"
	mm, oom_reaper: gather each vma to prevent leaking TLB entry
	uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
	usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
	serial: 8250_pci: Add Amazon PCI serial device ID
	s390/runtime instrumentation: simplify task exit handling
	USB: serial: option: add Quectel BG96 id
	ima: fix hash algorithm initialization
	s390/pci: do not require AIS facility
	selftests/x86/ldt_get: Add a few additional tests for limits
	staging: greybus: loopback: Fix iteration count on async path
	m68k: fix ColdFire node shift size calculation
	serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
	staging: rtl8188eu: avoid a null dereference on pmlmepriv
	spi: sh-msiof: Fix DMA transfer size check
	spi: spi-axi: fix potential use-after-free after deregistration
	mmc: sdhci-msm: fix issue with power irq
	usb: phy: tahvo: fix error handling in tahvo_usb_probe()
	serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
	x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
	EDAC, sb_edac: Fix missing break in switch
	sysrq : fix Show Regs call trace on ARM
	usbip: tools: Install all headers needed for libusbip development
	perf test attr: Fix ignored test case result
	kprobes/x86: Disable preemption in ftrace-based jprobes
	tools include: Do not use poison with C++
	iio: adc: ti-ads1015: add 10% to conversion wait time
	dax: Avoid page invalidation races and unnecessary radix tree traversals
	net/mlx4_en: Fix type mismatch for 32-bit systems
	l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups
	dmaengine: stm32-dma: Set correct args number for DMA request from DT
	dmaengine: stm32-dma: Fix null pointer dereference in stm32_dma_tx_status
	usb: gadget: f_fs: Fix ExtCompat descriptor validation
	libcxgb: fix error check for ip6_route_output()
	net: systemport: Utilize skb_put_padto()
	net: systemport: Pad packet before inserting TSB
	ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate
	ARM: OMAP1: DMA: Correct the number of logical channels
	vti6: fix device register to report IFLA_INFO_KIND
	be2net: fix accesses to unicast list
	be2net: fix unicast list filling
	net/appletalk: Fix kernel memory disclosure
	libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount
	net: qrtr: Mark 'buf' as little endian
	mm: fix remote numa hits statistics
	mac80211: calculate min channel width correctly
	ravb: Remove Rx overflow log messages
	nfs: Don't take a reference on fl->fl_file for LOCK operation
	drm/exynos/decon5433: update shadow registers iff there are active windows
	drm/exynos/decon5433: set STANDALONE_UPDATE_F also if planes are disabled
	KVM: arm/arm64: Fix occasional warning from the timer work function
	mac80211: prevent skb/txq mismatch
	NFSv4: Fix client recovery when server reboots multiple times
	perf/x86/intel: Account interrupts for PEBS errors
	powerpc/mm: Fix memory hotplug BUG() on radix
	qla2xxx: Fix wrong IOCB type assumption
	drm/amdgpu: fix bug set incorrect value to vce register
	drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement
	net: sctp: fix array overrun read on sctp_timer_tbl
	x86/fpu: Set the xcomp_bv when we fake up a XSAVES area
	drm/amdgpu: fix unload driver issue for virtual display
	mac80211: don't try to sleep in rate_control_rate_init()
	RDMA/qedr: Return success when not changing QP state
	RDMA/qedr: Fix RDMA CM loopback
	tipc: fix nametbl_lock soft lockup at module exit
	tipc: fix cleanup at module unload
	dmaengine: pl330: fix double lock
	tcp: correct memory barrier usage in tcp_check_space()
	i2c: i2c-cadence: Initialize configuration before probing devices
	nvmet: cancel fatal error and flush async work before free controller
	gtp: clear DF bit on GTP packet tx
	gtp: fix cross netns recv on gtp socket
	net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause
	net: thunderx: avoid dereferencing xcv when NULL
	be2net: fix initial MAC setting
	vfio/spapr: Fix missing mutex unlock when creating a window
	mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
	xen-netfront: Improve error handling during initialization
	cec: initiator should be the same as the destination for, poll
	xen-netback: vif counters from int/long to u64
	net: fec: fix multicast filtering hardware setup
	dma-buf/dma-fence: Extract __dma_fence_is_later()
	dma-buf/sw-sync: Fix the is-signaled test to handle u32 wraparound
	dma-buf/sw-sync: Prevent user overflow on timeline advance
	dma-buf/sw-sync: Reduce irqsave/irqrestore from known context
	dma-buf/sw-sync: sync_pt is private and of fixed size
	dma-buf/sw-sync: Fix locking around sync_timeline lists
	dma-buf/sw-sync: Use an rbtree to sort fences in the timeline
	dma-buf/sw_sync: move timeline_fence_ops around
	dma-buf/sw_sync: clean up list before signaling the fence
	dma-fence: Clear fence->status during dma_fence_init()
	dma-fence: Wrap querying the fence->status
	dma-fence: Introduce drm_fence_set_error() helper
	dma-buf/sw_sync: force signal all unsignaled fences on dying timeline
	dma-buf/sync_file: hold reference to fence when creating sync_file
	dma-buf: Update kerneldoc for sync_file_create
	usb: hub: Cycle HUB power when initialization fails
	usb: xhci: fix panic in xhci_free_virt_devices_depth_first
	USB: core: Add type-specific length check of BOS descriptors
	USB: Increase usbfs transfer limit
	USB: devio: Prevent integer overflow in proc_do_submiturb()
	USB: usbfs: Filter flags passed in from user space
	usb: host: fix incorrect updating of offset
	xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
	Linux 4.9.68

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-12-10 17:13:13 +01:00
Boshi Wang b0a46089fe ima: fix hash algorithm initialization
[ Upstream commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee ]

The hash_setup function always sets the hash_setup_done flag, even
when the hash algorithm is invalid.  This prevents the default hash
algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used.

This patch sets hash_setup_done flag only for valid hash algorithms.

Fixes: e7a2ad7eb6 "ima: enable support for larger default filedata hash algorithms"
Signed-off-by: Boshi Wang <wangboshi@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-09 22:01:47 +01:00
Greg Kroah-Hartman ea83e4a902 Merge 4.9.65 into android-4.9
Changes in 4.9.65
	tcp_nv: fix division by zero in tcpnv_acked()
	net: vrf: correct FRA_L3MDEV encode type
	tcp: do not mangle skb->cb[] in tcp_make_synack()
	netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
	bonding: discard lowest hash bit for 802.3ad layer3+4
	net: cdc_ether: fix divide by 0 on bad descriptors
	net: qmi_wwan: fix divide by 0 on bad descriptors
	qmi_wwan: Add missing skb_reset_mac_header-call
	net: usb: asix: fill null-ptr-deref in asix_suspend
	vlan: fix a use-after-free in vlan_device_event()
	af_netlink: ensure that NLMSG_DONE never fails in dumps
	sctp: do not peel off an assoc from one netns to another one
	fealnx: Fix building error on MIPS
	net/sctp: Always set scope_id in sctp_inet6_skb_msgname
	crypto: dh - fix memleak in setkey
	crypto: dh - Fix double free of ctx->p
	ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
	serial: omap: Fix EFR write on RTS deassertion
	serial: 8250_fintek: Fix finding base_port with activated SuperIO
	dmaengine: dmatest: warn user when dma test times out
	ocfs2: fix cluster hang after a node dies
	ocfs2: should wait dio before inode lock in ocfs2_setattr()
	ipmi: fix unsigned long underflow
	mm/page_alloc.c: broken deferred calculation
	coda: fix 'kernel memory exposure attempt' in fsync
	mm/pagewalk.c: report holes in hugetlb ranges
	Linux 4.9.65

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-11-24 08:58:15 +01:00
Roberto Sassu 2cfbb32f6c ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.

Commit b65a9cfc2c ("Untangling ima mess, part 2: deal with counters")
moved the call of ima_file_check() from may_open() to do_filp_open() at a
point where the file descriptor is already opened.

This breaks the assumption made by IMA that file descriptors being closed
belong to files whose access was granted by ima_file_check(). The
consequence is that security.ima and security.evm are updated with good
values, regardless of the current appraisal status.

For example, if a file does not have security.ima, IMA will create it after
opening the file for writing, even if access is denied. Access to the file
will be allowed afterwards.

