Linux v4.18.11
This commit is contained in:
parent
66a1b58665
commit
3779aa986b
|
@ -1,242 +0,0 @@
|
|||
From 1816494330a83f2a064499d8ed2797045641f92c Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Pelletier <plr.vincent@gmail.com>
|
||||
Date: Sun, 9 Sep 2018 04:09:26 +0000
|
||||
Subject: scsi: target: iscsi: Use hex2bin instead of a re-implementation
|
||||
|
||||
This change has the following effects, in order of descreasing importance:
|
||||
|
||||
1) Prevent a stack buffer overflow
|
||||
|
||||
2) Do not append an unnecessary NULL to an anyway binary buffer, which
|
||||
is writing one byte past client_digest when caller is:
|
||||
chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
|
||||
|
||||
The latter was found by KASAN (see below) when input value hes expected size
|
||||
(32 hex chars), and further analysis revealed a stack buffer overflow can
|
||||
happen when network-received value is longer, allowing an unauthenticated
|
||||
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
|
||||
attacker-controlled and one null). As switching to hex2bin requires
|
||||
specifying destination buffer length, and does not internally append any null,
|
||||
it solves both issues.
|
||||
|
||||
This addresses CVE-2018-14633.
|
||||
|
||||
Beyond this:
|
||||
|
||||
- Validate received value length and check hex2bin accepted the input, to log
|
||||
this rejection reason instead of just failing authentication.
|
||||
|
||||
- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
|
||||
|
||||
==================================================================
|
||||
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
|
||||
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
|
||||
|
||||
CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
|
||||
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
|
||||
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
|
||||
Call Trace:
|
||||
dump_stack+0x71/0xac
|
||||
print_address_description+0x65/0x22e
|
||||
? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
|
||||
kasan_report.cold.6+0x241/0x2fd
|
||||
chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
|
||||
chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
|
||||
? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
|
||||
? ftrace_caller_op_ptr+0xe/0xe
|
||||
? __orc_find+0x6f/0xc0
|
||||
? unwind_next_frame+0x231/0x850
|
||||
? kthread+0x1a0/0x1c0
|
||||
? ret_from_fork+0x35/0x40
|
||||
? ret_from_fork+0x35/0x40
|
||||
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
|
||||
? deref_stack_reg+0xd0/0xd0
|
||||
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
|
||||
? is_module_text_address+0xa/0x11
|
||||
? kernel_text_address+0x4c/0x110
|
||||
? __save_stack_trace+0x82/0x100
|
||||
? ret_from_fork+0x35/0x40
|
||||
? save_stack+0x8c/0xb0
|
||||
? 0xffffffffc1660000
|
||||
? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
|
||||
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
|
||||
? process_one_work+0x35c/0x640
|
||||
? worker_thread+0x66/0x5d0
|
||||
? kthread+0x1a0/0x1c0
|
||||
? ret_from_fork+0x35/0x40
|
||||
? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
|
||||
? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
|
||||
chap_main_loop+0x172/0x570 [iscsi_target_mod]
|
||||
? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
|
||||
? rx_data+0xd6/0x120 [iscsi_target_mod]
|
||||
? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
|
||||
? cyc2ns_read_begin.part.2+0x90/0x90
|
||||
? _raw_spin_lock_irqsave+0x25/0x50
|
||||
? memcmp+0x45/0x70
|
||||
iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
|
||||
? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
|
||||
? del_timer+0xe0/0xe0
|
||||
? memset+0x1f/0x40
|
||||
? flush_sigqueue+0x29/0xd0
|
||||
iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
|
||||
? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
|
||||
? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
|
||||
process_one_work+0x35c/0x640
|
||||
worker_thread+0x66/0x5d0
|
||||
? flush_rcu_work+0x40/0x40
|
||||
kthread+0x1a0/0x1c0
|
||||
? kthread_bind+0x30/0x30
|
||||
ret_from_fork+0x35/0x40
|
||||
|
||||
The buggy address belongs to the page:
|
||||
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
|
||||
flags: 0x17fffc000000000()
|
||||
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
|
||||
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
|
||||
page dumped because: kasan: bad access detected
|
||||
|
||||
