[GIT PULL] Security subsystem fixes for 3.19

From: James Morris
Date: Tue Dec 16 2014 - 01:54:55 EST

Next message: Guenter Roeck: "Re: linux-next: Tree for Dec 16"
Previous message: Jongman Heo: "Re: Re: [3.18+] Can't boot with commit bd809af1 ("x86: Enable PAT to use cache mode translation tables")"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Please pull these fixes for the security subsystem.

The following changes since commit 988adfdffdd43cfd841df734664727993076d7cb:

Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux (2014-12-15 15:52:01 -0800)

are available in the git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus

Dan Carpenter (1):
KEYS: remove a bogus NULL check

James Morris (1):
Merge branch 'next' of git://git.kernel.org/.../zohar/linux-integrity into for-linus

Michael Ellerman (1):
ima: Fix build failure on powerpc when TCG_IBMVTPM dependencies are not met

Takashi Iwai (1):
KEYS: Fix stale key registration at error path

security/integrity/ima/Kconfig | 2 +-
security/keys/encrypted-keys/encrypted.c | 5 ++++-
security/keys/key.c | 10 ++++------
3 files changed, 9 insertions(+), 8 deletions(-)

---

commit 5057975ae38452679b964f1382c5efcb9faee74e
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Thu Dec 11 19:59:38 2014 +0000

KEYS: remove a bogus NULL check

We already checked if "desc" was NULL at the beginning of the function
and we've dereferenced it so this causes a static checker warning.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: James Morris <james.l.morris@xxxxxxxxxx>

diff --git a/security/keys/key.c b/security/keys/key.c
index e17ba6a..aee2ec5 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -276,12 +276,10 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!key)
goto no_memory_2;

- if (desc) {
- key->index_key.desc_len = desclen;
- key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
- if (!key->description)
- goto no_memory_3;
- }
+ key->index_key.desc_len = desclen;
+ key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
+ if (!key->description)
+ goto no_memory_3;

atomic_set(&key->usage, 1);
init_rwsem(&key->sem);

commit d0bffab0439fb7edaee09677b636eef5991e8b80
Merge: 988adfd 63a0eb7
Author: James Morris <james.l.morris@xxxxxxxxxx>
Date: Tue Dec 16 12:49:10 2014 +1100

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into for-linus

commit 63a0eb7891bdf3ef32ecb6b01eb09106df646c10
Author: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Date: Wed Dec 3 17:04:50 2014 +1100

ima: Fix build failure on powerpc when TCG_IBMVTPM dependencies are not met

On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to:

warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies (TCG_TPM && PPC_PSERIES)
tpm_ibmvtpm.c:(.text+0x14f3e8): undefined reference to `.plpar_hcall_norets'

I'm not sure why IMA needs to select those user-visible symbols, but if
it must then the simplest fix is to just express the proper dependencies
on the select.

Tested-by: Hon Ching (Vicky) Lo <lo1@xxxxxxxxxx>
Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index b80a93e..57515bc 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -10,7 +10,7 @@ config IMA
select CRYPTO_HASH_INFO
select TCG_TPM if HAS_IOMEM && !UML
select TCG_TIS if TCG_TPM && X86
- select TCG_IBMVTPM if TCG_TPM && PPC64
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
help
The Trusted Computing Group(TCG) runtime Integrity
Measurement Architecture(IMA) maintains a list of hash

commit b26bdde5bb27f3f900e25a95e33a0c476c8c2c48
Author: Takashi Iwai <tiwai@xxxxxxx>
Date: Thu Dec 4 18:25:19 2014 +0100

KEYS: Fix stale key registration at error path

When loading encrypted-keys module, if the last check of
aes_get_sizes() in init_encrypted() fails, the driver just returns an
error without unregistering its key type. This results in the stale
entry in the list. In addition to memory leaks, this leads to a kernel
crash when registering a new key type later.

This patch fixes the problem by swapping the calls of aes_get_sizes()
and register_key_type(), and releasing resources properly at the error
paths.

Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=908163
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>

diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index db9675d..7bed4ad 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -1017,10 +1017,13 @@ static int __init init_encrypted(void)
ret = encrypted_shash_alloc();
if (ret < 0)
return ret;
+ ret = aes_get_sizes();
+ if (ret < 0)
+ goto out;
ret = register_key_type(&key_type_encrypted);
if (ret < 0)
goto out;
- return aes_get_sizes();
+ return 0;
out:
encrypted_shash_release();
return ret;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Guenter Roeck: "Re: linux-next: Tree for Dec 16"
Previous message: Jongman Heo: "Re: Re: [3.18+] Can't boot with commit bd809af1 ("x86: Enable PAT to use cache mode translation tables")"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]