Avoid this issue by checking the appraisal status before updating
security.ima.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-24 08:33:41 +01:00
Greg Kroah-Hartman 44a3afcce1 Merge 4.9.63 into android-4.9
Changes in 4.9.63
	gso: fix payload length when gso_size is zero
	tun/tap: sanitize TUNSETSNDBUF input
	ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
	netlink: do not set cb_running if dump's start() errs
	net: call cgroup_sk_alloc() earlier in sk_clone_lock()
	tcp: fix tcp_mtu_probe() vs highest_sack
	l2tp: check ps->sock before running pppol2tp_session_ioctl()
	tun: call dev_get_valid_name() before register_netdevice()
	sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
	tcp/dccp: fix ireq->opt races
	packet: avoid panic in packet_getsockopt()
	soreuseport: fix initialization race
	ipv6: flowlabel: do not leave opt->tot_len with garbage
	sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
	tcp/dccp: fix lockdep splat in inet_csk_route_req()
	tcp/dccp: fix other lockdep splats accessing ireq_opt
	net/unix: don't show information about sockets from other namespaces
	tap: double-free in error path in tap_open()
	ipip: only increase err_count for some certain type icmp in ipip_err
	ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
	ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit
	tun: allow positive return values on dev_get_valid_name() call
	sctp: reset owner sk for data chunks on out queues when migrating a sock
	net_sched: avoid matching qdisc with zero handle
	ppp: fix race in ppp device destruction
	mac80211: accept key reinstall without changing anything
	mac80211: use constant time comparison with keys
	mac80211: don't compare TKIP TX MIC key in reinstall prevention
	usb: usbtest: fix NULL pointer dereference
	Input: ims-psu - check if CDC union descriptor is sane
	ALSA: seq: Cancel pending autoload work at unbinding device
	Revert "ARM: dts: imx53-qsb-common: fix FEC pinmux config"
	netfilter: nat: avoid use of nf_conn_nat extension
	netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
	security/keys: add CONFIG_KEYS_COMPAT to Kconfig
	brcmfmac: remove setting IBSS mode when stopping AP
	target/iscsi: Fix iSCSI task reassignment handling
	qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2)
	misc: panel: properly restore atomic counter on error path
	Linux 4.9.63

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-11-18 17:25:57 +01:00
Bilal Amarni 31c8c49428 security/keys: add CONFIG_KEYS_COMPAT to Kconfig
commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20 upstream.

CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for
several 64-bit architectures : mips, parisc, tile.

At the moment and for those architectures, calling in 32-bit userspace the
keyctl syscall would return an ENOSYS error.

This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to
make sure the compatibility wrapper is registered by default for any 64-bit
architecture as long as it is configured with CONFIG_COMPAT.

[DH: Modified to remove arm64 compat enablement also as requested by Eric
 Biggers]

Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
cc: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Cc: James Cowgill <james.cowgill@mips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-18 11:22:24 +01:00
Greg Kroah-Hartman a6d71ba679 Merge 4.9.62 into android-4.9
Changes in 4.9.62
	adv7604: Initialize drive strength to default when using DT
	video: fbdev: pmag-ba-fb: Remove bad `__init' annotation
	PCI: mvebu: Handle changes to the bridge windows while enabled
	sched/core: Add missing update_rq_clock() call in sched_move_task()
	xen/netback: set default upper limit of tx/rx queues to 8
	ARM: dts: imx53-qsb-common: fix FEC pinmux config
	dt-bindings: clockgen: Add compatible string for LS1012A
	EDAC, amd64: Add x86cpuid sanity check during init
	PM / OPP: Error out on failing to add static OPPs for v1 bindings
	clk: samsung: exynos5433: Add IDs for PHYCLK_MIPIDPHY0_* clocks
	drm: drm_minor_register(): Clean up debugfs on failure
	KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
	iommu/arm-smmu-v3: Clear prior settings when updating STEs
	pinctrl: baytrail: Fix debugfs offset output
	powerpc/corenet: explicitly disable the SDHC controller on kmcoge4
	cxl: Force psl data-cache flush during device shutdown
	ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6
	arm64: dma-mapping: Only swizzle DMA ops for IOMMU_DOMAIN_DMA
	crypto: vmx - disable preemption to enable vsx in aes_ctr.c
	drm: mali-dp: fix Lx_CONTROL register fields clobber
	iio: trigger: free trigger resource correctly
	iio: pressure: ms5611: claim direct mode during oversampling changes
	iio: magnetometer: mag3110: claim direct mode during raw writes
	iio: proximity: sx9500: claim direct mode during raw proximity reads
	dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification
	dt-bindings: Add vendor prefix for LEGO
	phy: increase size of MII_BUS_ID_SIZE and bus_id
	serial: sh-sci: Fix register offsets for the IRDA serial port
	libertas: fix improper return value
	usb: hcd: initialize hcd->flags to 0 when rm hcd
	netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
	brcmfmac: setup wiphy bands after registering it first
	rt2800usb: mark tx failure on timeout
	apparmor: fix undefined reference to `aa_g_hash_policy'
	IPsec: do not ignore crypto err in ah4 input
	EDAC, amd64: Save and return err code from probe_one_instance()
	s390/topology: make "topology=off" parameter work
	Input: mpr121 - handle multiple bits change of status register
	Input: mpr121 - set missing event capability
	sched/cputime, powerpc32: Fix stale scaled stime on context switch
	IB/ipoib: Change list_del to list_del_init in the tx object
	ARM: dts: STiH410-family: fix wrong parent clock frequency
	s390/qeth: fix retrieval of vipa and proxy-arp addresses
	s390/qeth: issue STARTLAN as first IPA command
	wcn36xx: Don't use the destroyed hal_mutex
	IB/rxe: Fix reference leaks in memory key invalidation code
	clk: mvebu: adjust AP806 CPU clock frequencies to production chip
	net: dsa: select NET_SWITCHDEV
	platform/x86: hp-wmi: Fix detection for dock and tablet mode
	cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
	KEYS: trusted: sanitize all key material
	KEYS: trusted: fix writing past end of buffer in trusted_read()
	platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state
	platform/x86: hp-wmi: Do not shadow error values
	x86/uaccess, sched/preempt: Verify access_ok() context
	workqueue: Fix NULL pointer dereference
	crypto: ccm - preserve the IV buffer
	crypto: x86/sha1-mb - fix panic due to unaligned access
	crypto: x86/sha256-mb - fix panic due to unaligned access
	KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
	ARM: 8720/1: ensure dump_instr() checks addr_limit
	ALSA: seq: Fix OSS sysex delivery in OSS emulation
	ALSA: seq: Avoid invalid lockdep class warning
	drm/i915: Do not rely on wm preservation for ILK watermarks
	MIPS: microMIPS: Fix incorrect mask in insn_table_MM
	MIPS: Fix CM region target definitions
	MIPS: SMP: Use a completion event to signal CPU up
	MIPS: Fix race on setting and getting cpu_online_mask
	MIPS: SMP: Fix deadlock & online race
	selftests: firmware: send expected errors to /dev/null
	tools: firmware: check for distro fallback udev cancel rule
	ASoC: sun4i-spdif: remove legacy dapm components
	MIPS: BMIPS: Fix missing cbr address
	MIPS: AR7: Defer registration of GPIO
	MIPS: AR7: Ensure that serial ports are properly set up
	Input: elan_i2c - add ELAN060C to the ACPI table
	rbd: use GFP_NOIO for parent stat and data requests
	drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
	drm/bridge: adv7511: Rework adv7511_power_on/off() so they can be reused internally
	drm/bridge: adv7511: Reuse __adv7511_power_on/off() when probing EDID
	drm/bridge: adv7511: Re-write the i2c address before EDID probing
	can: sun4i: handle overrun in RX FIFO
	can: ifi: Fix transmitter delay calculation
	can: c_can: don't indicate triple sampling support for D_CAN
	x86/smpboot: Make optimization of delay calibration work correctly
	x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
	Linux 4.9.62

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-11-15 16:13:49 +01:00
Eric Biggers 419ec342d3 KEYS: trusted: fix writing past end of buffer in trusted_read()
commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.

When calling keyctl_read() on a key of type "trusted", if the
user-supplied buffer was too small, the kernel ignored the buffer length
and just wrote past the end of the buffer, potentially corrupting
userspace memory.  Fix it by instead returning the size required, as per
the documentation for keyctl_read().

We also don't even fill the buffer at all in this case, as this is
slightly easier to implement than doing a short read, and either
behavior appears to be permitted.  It also makes it match the behavior
of the "encrypted" key type.

Fixes: d00a1c72f7 ("keys: add new trusted key-type")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-15 15:53:17 +01:00
Eric Biggers 64a234537a KEYS: trusted: sanitize all key material
commit ee618b4619b72527aaed765f0f0b74072b281159 upstream.