Memory state around the buggy address:
|
||||
ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
|
||||
ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
|
||||
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
|
||||
^
|
||||
ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
|
||||
ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
|
||||
==================================================================
|
||||
|
||||
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
|
||||
Reviewed-by: Mike Christie <mchristi@redhat.com>
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
---
|
||||
drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
|
||||
1 file changed, 14 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
|
||||
index 9518ffd8b8ba..6c3b4c022894 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_auth.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_auth.c
|
||||
@@ -26,18 +26,6 @@
|
||||
#include "iscsi_target_nego.h"
|
||||
#include "iscsi_target_auth.h"
|
||||
|
||||
-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
|
||||
-{
|
||||
- int j = DIV_ROUND_UP(len, 2), rc;
|
||||
-
|
||||
- rc = hex2bin(dst, src, j);
|
||||
- if (rc < 0)
|
||||
- pr_debug("CHAP string contains non hex digit symbols\n");
|
||||
-
|
||||
- dst[j] = '\0';
|
||||
- return j;
|
||||
-}
|
||||
-
|
||||
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
|
||||
{
|
||||
int i;
|
||||
@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
|
||||
pr_err("Could not find CHAP_R.\n");
|
||||
goto out;
|
||||
}
|
||||
+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
|
||||
+ pr_err("Malformed CHAP_R\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
|
||||
+ pr_err("Malformed CHAP_R\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
pr_debug("[server] Got CHAP_R=%s\n", chap_r);
|
||||
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
|
||||
|
||||
tfm = crypto_alloc_shash("md5", 0, 0);
|
||||
if (IS_ERR(tfm)) {
|
||||
@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
|
||||
pr_err("Could not find CHAP_C.\n");
|
||||
goto out;
|
||||
}
|
||||
- pr_debug("[server] Got CHAP_C=%s\n", challenge);
|
||||
- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
|
||||
- strlen(challenge));
|
||||
+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
|
||||
if (!challenge_len) {
|
||||
pr_err("Unable to convert incoming challenge\n");
|
||||
goto out;
|
||||
@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
|
||||
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
|
||||
goto out;
|
||||
}
|
||||
+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
|
||||
+ pr_err("Malformed CHAP_C\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
|
||||
/*
|
||||
* During mutual authentication, the CHAP_C generated by the
|
||||
* initiator must not match the original CHAP_C generated by
|
||||
--
|
||||
cgit 1.2-0.3.lf.el7
|
||||
|
||||
From 8c39e2699f8acb2e29782a834e56306da24937fe Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Pelletier <plr.vincent@gmail.com>
|
||||
Date: Sun, 9 Sep 2018 04:09:27 +0000
|
||||
Subject: scsi: target: iscsi: Use bin2hex instead of a re-implementation
|
||||
|
||||
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
|
||||
Reviewed-by: Mike Christie <mchristi@redhat.com>
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
---
|
||||
drivers/target/iscsi/iscsi_target_auth.c | 15 +++------------
|
||||
1 file changed, 3 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
|
||||
index 6c3b4c022894..4e680d753941 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_auth.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_auth.c
|
||||
@@ -26,15 +26,6 @@
|
||||
#include "iscsi_target_nego.h"
|
||||
#include "iscsi_target_auth.h"
|
||||
|
||||
-static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
|
||||
-{
|
||||
- int i;
|
||||
-
|
||||
- for (i = 0; i < src_len; i++) {
|
||||
- sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff);
|
||||
- }
|
||||
-}
|
||||
-
|
||||
static int chap_gen_challenge(
|
||||
struct iscsi_conn *conn,
|
||||
int caller,
|
||||
@@ -50,7 +41,7 @@ static int chap_gen_challenge(
|
||||
ret = get_random_bytes_wait(chap->challenge, CHAP_CHALLENGE_LENGTH);
|
||||
if (unlikely(ret))
|
||||
return ret;
|
||||
- chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge,
|
||||
+ bin2hex(challenge_asciihex, chap->challenge,
|
||||
CHAP_CHALLENGE_LENGTH);
|
||||
/*
|
||||
* Set CHAP_C, and copy the generated challenge into c_str.
