Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem fixes from James Morris:
 "This includes several fixes for TPM, as well as a fix for the x.509
  certificate parser to address CVE-2015-5327"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  X.509: Fix the time validation [ver #2]
  tpm: fix compat 'ppi' link handling in tpm_chip_register()
  tpm: fix missing migratable flag in sealing functionality for TPM2
  TPM: revert the list handling logic fixed in 398a1e7
  TPM: Avoid reference to potentially freed memory
  tpm_tis: restore IRQ vector in IO memory after failed probing
  tpm_tis: free irq after probing

1 files changed, 7 insertions, 5 deletions

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 3000ea3..021d39c 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
 	if (*p != 'Z')
 		goto unsupported_time;
 
-	mon_len = month_lengths[mon];
+	if (year < 1970 ||
+	    mon < 1 || mon > 12)
+		goto invalid_time;
+
+	mon_len = month_lengths[mon - 1];
 	if (mon == 2) {
 		if (year % 4 == 0) {
 			mon_len = 29;
@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
 		}
 	}
 
-	if (year < 1970 ||
-	    mon < 1 || mon > 12 ||
-	    day < 1 || day > mon_len ||
+	if (day < 1 || day > mon_len ||
 	    hour > 23 ||
 	    min > 59 ||
 	    sec > 59)
 		goto invalid_time;
-	
+
 	*_t = mktime64(year, mon, day, hour, min, sec);
 	return 0;