As the previous patch did for encrypted-keys, zero sensitive any
potentially sensitive data related to the "trusted" key type before it
is freed.  Notably, we were not zeroing the tpm_buf structures in which
the actual key is stored for TPM seal and unseal, nor were we zeroing
the trusted_key_payload in certain error paths.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-15 15:53:17 +01:00
John Johansen ab71bee531 apparmor: fix undefined reference to `aa_g_hash_policy'
[ Upstream commit 3ccb76c5dfe0d25c1d0168d5b726d0b43d19a485 ]

The kernel build bot turned up a bad config combination when
CONFIG_SECURITY_APPARMOR is y and CONFIG_SECURITY_APPARMOR_HASH is n,
resulting in the build error
   security/built-in.o: In function `aa_unpack':
   (.text+0x841e2): undefined reference to `aa_g_hash_policy'

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-15 15:53:15 +01:00
Greg Kroah-Hartman c4789f87f6 Merge 4.9.61 into android-4.9
Changes in 4.9.61
	ALSA: timer: Add missing mutex lock for compat ioctls
	ALSA: seq: Fix nested rwsem annotation for lockdep splat
	cifs: check MaxPathNameComponentLength != 0 before using it
	KEYS: return full count in keyring_read() if buffer is too small
	KEYS: fix out-of-bounds read during ASN.1 parsing
	ASoC: adau17x1: Workaround for noise bug in ADC
	arm64: ensure __dump_instr() checks addr_limit
	arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort
	arm/arm64: kvm: Disable branch profiling in HYP code
	ARM: 8715/1: add a private asm/unaligned.h
	drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
	ocfs2: fstrim: Fix start offset of first cluster group during fstrim
	drm/i915/edp: read edp display control registers unconditionally
	drm/msm: Fix potential buffer overflow issue
	drm/msm: fix an integer overflow test
	tracing/samples: Fix creation and deletion of simple_thread_fn creation
	Fix tracing sample code warning.
	cpufreq: Do not clear real_cpus mask on policy init
	crypto: ccp - Set the AES size field for all modes
	staging: fsl-mc: Add missing header
	IB/mlx5: Assign DSCP for R-RoCE QPs Address Path
	PM / wakeirq: report a wakeup_event on dedicated wekup irq
	scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW syspdIO, change fp_possible to bool
	mmc: s3cmci: include linux/interrupt.h for tasklet_struct
	mfd: ab8500-sysctrl: Handle probe deferral
	mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped
	bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs
	staging: rtl8712u: Fix endian settings for structs describing network packets
	PCI/MSI: Return failure when msix_setup_entries() fails
	net: mvneta: fix build errors when linux/phy*.h is removed from net/dsa.h
	ext4: fix stripe-unaligned allocations
	ext4: do not use stripe_width if it is not set
	net/ena: change driver's default timeouts
	i2c: riic: correctly finish transfers
	drm/amdgpu: when dpm disabled, also need to stop/start vce.
	perf tools: Only increase index if perf_evsel__new_idx() succeeds
	iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station
	drm/fsl-dcu: check for clk_prepare_enable() error
	clocksource/drivers/arm_arch_timer: Add dt binding for hisilicon-161010101 erratum
	net: phy: dp83867: Recover from "port mirroring" N/A MODE4
	cx231xx: Fix I2C on Internal Master 3 Bus
	ath10k: fix reading sram contents for QCA4019
	clk: sunxi-ng: Check kzalloc() for errors and cleanup error path
	mtd: nand: sunxi: Fix the non-polling case in sunxi_nfc_wait_events()
	gpio: mcp23s08: Select REGMAP/REGMAP_I2C to fix build error
	xen/manage: correct return value check on xenbus_scanf()
	scsi: aacraid: Process Error for response I/O
	platform/x86: intel_mid_thermal: Fix module autoload
	staging: lustre: llite: don't invoke direct_IO for the EOF case
	staging: lustre: hsm: stack overrun in hai_dump_data_field
	staging: lustre: ptlrpc: skip lock if export failed
	staging: lustre: lmv: Error not handled for lmv_find_target
	brcmfmac: check brcmf_bus_get_memdump result for error
	vfs: open() with O_CREAT should not create inodes with unknown ids
	ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers
	exynos4-is: fimc-is: Unmap region obtained by of_iomap()
	mei: return error on notification request to a disconnected client
	s390/dasd: check for device error pointer within state change interrupts
	s390/prng: Adjust generation of entropy to produce real 256 bits.
	s390/crypto: Extend key length check for AES-XTS in fips mode.
	bt8xx: fix memory leak
	drm/exynos: g2d: prevent integer overflow in
	PCI: Avoid possible deadlock on pci_lock and p->pi_lock
	powerpc/64: Don't try to use radix MMU under a hypervisor
	xen: don't print error message in case of missing Xenstore entry
	staging: r8712u: Fix Sparse warning in rtl871x_xmit.c
	ARM: dts: mvebu: pl310-cache disable double-linefill
	Linux 4.9.61

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-11-08 10:44:28 +01:00
Eric Biggers 0be72aebbf KEYS: return full count in keyring_read() if buffer is too small
commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream.

Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
in keyring_read()") made keyring_read() stop corrupting userspace memory
when the user-supplied buffer is too small.  However it also made the
return value in that case be the short buffer size rather than the size
required, yet keyctl_read() is actually documented to return the size
required.  Therefore, switch it over to the documented behavior.

Note that for now we continue to have it fill the short buffer, since it
did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
relies on it.

Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-08 10:08:31 +01:00
Chenbo Feng 0521e0b3fc UPSTREAM: selinux: bpf: Add addtional check for bpf object file receive
Introduce a bpf object related check when sending and receiving files
through unix domain socket as well as binder. It checks if the receiving
process have privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bpf maps and programs are using a
anonymous inode as their shared inode so the normal way of checking the
files and sockets when passing between processes cannot work properly on
eBPF object. This check only works when the BPF_SYSCALL is configured.

Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry-pick from net-next: f66e448cfda021b0bcd884f26709796fe19c7cc1)
Bug: 30950746

Change-Id: I5b2cf4ccb4eab7eda91ddd7091d6aa3e7ed9f2cd
2017-11-07 12:59:54 -08:00
Chenbo Feng 9b62913289 UPSTREAM: selinux: bpf: Add selinux check for eBPF syscall operations
Implement the actual checks introduced to eBPF related syscalls. This
implementation use the security field inside bpf object to store a sid that
identify the bpf object. And when processes try to access the object,
selinux will check if processes have the right privileges. The creation
of eBPF object are also checked at the general bpf check hook and new
cmd introduced to eBPF domain can also be checked there.

Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry-pick from net-next: ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb)
Bug: 30950746
Change-Id: Ifb0cdd4b7d470223b143646b339ba511ac77c156
2017-11-07 12:59:36 -08:00
Chenbo Feng f3ad3766a9 BACKPORT: security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the
userspace to access to eBPF object such as eBPF programs and eBPF maps.
The security check is aimed to enforce a per object security protection
for eBPF object so only processes with the right priviliges can
read/write to a specific map or use a specific eBPF program. Besides
that, a general security hook is added before the multiplexer of bpf
syscall to check the cmd and the attribute used for the command. The
actual security module can decide which command need to be checked and
how the cmd should be checked.

Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Added the LIST_HEAD_INIT call for security hooks, it nolonger exist in
uptream code.
(cherry-pick from net-next: afdb09c720b62b8090584c11151d856df330e57d)
Bug: 30950746

Change-Id: Ieb3ac74392f531735fc7c949b83346a5f587a77b
2017-11-07 12:59:20 -08:00
Greg Kroah-Hartman 16cc920a0f Merge 4.9.59 into android-4.9
Changes in 4.9.59
	USB: devio: Revert "USB: devio: Don't corrupt user memory"
	USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
	USB: serial: metro-usb: add MS7820 device id
	usb: cdc_acm: Add quirk for Elatec TWN3
	usb: quirks: add quirk for WORLDE MINI MIDI keyboard
	usb: hub: Allow reset retry for USB2 devices on connect bounce
	ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
	can: gs_usb: fix busy loop if no more TX context is available
	parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
	iio: dummy: events: Add missing break
	usb: musb: sunxi: Explicitly release USB PHY on exit
	usb: musb: Check for host-mode using is_host_active() on reset interrupt
	xhci: Identify USB 3.1 capable hosts by their port protocol capability
	can: esd_usb2: Fix can_dlc value for received RTR, frames
	drm/nouveau/bsp/g92: disable by default
	drm/nouveau/mmu: flush tlbs before deleting page tables
	ALSA: seq: Enable 'use' locking in all configurations
	ALSA: hda: Remove superfluous '-' added by printk conversion
	ALSA: hda: Abort capability probe at invalid register read
	i2c: ismt: Separate I2C block read from SMBus block read
	i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
	brcmfmac: Add check for short event packets
	brcmsmac: make some local variables 'static const' to reduce stack size
	bus: mbus: fix window size calculation for 4GB windows
	clockevents/drivers/cs5535: Improve resilience to spurious interrupts
	rtlwifi: rtl8821ae: Fix connection lost problem
	x86/microcode/intel: Disable late loading on model 79
	KEYS: encrypted: fix dereference of NULL user_key_payload
	lib/digsig: fix dereference of NULL user_key_payload
	KEYS: don't let add_key() update an uninstantiated key
	pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
	vmbus: fix missing signaling in hv_signal_on_read()
	xfs: don't unconditionally clear the reflink flag on zero-block files
	xfs: evict CoW fork extents when performing finsert/fcollapse
	fs/xfs: Use %pS printk format for direct addresses
	xfs: report zeroed or not correctly in xfs_zero_range()
	xfs: update i_size after unwritten conversion in dio completion
	xfs: perag initialization should only touch m_ag_max_usable for AG 0
	xfs: Capture state of the right inode in xfs_iflush_done
	xfs: always swap the cow forks when swapping extents
	xfs: handle racy AIO in xfs_reflink_end_cow
	xfs: Don't log uninitialised fields in inode structures
	xfs: move more RT specific code under CONFIG_XFS_RT
	xfs: don't change inode mode if ACL update fails
	xfs: reinit btree pointer on attr tree inactivation walk
	xfs: handle error if xfs_btree_get_bufs fails
	xfs: cancel dirty pages on invalidation
	xfs: trim writepage mapping to within eof
	fscrypt: fix dereference of NULL user_key_payload
	KEYS: Fix race between updating and finding a negative key
	FS-Cache: fix dereference of NULL user_key_payload
	Linux 4.9.59

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-10-30 09:27:09 +01:00
David Howells 63c8e45255 KEYS: Fix race between updating and finding a negative key
commit 363b02dab09b3226f3bd1420dad9c72b79a42a76 upstream.

Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
error into one field such that:

 (1) The instantiation state can be modified/read atomically.

 (2) The error can be accessed atomically with the state.

 (3) The error isn't stored unioned with the payload pointers.

This deals with the problem that the state is spread over three different
objects (two bits and a separate variable) and reading or updating them
atomically isn't practical, given that not only can uninstantiated keys
change into instantiated or rejected keys, but rejected keys can also turn
into instantiated keys - and someone accessing the key might not be using
any locking.

The main side effect of this problem is that what was held in the payload
may change, depending on the state.  For instance, you might observe the
key to be in the rejected state.  You then read the cached error, but if
the key semaphore wasn't locked, the key might've become instantiated
between the two reads - and you might now have something in hand that isn't
actually an error code.

The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
code if the key is negatively instantiated.  The key_is_instantiated()
function is replaced with key_is_positive() to avoid confusion as negative
keys are also 'instantiated'.

Additionally, barriering is included:

 (1) Order payload-set before state-set during instantiation.

 (2) Order state-read before payload-read when using the key.

Further separate barriering is necessary if RCU is being used to access the
payload content after reading the payload pointers.

Fixes: 146aa8b145 ("KEYS: Merge the type-specific data with the payload data")
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-27 10:38:11 +02:00
David Howells da0c7503c0 KEYS: don't let add_key() update an uninstantiated key
commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.

Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists.  But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link().  Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.

It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key.  In
the case of the "user" and "logon" key types this causes a memory leak, at
best.  Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.

Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.

This patch only affects *uninstantiated* keys.  For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.

Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:

    #include <stdlib.h>
    #include <unistd.h>
    #include <keyutils.h>

    int main(void)
    {
        int ringid = keyctl_join_session_keyring(NULL);

        if (fork()) {
            for (;;) {
                const char payload[] = "update user:foo 32";

                usleep(rand() % 10000);
                add_key("encrypted", "desc", payload, sizeof(payload), ringid);
                keyctl_clear(ringid);
            }
        } else {
            for (;;)
                request_key("encrypted", "desc", "callout_info", ringid);
        }
    }

It causes:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    IP: encrypted_update+0xb0/0x170
    PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
    PREEMPT SMP
    CPU: 0 PID: 340 Comm: reproduce Tainted: G      D         4.14.0-rc1-00025-g428490e38b2e #796
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    task: ffff8a467a39a340 task.stack: ffffb15c40770000
    RIP: 0010:encrypted_update+0xb0/0x170
    RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
    RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
    RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
    R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
    FS:  00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
    Call Trace:
     key_create_or_update+0x2bc/0x460
     SyS_add_key+0x10c/0x1d0
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x7f5d7f211259
    RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
    RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
    RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
    R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
    R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
    Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
    RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
    CR2: 0000000000000018

Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-27 10:38:08 +02:00
Eric Biggers fec442e32b KEYS: encrypted: fix dereference of NULL user_key_payload
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.

A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload.  However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

This was an issue for master keys of type "user" only.  Master keys can
also be of type "trusted", but those cannot be revoked.

Fixes: 7e70cb4978 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-27 10:38:08 +02:00
Hyojun Kim 63da4200cb f2fs: catch up to v4.14-rc1
Cherry-picked from upstream-f2fs-stable-linux-4.9.y

Changes include:

commit 30da3a4de96733 ("f2fs: hurry up to issue discard after io interruption")
commit d1c363b48398d4 ("f2fs: fix to show correct discard_granularity in sysfs")
...

commit e6b120d4d01ab0 ("f2fs/fscrypt: catch up to v4.12")
commit 4d7931d72758db ("KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload()")

Signed-off-by: Hyojun Kim <hyojun@google.com>
2017-10-13 11:27:08 +00:00
Greg Kroah-Hartman cdbe07ad26 Merge 4.9.55 into android-4.9
Changes in 4.9.55
	USB: gadgetfs: Fix crash caused by inadequate synchronization
	USB: gadgetfs: fix copy_to_user while holding spinlock
	usb: gadget: udc: atmel: set vbus irqflags explicitly
	usb: gadget: udc: renesas_usb3: fix for no-data control transfer
	usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
	usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
	usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
	usb-storage: fix bogus hardware error messages for ATA pass-thru devices
	usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
	usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
	ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
	usb: pci-quirks.c: Corrected timeout values used in handshake
	USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
	USB: dummy-hcd: fix connection failures (wrong speed)
	USB: dummy-hcd: fix infinite-loop resubmission bug
	USB: dummy-hcd: Fix erroneous synchronization change
	USB: devio: Don't corrupt user memory
	usb: gadget: mass_storage: set msg_registered after msg registered
	USB: g_mass_storage: Fix deadlock when driver is unbound
	USB: uas: fix bug in handling of alternate settings
	USB: core: harden cdc_parse_cdc_header
	usb: Increase quirk delay for USB devices
	USB: fix out-of-bounds in usb_set_configuration
	xhci: fix finding correct bus_state structure for USB 3.1 hosts
	xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
	xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
	Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
	iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
	iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
	iio: ad_sigma_delta: Implement a dedicated reset function
	staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
	iio: core: Return error for failed read_reg
	IIO: BME280: Updates to Humidity readings need ctrl_reg write!
	iio: ad7793: Fix the serial interface reset
	iio: adc: mcp320x: Fix readout of negative voltages
	iio: adc: mcp320x: Fix oops on module unload
	uwb: properly check kthread_run return value
	uwb: ensure that endpoint is interrupt
	staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
	mm, oom_reaper: skip mm structs with mmu notifiers
	lib/ratelimit.c: use deferred printk() version
	lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
	ALSA: compress: Remove unused variable
	Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
	ALSA: usx2y: Suppress kernel warning at page allocation failures
	mlxsw: spectrum: Prevent mirred-related crash on removal
	net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
	sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
	tcp: update skb->skb_mstamp more carefully
	bpf/verifier: reject BPF_ALU64|BPF_END
	tcp: fix data delivery rate
	udpv6: Fix the checksum computation when HW checksum does not apply
	ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
	net: phy: Fix mask value write on gmii2rgmii converter speed register
	ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
	net/sched: cls_matchall: fix crash when used with classful qdisc
	tcp: fastopen: fix on syn-data transmit failure
	net: emac: Fix napi poll list corruption
	packet: hold bind lock when rebinding to fanout hook
	bpf: one perf event close won't free bpf program attached by another perf event
	isdn/i4l: fetch the ppp_write buffer in one shot
	net_sched: always reset qdisc backlog in qdisc_reset()
	net: qcom/emac: specify the correct size when mapping a DMA buffer
	vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
	l2tp: Avoid schedule while atomic in exit_net
	l2tp: fix race condition in l2tp_tunnel_delete
	tun: bail out from tun_get_user() if the skb is empty
	net: dsa: Fix network device registration order
	packet: in packet_do_bind, test fanout with bind_lock held
	packet: only test po->has_vnet_hdr once in packet_snd
	net: Set sk_prot_creator when cloning sockets to the right proto
	netlink: do not proceed if dump's start() errs
	ip6_gre: ip6gre_tap device should keep dst
	ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
	tipc: use only positive error codes in messages
	net: rtnetlink: fix info leak in RTM_GETSTATS call
	socket, bpf: fix possible use after free
	powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
	powerpc/tm: Fix illegal TM state in signal handler
	percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
	driver core: platform: Don't read past the end of "driver_override" buffer
	Drivers: hv: fcopy: restore correct transfer length
	stm class: Fix a use-after-free
	ftrace: Fix kmemleak in unregister_ftrace_graph
	HID: i2c-hid: allocate hid buffers for real worst case
	HID: wacom: leds: Don't try to control the EKR's read-only LEDs
	HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
	HID: wacom: bits shifted too much for 9th and 10th buttons
	rocker: fix rocker_tlv_put_* functions for KASAN
	netlink: fix nla_put_{u8,u16,u32} for KASAN
	iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
	iwlwifi: add workaround to disable wide channels in 5GHz
	scsi: sd: Do not override max_sectors_kb sysfs setting
	brcmfmac: add length check in brcmf_cfg80211_escan_handler()
	brcmfmac: setup passive scan if requested by user-space
	drm/i915/bios: ignore HDMI on port A
	nvme-pci: Use PCI bus address for data/queues in CMB
	mmc: core: add driver strength selection when selecting hs400es
	sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
	vfs: deny copy_file_range() for non regular files
	ext4: fix data corruption for mmap writes
	ext4: Don't clear SGID when inheriting ACLs
	ext4: don't allow encrypted operations without keys
	f2fs: don't allow encrypted operations without keys
	KVM: x86: fix singlestepping over syscall
	Linux 4.9.55