|
||||
@@ -289,7 +280,7 @@ static int chap_server_compute_md5(
|
||||
goto out;
|
||||
}
|
||||
|
||||
- chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE);
|
||||
+ bin2hex(response, server_digest, MD5_SIGNATURE_SIZE);
|
||||
pr_debug("[server] MD5 Server Digest: %s\n", response);
|
||||
|
||||
if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) {
|
||||
@@ -411,7 +402,7 @@ static int chap_server_compute_md5(
|
||||
/*
|
||||
* Convert response from binary hex to ascii hext.
|
||||
*/
|
||||
- chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE);
|
||||
+ bin2hex(response, digest, MD5_SIGNATURE_SIZE);
|
||||
*nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s",
|
||||
response);
|
||||
*nr_out_len += 1;
|
||||
--
|
||||
cgit 1.2-0.3.lf.el7
|
||||
|
|
@ -1,88 +0,0 @@
|
|||
From patchwork Wed Jul 25 12:29:07 2018
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: drm/vc4: Fix the "no scaling" case on multi-planar YUV formats
|
||||
From: Boris Brezillon <boris.brezillon@bootlin.com>
|
||||
X-Patchwork-Id: 240917
|
||||
Message-Id: <20180725122907.13702-1-boris.brezillon@bootlin.com>
|
||||
To: Eric Anholt <eric@anholt.net>
|
||||
Cc: David Airlie <airlied@linux.ie>,
|
||||
Boris Brezillon <boris.brezillon@bootlin.com>, stable@vger.kernel.org,
|
||||
dri-devel@lists.freedesktop.org
|
||||
Date: Wed, 25 Jul 2018 14:29:07 +0200
|
||||
|
||||
When there's no scaling requested ->is_unity should be true no matter
|
||||
the format.
|
||||
|
||||
Also, when no scaling is requested and we have a multi-planar YUV
|
||||
format, we should leave ->y_scaling[0] to VC4_SCALING_NONE and only
|
||||
set ->x_scaling[0] to VC4_SCALING_PPF.
|
||||
|
||||
Doing this fixes an hardly visible artifact (seen when using modetest
|
||||
and a rather big overlay plane in YUV420).
|
||||
|
||||
Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
|
||||
Reviewed-by: Eric Anholt <eric@anholt.net>
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_plane.c | 25 ++++++++++++-------------
|
||||
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
|
||||
index cfb50fedfa2b..a3275fa66b7b 100644
|
||||
--- a/drivers/gpu/drm/vc4/vc4_plane.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
|
||||
@@ -297,6 +297,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
|
||||
vc4_state->y_scaling[0] = vc4_get_scaling_mode(vc4_state->src_h[0],
|
||||
vc4_state->crtc_h);
|
||||
|
||||
+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
|
||||
+ vc4_state->y_scaling[0] == VC4_SCALING_NONE);
|
||||
+
|
||||
if (num_planes > 1) {
|
||||
vc4_state->is_yuv = true;
|
||||
|
||||
@@ -312,24 +315,17 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
|
||||
vc4_get_scaling_mode(vc4_state->src_h[1],
|
||||
vc4_state->crtc_h);
|
||||
|
||||
- /* YUV conversion requires that scaling be enabled,
|
||||
- * even on a plane that's otherwise 1:1. Choose TPZ
|
||||
- * for simplicity.
|
||||
+ /* YUV conversion requires that horizontal scaling be enabled,
|
||||
+ * even on a plane that's otherwise 1:1. Looks like only PPF
|
||||
+ * works in that case, so let's pick that one.