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-10-12 22:31:24 +02:00
Casey Schaufler 88c195d638 lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.

security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SElinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.

The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.

Note: this also fixes memory leaks for LSMs which implement
inode_getsecurity but not release_secctx, such as capabilities.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-12 11:51:19 +02:00
Greg Kroah-Hartman 379e3b2a6d Merge 4.9.53 into android-4.9
Changes in 4.9.53
	cifs: release cifs root_cred after exit_cifs
	cifs: release auth_key.response for reconnect.
	fs/proc: Report eip/esp in /prod/PID/stat for coredumping
	mac80211: fix VLAN handling with TXQs
	mac80211_hwsim: Use proper TX power
	mac80211: flush hw_roc_start work before cancelling the ROC
	genirq: Make sparse_irq_lock protect what it should protect
	KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
	KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list
	tracing: Fix trace_pipe behavior for instance traces
	tracing: Erase irqsoff trace with empty write
	md/raid5: fix a race condition in stripe batch
	md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
	scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
	drm/radeon: disable hard reset in hibernate for APUs
	crypto: drbg - fix freeing of resources
	crypto: talitos - Don't provide setkey for non hmac hashing algs.
	crypto: talitos - fix sha224
	crypto: talitos - fix hashing
	security/keys: properly zero out sensitive key material in big_key
	security/keys: rewrite all of big_key crypto
	KEYS: fix writing past end of user-supplied buffer in keyring_read()
	KEYS: prevent creating a different user's keyrings
	KEYS: prevent KEYCTL_READ on negative key
	powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
	powerpc/tm: Flush TM only if CPU has TM feature
	powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS
	s390/mm: fix write access check in gup_huge_pmd()
	PM: core: Fix device_pm_check_callbacks()
	Fix SMB3.1.1 guest authentication to Samba
	SMB3: Warn user if trying to sign connection that authenticated as guest
	SMB: Validate negotiate (to protect against downgrade) even if signing off
	SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
	vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
	nl80211: check for the required netlink attributes presence
	bsg-lib: don't free job in bsg_prepare_job
	iw_cxgb4: remove the stid on listen create failure
	iw_cxgb4: put ep reference in pass_accept_req()
	selftests/seccomp: Support glibc 2.26 siginfo_t.h
	seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
	arm64: Make sure SPsel is always set
	arm64: fault: Route pte translation faults via do_translation_fault
	KVM: VMX: extract __pi_post_block
	KVM: VMX: avoid double list add with VT-d posted interrupts
	KVM: VMX: simplify and fix vmx_vcpu_pi_load
	kvm/x86: Handle async PF in RCU read-side critical sections
	KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
	kvm: nVMX: Don't allow L2 to access the hardware CR8
	xfs: validate bdev support for DAX inode flag
	etnaviv: fix gem object list corruption
	PCI: Fix race condition with driver_override
	btrfs: fix NULL pointer dereference from free_reloc_roots()
	btrfs: propagate error to btrfs_cmp_data_prepare caller
	btrfs: prevent to set invalid default subvolid
	x86/mm: Fix fault error path using unsafe vma pointer
	x86/fpu: Don't let userspace set bogus xcomp_bv
	gfs2: Fix debugfs glocks dump
	timer/sysclt: Restrict timer migration sysctl values to 0 and 1
	KVM: VMX: do not change SN bit in vmx_update_pi_irte()
	KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
	cxl: Fix driver use count
	KVM: VMX: use cmpxchg64
	video: fbdev: aty: do not leak uninitialized padding in clk to userspace
	swiotlb-xen: implement xen_swiotlb_dma_mmap callback
	Linux 4.9.53

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-10-05 10:37:37 +02:00
Eric Biggers dda70d28c0 KEYS: prevent KEYCTL_READ on negative key
commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.

Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key.  If the key is
also possessed, we went ahead and called ->read() on the key.  But the
key payload will actually contain the ->reject_error rather than the
normal payload.  Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...

Reproducer:
    keyctl new_session
    keyctl request2 user desc '' @s
    keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:
     BUG: unable to handle kernel paging request at 00000000ffffff92
     IP: user_read+0x33/0xa0
     PGD 36a54067 P4D 36a54067 PUD 0
     Oops: 0000 [#1] SMP
     CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
     task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
     RIP: 0010:user_read+0x33/0xa0
     RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
     RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
     RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
     RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
     R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
     R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     FS:  00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
     Call Trace:
      keyctl_read_key+0xac/0xe0
      SyS_keyctl+0x99/0x120
      entry_SYSCALL_64_fastpath+0x1f/0xbe
     RIP: 0033:0x7f58ec787bb9
     RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
     RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
     RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
     RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
     R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
     R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
     Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
     RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
     CR2: 00000000ffffff92

Fixes: 61ea0c0ba9 ("KEYS: Skip key state checks when checking for possession")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:44:00 +02:00
Eric Biggers bfe9d7b8e0 KEYS: prevent creating a different user's keyrings
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.

It was possible for an unprivileged user to create the user and user
session keyrings for another user.  For example:

    sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
                           keyctl add keyring _uid_ses.4000 "" @u
                           sleep 15' &
    sleep 1
    sudo -u '#4000' keyctl describe @u
    sudo -u '#4000' keyctl describe @us

This is problematic because these "fake" keyrings won't have the right
permissions.  In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:

    -4: alswrv-----v------------  3000     0 keyring: _uid.4000
    -5: alswrv-----v------------  3000     0 keyring: _uid_ses.4000

Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING.  Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.

Fixes: 69664cf16a ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:44:00 +02:00
Eric Biggers 47e8bd1965 KEYS: fix writing past end of user-supplied buffer in keyring_read()
commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.

Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring.  But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer.  Fix it by
only filling the space that is available.

Fixes: b2a4df200d ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:44:00 +02:00
Jason A. Donenfeld 0c70fb88c7 security/keys: rewrite all of big_key crypto
commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.

This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, so that we wouldn't use bad randomness at boot
time. But, upon looking further, it appears that there were even deeper
underlying cryptographic problems, and that this seems to have been
committed with very little crypto review. So, I rewrote the whole thing,
trying to keep to the conventions introduced by the previous author, to
fix these cryptographic flaws.

It makes no sense to seed crypto/rng at boot time and then keep
using it like this, when in fact there's already get_random_bytes_wait,
which can ensure there's enough entropy and be a much more standard way
of generating keys. Since this sensitive material is being stored
untrusted, using ECB and no authentication is simply not okay at all. I
find it surprising and a bit horrifying that this code even made it past
basic crypto review, which perhaps points to some larger issues. This
patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
generated each time, we can set the nonce to zero. There was also a race
condition in which the same key would be reused at the same time in
different threads. A mutex fixes this issue now.

So, to summarize, this commit fixes the following vulnerabilities:

  * Low entropy key generation, allowing an attacker to potentially
    guess or predict keys.
  * Unauthenticated encryption, allowing an attacker to modify the
    cipher text in particular ways in order to manipulate the plaintext,
    which is is even more frightening considering the next point.
  * Use of ECB mode, allowing an attacker to trivially swap blocks or
    compare identical plaintext blocks.
  * Key re-use.
  * Faulty memory zeroing.

[Note that in backporting this commit to 4.9, get_random_bytes_wait was
replaced with get_random_bytes, since 4.9 does not have the former
function. This might result in slightly worse entropy in key generation,
but common use cases of big_keys makes that likely not a huge deal. And,
this is the best we can do with this old kernel. Alas.]

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:44:00 +02:00
Jason A. Donenfeld 2f9be92dff security/keys: properly zero out sensitive key material in big_key
commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream.

Error paths forgot to zero out sensitive material, so this patch changes
some kfrees into a kzfrees.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:44:00 +02:00
John Stultz 0268f76e4b ANDROID: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants
CAP_NET_ADMIN and CAP_NET_RAW are implicity granted to the "special"
Android groups net_admin and net_raw.

This is a byproduct of the init system not being able to specify
capabilities back in the day, but has now been resolved and .rc files
can explictly specify the capabilities to be granted to a service.

Thus, we should start to remove this implict capability grant, and the
first step is to warn when a process doesn't have explicit capablity
but is a member of the implicitly granted group, when that capability
is checked.

This will allow for the PARANOID_NETWORK checks in commoncap.c to
be totally removed in a future kernel.

Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4
Signed-off-by: John Stultz <john.stultz@linaro.org>
2017-09-12 17:59:15 +00:00
Greg Kroah-Hartman 598195a906 Merge 4.9.37 into android-4.9
Changes in 4.9.37
	fs: add a VALID_OPEN_FLAGS
	fs: completely ignore unknown open flags
	driver core: platform: fix race condition with driver_override
	ceph: choose readdir frag based on previous readdir reply
	tracing/kprobes: Allow to create probe with a module name starting with a digit
	media: entity: Fix stream count check
	drm/virtio: don't leak bo on drm_gem_object_init failure
	usb: dwc3: replace %p with %pK
	USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
	Add USB quirk for HVR-950q to avoid intermittent device resets
	usb: usbip: set buffer pointers to NULL after free
	usb: Fix typo in the definition of Endpoint[out]Request
	USB: core: fix device node leak
	mac80211_hwsim: Replace bogus hrtimer clockid
	sysctl: don't print negative flag for proc_douintvec
	sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
	pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
	pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again
	pinctrl: sh-pfc: r8a7794: Swap ATA signals
	pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
	pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
	pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
	pinctrl: meson: meson8b: fix the NAND DQS pins
	pinctrl: stm32: Fix bad function call
	pinctrl: sunxi: Fix SPDIF function name for A83T
	pinctrl: cherryview: Add terminate entry for dmi_system_id tables
	pinctrl: mxs: atomically switch mux and drive strength config
	pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
	pinctrl: sh-pfc: Update info pointer after SoC-specific init
	USB: serial: option: add two Longcheer device ids
	USB: serial: qcserial: new Sierra Wireless EM7305 device ID
	xhci: Limit USB2 port wake support for AMD Promontory hosts
	gfs2: Fix glock rhashtable rcu bug
	tpm: fix a kernel memory leak in tpm-sysfs.c
	x86/tools: Fix gcc-7 warning in relocs.c
	x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
	ath10k: override CE5 config for QCA9377
	KEYS: Fix an error code in request_master_key()
	crypto: drbg - Fixes panic in wait_for_completion call
	RDMA/uverbs: Check port number supplied by user verbs cmds
	rt286: add Thinkpad Helix 2 to force_combo_jack_table
	Linux 4.9.37

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-07-12 17:07:29 +02:00
Dan Carpenter 73a0a68779 KEYS: Fix an error code in request_master_key()
commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.

This function has two callers and neither are able to handle a NULL
return.  Really, -EINVAL is the correct thing return here anyway.  This
fixes some static checker warnings like:

	security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
	error: uninitialized symbol 'master_key'.

Fixes: 7e70cb4978 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-12 15:01:06 +02:00
Jeff Vander Stoep 8bdee6783c UPSTREAM: selinux: enable genfscon labeling for tracefs
In kernel version 4.1, tracefs was separated from debugfs into its
own filesystem. Prior to this split, files in
/sys/kernel/debug/tracing could be labeled during filesystem
creation using genfscon or later from userspace using setxattr. This
change re-enables support for genfscon labeling.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 6a3911837da0a90ed599fd0a9836472f5e7ddf1b)
Change-Id: I98ad8c829302346705c1abcdc8f019f479fdefb6
Bug: 62413700
2017-06-30 16:44:11 +00:00
Greg Kroah-Hartman da3493c028 Merge 4.9.32 into android-4.9
Changes in 4.9.32
	bnx2x: Fix Multi-Cos
	vxlan: eliminate cached dst leak
	ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
	cxgb4: avoid enabling napi twice to the same queue
	tcp: disallow cwnd undo when switching congestion control
	vxlan: fix use-after-free on deletion
	ipv6: Fix leak in ipv6_gso_segment().
	net: ping: do not abuse udp_poll()
	net/ipv6: Fix CALIPSO causing GPF with datagram support
	net: ethoc: enable NAPI before poll may be scheduled
	net: stmmac: fix completely hung TX when using TSO
	net: bridge: start hello timer only if device is up
	sparc64: Add __multi3 for gcc 7.x and later.
	sparc64: mm: fix copy_tsb to correctly copy huge page TSBs
	sparc: Machine description indices can vary
	sparc64: reset mm cpumask after wrap
	sparc64: combine activate_mm and switch_mm
	sparc64: redefine first version
	sparc64: add per-cpu mm of secondary contexts
	sparc64: new context wrap
	sparc64: delete old wrap code
	arch/sparc: support NR_CPUS = 4096
	serial: ifx6x60: fix use-after-free on module unload
	ptrace: Properly initialize ptracer_cred on fork
	crypto: asymmetric_keys - handle EBUSY due to backlog correctly
	KEYS: fix dereferencing NULL payload with nonzero length
	KEYS: fix freeing uninitialized memory in key_update()
	KEYS: encrypted: avoid encrypting/decrypting stack buffers
	crypto: drbg - wait for crypto op not signal safe
	crypto: gcm - wait for crypto op not signal safe
	drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
	nfsd4: fix null dereference on replay
	nfsd: Fix up the "supattr_exclcreat" attributes
	efi: Don't issue error message when booted under Xen
	kvm: async_pf: fix rcu_irq_enter() with irqs enabled
	KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
	arm64: KVM: Preserve RES1 bits in SCTLR_EL2
	arm64: KVM: Allow unaligned accesses at EL2
	arm: KVM: Allow unaligned accesses at HYP
	KVM: async_pf: avoid async pf injection when in guest mode
	KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt
	KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt
	dmaengine: usb-dmac: Fix DMAOR AE bit definition
	dmaengine: ep93xx: Always start from BASE0
	dmaengine: ep93xx: Don't drain the transfers in terminate_all()
	dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly
	dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors
	dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx
	dmaengine: mv_xor_v2: enable XOR engine after its configuration
	dmaengine: mv_xor_v2: fix tx_submit() implementation
	dmaengine: mv_xor_v2: remove interrupt coalescing
	dmaengine: mv_xor_v2: set DMA mask to 40 bits
	cfq-iosched: fix the delay of cfq_group's vdisktime under iops mode
	xen/privcmd: Support correctly 64KB page granularity when mapping memory
	ext4: fix SEEK_HOLE
	ext4: keep existing extra fields when inode expands
	ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO
	ext4: fix fdatasync(2) after extent manipulation operations
	drm: Fix oops + Xserver hang when unplugging USB drm devices
	usb: gadget: f_mass_storage: Serialize wake and sleep execution
	usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
	usb: chipidea: debug: check before accessing ci_role
	staging/lustre/lov: remove set_fs() call from lov_getstripe()
	iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's
	iio: light: ltr501 Fix interchanged als/ps register field
	iio: proximity: as3935: fix AS3935_INT mask
	iio: proximity: as3935: fix iio_trigger_poll issue
	mei: make sysfs modalias format similar as uevent modalias
	cpufreq: cpufreq_register_driver() should return -ENODEV if init fails
	target: Re-add check to reject control WRITEs with overflow data
	drm/msm: Expose our reservation object when exporting a dmabuf.
	ahci: Acer SA5-271 SSD Not Detected Fix
	cgroup: Prevent kill_css() from being called more than once
	Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled
	cpuset: consider dying css as offline
	fs: add i_blocksize()
	ufs: restore proper tail allocation
	fix ufs_isblockset()
	ufs: restore maintaining ->i_blocks
	ufs: set correct ->s_maxsize
	ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments()
	ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path
	cxl: Fix error path on bad ioctl
	cxl: Avoid double free_irq() for psl,slice interrupts
	btrfs: use correct types for page indices in btrfs_page_exists_in_range
	btrfs: fix memory leak in update_space_info failure path
	KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages
	scsi: qla2xxx: don't disable a not previously enabled PCI device
	scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues
	scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC
	scsi: qla2xxx: Fix mailbox pointer error in fwdump capture
	powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function
	powerpc/numa: Fix percpu allocations to be NUMA aware
	powerpc/hotplug-mem: Fix missing endian conversion of aa_index
	powerpc/kernel: Fix FP and vector register restoration
	powerpc/kernel: Initialize load_tm on task creation
	perf/core: Drop kernel samples even though :u is specified
	drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
	drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
	drm/vmwgfx: Make sure backup_handle is always valid
	drm/nouveau/tmr: fully separate alarm execution/pending lists
	ALSA: timer: Fix race between read and ioctl
	ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
	ASoC: Fix use-after-free at card unregistration
	cpu/hotplug: Drop the device lock on error
	drivers: char: mem: Fix wraparound check to allow mappings up to the end
	serial: sh-sci: Fix panic when serial console and DMA are enabled
	arm64: traps: fix userspace cache maintenance emulation on a tagged pointer
	arm64: hw_breakpoint: fix watchpoint matching for tagged pointers
	arm64: entry: improve data abort handling of tagged pointers
	ARM: 8636/1: Cleanup sanity_check_meminfo
	ARM: 8637/1: Adjust memory boundaries after reservations
	usercopy: Adjust tests to deal with SMAP/PAN
	drm/i915/vbt: don't propagate errors from intel_bios_init()
	drm/i915/vbt: split out defaults that are set when there is no VBT
	cpufreq: schedutil: move cached_raw_freq to struct sugov_policy
	cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start()
	netfilter: nft_set_rbtree: handle element re-addition after deletion
	Linux 4.9.32