|
||||
*/
|
||||
- if (vc4_state->x_scaling[0] == VC4_SCALING_NONE)
|
||||
- vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
|
||||
- if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
|
||||
- vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
|
||||
+ if (vc4_state->is_unity)
|
||||
+ vc4_state->x_scaling[0] = VC4_SCALING_PPF;
|
||||
} else {
|
||||
vc4_state->x_scaling[1] = VC4_SCALING_NONE;
|
||||
vc4_state->y_scaling[1] = VC4_SCALING_NONE;
|
||||
}
|
||||
|
||||
- vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
|
||||
- vc4_state->y_scaling[0] == VC4_SCALING_NONE &&
|
||||
- vc4_state->x_scaling[1] == VC4_SCALING_NONE &&
|
||||
- vc4_state->y_scaling[1] == VC4_SCALING_NONE);
|
||||
-
|
||||
/* No configuring scaling on the cursor plane, since it gets
|
||||
non-vblank-synced updates, and scaling requires requires
|
||||
LBM changes which have to be vblank-synced.
|
||||
@@ -672,7 +668,10 @@ static int vc4_plane_mode_set(struct drm_plane *plane,
|
||||
vc4_dlist_write(vc4_state, SCALER_CSC2_ITR_R_601_5);
|
||||
}
|
||||
|
||||
- if (!vc4_state->is_unity) {
|
||||
+ if (vc4_state->x_scaling[0] != VC4_SCALING_NONE ||
|
||||
+ vc4_state->x_scaling[1] != VC4_SCALING_NONE ||
|
||||
+ vc4_state->y_scaling[0] != VC4_SCALING_NONE ||
|
||||
+ vc4_state->y_scaling[1] != VC4_SCALING_NONE) {
|
||||
/* LBM Base Address. */
|
||||
if (vc4_state->y_scaling[0] != VC4_SCALING_NONE ||
|
||||
vc4_state->y_scaling[1] != VC4_SCALING_NONE) {
|
11
kernel.spec
11
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -614,9 +614,6 @@ Patch331: bcm2835-cpufreq-add-CPU-frequency-control-driver.patch
|
|||
|
||||
Patch332: bcm2835-hwmon-Add-support-for-RPi-voltage-sensor.patch
|
||||
|
||||
# https://patchwork.freedesktop.org/patch/240917/
|
||||
Patch334: drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
|
||||
|
||||
# Fix for AllWinner A64 Timer Errata, still not final
|
||||
# https://patchwork.kernel.org/patch/10392891/
|
||||
Patch350: arm64-arch_timer-Workaround-for-Allwinner-A64-timer-instability.patch
|
||||
|
@ -665,9 +662,6 @@ Patch531: xsa270.patch
|
|||
Patch533: 0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch
|
||||
Patch534: 0001-random-make-CPU-trust-a-boot-parameter.patch
|
||||
|
||||
# CVE-2018-14633 rhbz 1626035 1632185
|
||||
Patch535: CVE-2018-14633.patch
|
||||
|
||||
# rhbz 1628394
|
||||
Patch536: powerpc-ipv6.patch
|
||||
|
||||
|
@ -1930,6 +1924,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Sun Sep 30 2018 Laura Abbott <labbott@redhat.com> - 4.18.11-300
|
||||
- Linux v4.18.11
|
||||
|
||||
* Wed Sep 26 2018 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Add thermal trip to bcm283x (Raspberry Pi) cpufreq
|
||||
- Add initial RockPro64 DT support
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.18.tar.xz) = 950eb85ac743b291afe9f21cd174d823e25f11883ee62cecfbfff8fe8c5672aae707654b1b8f29a133b1f2e3529e63b9f7fba4c45d6dacccc8000b3a9a9ae038
|
||||
SHA512 (patch-4.18.10.xz) = ff00f5b50921654494bf0cc290a82871bf3f053dc170abbde906499e3bffe1f368a94a6c09196ded618ae46fe2fa74e05b4e594f31ccc08a7071efa1e9ec4a68
|
||||
SHA512 (patch-4.18.11.xz) = a1cfab9c4fb7bec8da33fa95da0986ed7605ff9953fd425f5122978c462a6024886955827ce52a87f93312d5e17a4533606bbabf3e6ad6a5dd353d430db92e7e
|
||||
|
|
Loading…
Reference in New Issue