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-06-14 16:42:56 +02:00
Eric Biggers d24c1c1977 KEYS: encrypted: avoid encrypting/decrypting stack buffers
commit e9ff56ac352446f55141aaef1553cee662b2e310 upstream.

Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
stack buffers because the stack may be virtually mapped.  Fix this for
the padding buffers in encrypted-keys by using ZERO_PAGE for the
encryption padding and by allocating a temporary heap buffer for the
decryption padding.

Tested with CONFIG_DEBUG_SG=y:
	keyctl new_session
	keyctl add user master "abcdefghijklmnop" @s
	keyid=$(keyctl add encrypted desc "new user:master 25" @s)
	datablob="$(keyctl pipe $keyid)"
	keyctl unlink $keyid
	keyid=$(keyctl add encrypted desc "load $datablob" @s)
	datablob2="$(keyctl pipe $keyid)"
	[ "$datablob" = "$datablob2" ] && echo "Success!"

Cc: Andy Lutomirski <luto@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-14 15:05:55 +02:00
Eric Biggers 2436976102 KEYS: fix freeing uninitialized memory in key_update()
commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2 upstream.

key_update() freed the key_preparsed_payload even if it was not
initialized first.  This would cause a crash if userspace called
keyctl_update() on a key with type like "asymmetric" that has a
->preparse() method but not an ->update() method.  Possibly it could
even be triggered for other key types by racing with keyctl_setperm() to
make the KEY_NEED_WRITE check fail (the permission was already checked,
so normally it wouldn't fail there).

Reproducer with key type "asymmetric", given a valid cert.der:

keyctl new_session
keyid=$(keyctl padd asymmetric desc @s < cert.der)
keyctl setperm $keyid 0x3f000000
keyctl update $keyid data

[  150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
[  150.687601] IP: asymmetric_key_free_kids+0x12/0x30
[  150.688139] PGD 38a3d067
[  150.688141] PUD 3b3de067
[  150.688447] PMD 0
[  150.688745]
[  150.689160] Oops: 0000 [#1] SMP
[  150.689455] Modules linked in:
[  150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742
[  150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
[  150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
[  150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
[  150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
[  150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
[  150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
[  150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
[  150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[  150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
[  150.709720] FS:  00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
[  150.711504] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
[  150.714487] Call Trace:
[  150.714975]  asymmetric_key_free_preparse+0x2f/0x40
[  150.715907]  key_update+0xf7/0x140
[  150.716560]  ? key_default_cmp+0x20/0x20
[  150.717319]  keyctl_update_key+0xb0/0xe0
[  150.718066]  SyS_keyctl+0x109/0x130
[  150.718663]  entry_SYSCALL_64_fastpath+0x1f/0xc2
[  150.719440] RIP: 0033:0x7fcbce75ff19
[  150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
[  150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
[  150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
[  150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
[  150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
[  150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
[  150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
[  150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
[  150.728117] CR2: 0000000000000001
[  150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---

Fixes: 4d8c0250b8 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-14 15:05:54 +02:00
Eric Biggers 1b253e023f KEYS: fix dereferencing NULL payload with nonzero length
commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods.  Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-14 15:05:54 +02:00
Greg Kroah-Hartman 951d823c04 Merge 4.9.30 into android-4.9
Changes in 4.9.30
	usb: misc: legousbtower: Fix buffers on stack
	usb: misc: legousbtower: Fix memory leak
	USB: ene_usb6250: fix DMA to the stack
	watchdog: pcwd_usb: fix NULL-deref at probe
	char: lp: fix possible integer overflow in lp_setup()
	USB: core: replace %p with %pK
	tpm_tis_core: Choose appropriate timeout for reading burstcount
	ALSA: hda: Fix cpu lockup when stopping the cmd dmas
	ARM: tegra: paz00: Mark panel regulator as enabled on boot
	fanotify: don't expose EOPENSTALE to userspace
	tpm_tis_spi: Use single function to transfer data
	tpm_tis_spi: Abort transfer when too many wait states are signaled
	tpm_tis_spi: Check correct byte for wait state indicator
	tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes
	tpm_tis_spi: Add small delay after last transfer
	tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
	tpm: add sleep only for retry in i2c_nuvoton_write_status()
	tpm_crb: check for bad response size
	ASoC: cs4271: configure reset GPIO as output
	mlx5: Fix mlx5_ib_map_mr_sg mr length
	infiniband: call ipv6 route lookup via the stub interface
	dm btree: fix for dm_btree_find_lowest_key()
	dm raid: select the Kconfig option CONFIG_MD_RAID0
	dm bufio: avoid a possible ABBA deadlock
	dm bufio: check new buffer allocation watermark every 30 seconds
	dm mpath: split and rename activate_path() to prepare for its expanded use
	dm cache metadata: fail operations if fail_io mode has been established
	dm bufio: make the parameter "retain_bytes" unsigned long
	dm thin metadata: call precommit before saving the roots
	dm space map disk: fix some book keeping in the disk space map
	md: update slab_cache before releasing new stripes when stripes resizing
	md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop
	rtlwifi: rtl8821ae: setup 8812ae RFE according to device type
	mwifiex: MAC randomization should not be persistent
	mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
	ima: accept previously set IMA_NEW_FILE
	KVM: x86: Fix load damaged SSEx MXCSR register
	KVM: x86: Fix potential preemption when get the current kvmclock timestamp
	KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
	x86: fix 32-bit case of __get_user_asm_u64()
	regulator: rk808: Fix RK818 LDO2
	regulator: tps65023: Fix inverted core enable logic.
	s390/kdump: Add final note
	s390/cputime: fix incorrect system time
	ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
	ath9k_htc: fix NULL-deref at probe
	drm/amdgpu: Make display watermark calculations more accurate
	drm/amdgpu: Avoid overflows/divide-by-zero in latency_watermark calculations.
	drm/amdgpu: Add missing lb_vblank_lead_lines setup to DCE-6 path.
	drm/nouveau/therm: remove ineffective workarounds for alarm bugs
	drm/nouveau/tmr: ack interrupt before processing alarms
	drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm
	drm/nouveau/tmr: avoid processing completed alarms when adding a new one
	drm/nouveau/tmr: handle races with hw when updating the next alarm time
	gpio: omap: return error if requested debounce time is not possible
	cdc-acm: fix possible invalid access when processing notification
	ohci-pci: add qemu quirk
	cxl: Force context lock during EEH flow
	cxl: Route eeh events to all drivers in cxl_pci_error_detected()
	proc: Fix unbalanced hard link numbers
	of: fix sparse warning in of_pci_range_parser_one
	of: fix "/cpus" reference leak in of_numa_parse_cpu_nodes()
	of: fdt: add missing allocation-failure check
	ibmvscsis: Do not send aborted task response
	iio: dac: ad7303: fix channel description
	IIO: bmp280-core.c: fix error in humidity calculation
	IB/hfi1: Return an error on memory allocation failure
	IB/hfi1: Fix a subcontext memory leak
	pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
	pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
	USB: serial: ftdi_sio: fix setting latency for unprivileged users
	USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs
	USB: chaoskey: fix Alea quirk on big-endian hosts
	f2fs: check entire encrypted bigname when finding a dentry
	fscrypt: avoid collisions when presenting long encrypted filenames
	libnvdimm: fix clear length of nvdimm_forget_poison()
	xhci: remove GFP_DMA flag from allocation
	usb: host: xhci-plat: propagate return value of platform_get_irq()
	xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
	usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
	net: irda: irda-usb: fix firmware name on big-endian hosts
	usbvision: fix NULL-deref at probe
	mceusb: fix NULL-deref at probe
	ttusb2: limit messages to buffer size
	dvb-usb-dibusb-mc-common: Add MODULE_LICENSE
	usb: dwc3: gadget: Prevent losing events in event cache
	usb: musb: tusb6010_omap: Do not reset the other direction's packet size
	usb: musb: Fix trying to suspend while active for OTG configurations
	USB: iowarrior: fix info ioctl on big-endian hosts
	usb: serial: option: add Telit ME910 support
	USB: serial: qcserial: add more Lenovo EM74xx device IDs
	USB: serial: mct_u232: fix big-endian baud-rate handling
	USB: serial: io_ti: fix div-by-zero in set_termios
	USB: hub: fix SS hub-descriptor handling
	USB: hub: fix non-SS hub-descriptor handling
	ipx: call ipxitf_put() in ioctl error path
	iio: proximity: as3935: fix as3935_write
	iio: hid-sensor: Store restore poll and hysteresis on S3
	s5p-mfc: Fix race between interrupt routine and device functions
	gspca: konica: add missing endpoint sanity check
	s5p-mfc: Fix unbalanced call to clock management
	dib0700: fix NULL-deref at probe
	zr364xx: enforce minimum size when reading header
	dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops
	digitv: limit messages to buffer size
	dw2102: limit messages to buffer size
	cx231xx-audio: fix init error path
	cx231xx-audio: fix NULL-deref at probe
	cx231xx-cards: fix NULL-deref at probe
	powerpc/mm: Ensure IRQs are off in switch_mm()
	powerpc/eeh: Avoid use after free in eeh_handle_special_event()
	powerpc/book3s/mce: Move add_taint() later in virtual mode
	powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
	powerpc/iommu: Do not call PageTransHuge() on tail pages
	powerpc/64e: Fix hang when debugging programs with relocated kernel
	powerpc/tm: Fix FP and VMX register corruption
	arm64: KVM: Do not use stack-protector to compile EL2 code
	arm: KVM: Do not use stack-protector to compile HYP code
	KVM: arm: plug potential guest hardware debug leakage
	ARM: 8662/1: module: split core and init PLT sections
	ARM: 8670/1: V7M: Do not corrupt vector table around v7m_invalidate_l1 call
	ARM: dts: at91: sama5d3_xplained: fix ADC vref
	ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
	ARM: dts: imx6sx-sdb: Remove OPP override
	arm64: dts: hi6220: Reset the mmc hosts
	arm64: xchg: hazard against entire exchange variable
	arm64: ensure extension of smp_store_release value
	arm64: armv8_deprecated: ensure extension of addr
	arm64: uaccess: ensure extension of access_ok() addr
	arm64: documentation: document tagged pointer stack constraints
	staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
	staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
	staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
	staging: rtl8192e: GetTs Fix invalid TID 7 warning.
	iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings
	metag/uaccess: Fix access_ok()
	metag/uaccess: Check access_ok in strncpy_from_user
	stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
	uwb: fix device quirk on big-endian hosts
	genirq: Fix chained interrupt data ordering
	nvme: unmap CMB and remove sysfs file in reset path
	MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6
	osf_wait4(): fix infoleak
	um: Fix to call read_initrd after init_bootmem
	tracing/kprobes: Enforce kprobes teardown after testing
	PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC
	PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs
	PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
	PCI: Fix another sanity check bug in /proc/pci mmap
	PCI: Only allow WC mmap on prefetchable resources
	PCI: Freeze PME scan before suspending devices
	mtd: nand: orion: fix clk handling
	mtd: nand: omap2: Fix partition creation via cmdline mtdparts
	mtd: nand: add ooblayout for old hamming layout
	drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
	NFSv4: Fix a hang in OPEN related to server reboot
	NFS: Fix use after free in write error path
	NFS: Use GFP_NOIO for two allocations in writeback
	nfsd: fix undefined behavior in nfsd4_layout_verify
	nfsd: encoders mustn't use unitialized values in error cases
	drivers: char: mem: Check for address space wraparound with mmap()
	drm/i915/gvt: Disable access to stolen memory as a guest
	Linux 4.9.30

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-05-25 17:32:43 +02:00
Daniel Glöckner 91034255e4 ima: accept previously set IMA_NEW_FILE
commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner <dg@emlix.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-25 15:44:34 +02:00
Greg Kroah-Hartman bae751b9ab Merge 4.9.25 into android-4.9
Changes in 4.9.25:
	KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
	KEYS: Change the name of the dead type to ".dead" to prevent user access
	KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
	tracing: Allocate the snapshot buffer before enabling probe
	ring-buffer: Have ring_buffer_iter_empty() return true when empty
	mm: prevent NR_ISOLATE_* stats from going negative
	cifs: Do not send echoes before Negotiate is complete
	CIFS: remove bad_network_name flag
	s390/mm: fix CMMA vs KSM vs others
	Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
	ACPI / power: Avoid maybe-uninitialized warning
	mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card
	ubifs: Fix RENAME_WHITEOUT support
	ubifs: Fix O_TMPFILE corner case in ubifs_link()
	mac80211: reject ToDS broadcast data frames
	mac80211: fix MU-MIMO follow-MAC mode
	ubi/upd: Always flush after prepared for an update
	powerpc/kprobe: Fix oops when kprobed on 'stdu' instruction
	x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
	x86/mce: Make the MCE notifier a blocking one
	device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation
	Linux 4.9.25

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-04-27 10:09:21 +02:00
Eric Biggers 174a74dbca KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.

This fixes CVE-2017-7472.

Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:

	#include <keyutils.h>

	int main()
	{
		for (;;)
			keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
	}

Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.

Fixes: d84f4f992c ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-27 09:10:37 +02:00
David Howells b2dd90e812 KEYS: Change the name of the dead type to ".dead" to prevent user access
commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream.

This fixes CVE-2017-6951.

Userspace should not be able to do things with the "dead" key type as it
doesn't have some of the helper functions set upon it that the kernel
needs.  Attempting to use it may cause the kernel to crash.

Fix this by changing the name of the type to ".dead" so that it's rejected
up front on userspace syscalls by key_get_type_from_user().

Though this doesn't seem to affect recent kernels, it does affect older
ones, certainly those prior to:

	commit c06cfb08b8
	Author: David Howells <dhowells@redhat.com>
	Date:   Tue Sep 16 17:36:06 2014 +0100
	KEYS: Remove key_type::match in favour of overriding default by match_preparse

which went in before 3.18-rc1.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-27 09:10:37 +02:00