- Apr 27, 2017
Zhang Wei authored
Change-Id: I9004ec45bd376a3fd586f3d4830dfdef025957d6
Signed-off-by: c00187401 <c00187401@notesmail.huawei.com>
-
- Apr 24, 2017
Zhang Wei authored
CVE-2017-0605: strcpy has no limit on the string being copied, which causes stack corruption leading to a kernel panic. Use strlcpy to resolve the issue by providing the length of the string to be copied.
CRs-fixed: 1048480
Change-Id: Ib290b25f7e0ff96927b8530e5c078869441d409f
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
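The commit above describes the fix in one sentence; the following is an added, user-space C example (not the driver's code, and not part of this commit) that shows what the change buys. `demo_strlcpy` is a local implementation of strlcpy semantics so the demo does not depend on the libc providing one; the 16-byte destination, the `demo_device` structure and `set_device_name` are assumptions made for the demo. The point it adds to the commit text is that strlcpy's return value also lets the caller reject an oversized name instead of silently truncating it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Destination size is an assumption for this demo, not the driver's. */
#define DEV_NAME_LEN 16

struct demo_device { char name[DEV_NAME_LEN]; };
static struct demo_device dev = { "default" };

/* strlcpy semantics, implemented locally: writes at most dstsize bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can detect truncation with (ret >= dstsize). */
size_t demo_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hardened handler: the strcpy version overran the stack buffer for any
 * name of DEV_NAME_LEN bytes or more. Here the copy is bounded, and an
 * oversized name is rejected rather than silently truncated, so dev.name
 * is left untouched. */
int set_device_name(const char *user_name)
{
    char name[DEV_NAME_LEN];                 /* stack buffer, as in the bug */

    if (demo_strlcpy(name, user_name, sizeof name) >= sizeof name)
        return -EINVAL;                      /* strcpy would have overflowed here */
    memcpy(dev.name, name, sizeof name);
    return 0;
}

const char *device_name(void) { return dev.name; }

int main(void)
{
    char long_name[64];                      /* constructed input: 63 'A's */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short name: rc=%d name=%s\n", set_device_name("wlan0"), device_name());
    printf("long name:  rc=%d name=%s\n", set_device_name(long_name), device_name());
    return 0;
}
```

A 16-character name is rejected even though strlcpy would have fit 15 of its bytes: the `>=` test treats "would have been truncated" as an error, which is the right default for a kernel interface where a silently shortened identifier can later be matched against the wrong object.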
-
Zhang Wei authored
CVE-2016-5854: Calling copy_to_user(to, from, size) with a negative value might cause a heap overflow, since size is an unsigned parameter and a negative value is cast to a big unsigned value.
CRs-Fixed: 1092683
Change-Id: I9b4a0710aa33942de2976f7ee158a8025dd6a20e
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
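The signed-to-unsigned conversion the commit describes is easy to see in isolation. The block below is an added user-space C example, not the driver's code: `fake_copy_to_user` stands in for copy_to_user() (it keeps the size_t parameter but adds a capacity check purely so the demo cannot corrupt itself), the 64-byte buffers and the `read_buf` handler are assumptions for the demo, and the constructed user length is the only input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_LEN 64
static unsigned char kernel_buf[KBUF_LEN] = "kernel data";
static unsigned char user_buf[KBUF_LEN];          /* stand-in for the user mapping */

/* Stand-in for copy_to_user(): size_t length like the real one, returns the
 * number of bytes NOT copied. The cap check exists only so this demo cannot
 * overrun its own memory; the real helper trusts n entirely. */
static unsigned long fake_copy_to_user(void *to, size_t to_cap,
                                       const void *from, size_t n)
{
    if (n > to_cap)
        return n - to_cap;
    memcpy(to, from, n);
    return 0;
}

/* What the vulnerable code effectively did: a signed, user-controlled length
 * handed to a size_t parameter. Any negative value becomes enormous. */
size_t length_as_passed(int len)
{
    return (size_t)len;
}

/* Fixed handler: reject negative and oversized lengths before the widening
 * conversion. Returns bytes copied, or a negative errno. */
long read_buf(int len)
{
    if (len < 0 || (size_t)len > sizeof kernel_buf)
        return -EINVAL;
    if (fake_copy_to_user(user_buf, sizeof user_buf, kernel_buf, (size_t)len))
        return -EFAULT;
    return len;
}

int main(void)
{
    printf("len -1 as size_t: %zu\n", length_as_passed(-1));
    printf("read_buf(-1) -> %ld\n", read_buf(-1));
    printf("read_buf(12) -> %ld (%s)\n", read_buf(12), user_buf);
    return 0;
}
```

The check has to happen on the signed value: a test such as `if ((size_t)len > sizeof kernel_buf)` alone would also catch the wrapped value, but only by accident of the buffer size, and a comparison written against a signed upper bound (`len > KBUF_LEN`) would let -1 through.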
-
Zhang Wei authored
CVE-2017-0630: This likely breaks tracing tools like trace-cmd. It logs in the same format, but now addresses are all 0x0.
Bug: 34277115
Change-Id: Iffd01e5002dd342c4435ef932c231183b0ce3c80
Signed-off-by: c00187401 <c00187401@notesmail.huawei.com>
-
Zhang Wei authored
CVE-2017-7184: When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate the user supplied replay_esn to ensure that the size is valid and to ensure that the replay_window size is within the allocated buffer. However later it is possible to update this replay_esn via an XFRM_MSG_NEWAE call. There we again validate the size of the supplied buffer matches the existing state and if so inject the contents. We do not at this point check that the replay_window is within the allocated memory. This leads to out-of-bounds reads and writes triggered by netlink packets. This leads to memory corruption and the potential for privilege escalation.
We already attempt to validate the incoming replay information in xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user is not trying to change the size of the replay state buffer which includes the replay_esn. It however does not check the replay_window remains within that buffer. Add validation of the contained replay_window.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Ia235af1f43f7385d3c0ee68789ea49ef082863d7
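To make the two checks the commit message distinguishes concrete (size of the buffer versus validity of replay_window inside it), here is an added user-space model in C. It is not the kernel's xfrm code: `struct replay_state_esn` is a trimmed layout assumed for the demo, `replay_verify` reproduces the logic described in the message (size must match the existing state, then replay_window must fit in bmp_len words of 32 bits), and `replay_mark` is a deliberately simplified consumer of the window that reports an out-of-bounds index instead of performing the write, so the demo can show why the second check matters without corrupting memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of struct xfrm_replay_state_esn (field set trimmed, layout assumed
 * for the demo): bmp_len counts the 32-bit words of the trailing bitmap,
 * replay_window is the number of valid bits inside that bitmap. */
struct replay_state_esn {
    uint32_t bmp_len;
    uint32_t oseq, seq, oseq_hi, seq_hi;
    uint32_t replay_window;
    uint32_t bmp[];
};

static size_t esn_len(const struct replay_state_esn *r)
{
    return sizeof *r + (size_t)r->bmp_len * sizeof(uint32_t);
}

/* Verification in the spirit of xfrm_replay_verify_len() after the fix:
 * (1) the netlink attribute must be large enough and the same size as the
 *     existing state, so bmp_len cannot change underneath the allocation;
 * (2) replay_window must fit in bmp_len * 32 bits, the check that the
 *     XFRM_MSG_NEWAE path was missing. */
int replay_verify(const struct replay_state_esn *state,
                  const struct replay_state_esn *user, size_t nla_len)
{
    size_t ulen = esn_len(user);

    if (nla_len < ulen || esn_len(state) != ulen)
        return -EINVAL;
    if (user->replay_window > user->bmp_len * sizeof(uint32_t) * 8)
        return -EINVAL;
    return 0;
}

/* Simplified consumer of the window: marks a sequence number in the bitmap.
 * Where the real code would write past bmp[bmp_len], this returns -1. */
int replay_mark(struct replay_state_esn *r, uint32_t seq)
{
    if (r->replay_window == 0)
        return -1;
    uint32_t pos = seq % r->replay_window;
    uint32_t word = pos / 32;

    if (word >= r->bmp_len)
        return -1;                          /* would be an out-of-bounds write */
    r->bmp[word] |= 1u << (pos % 32);
    return 0;
}

static struct replay_state_esn *make_state(uint32_t bmp_len, uint32_t window)
{
    size_t len = sizeof(struct replay_state_esn) + (size_t)bmp_len * sizeof(uint32_t);
    struct replay_state_esn *r = calloc(1, len);
    if (!r)
        abort();
    r->bmp_len = bmp_len;
    r->replay_window = window;
    return r;
}

/* Existing state owns 2 bitmap words (64 bits). A constructed NEWAE update
 * keeps bmp_len at 2, so the size check passes, but asks for the given window. */
int demo_verify(uint32_t requested_window)
{
    struct replay_state_esn *state = make_state(2, 64);
    struct replay_state_esn *user = make_state(2, requested_window);
    int rc = replay_verify(state, user, esn_len(user));
    free(state);
    free(user);
    return rc;
}

/* What the bitmap update would do if such an update were accepted. */
int demo_mark(uint32_t window, uint32_t seq)
{
    struct replay_state_esn *state = make_state(2, window);
    int rc = replay_mark(state, seq);
    free(state);
    return rc;
}

int main(void)
{
    printf("window 64   -> verify %d\n", demo_verify(64));
    printf("window 1024 -> verify %d, mark(seq 1000) without check %d\n",
           demo_verify(1024), demo_mark(1024, 1000));
    return 0;
}
```

The size check alone is satisfied by the malicious update because the attacker keeps bmp_len unchanged; only replay_window grows, and every later bitmap access indexes by that window.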
-
Zhang Wei authored
CVE-2016-10291: Subsystem will restart within a short timeframe. Synchronise subsystem up/down callback notifications to avoid functionality failures. Use mutex locks to achieve synchronization.
Change-Id: I5881c7d468507bb8402a2e9f8178b9c31e57e8a5
Signed-off-by: Dilip Kota <dkota@codeaurora.org>
-
Zhang Wei authored
CVE-2016-9794: commit 3aa02cb6 upstream.
Currently kill_fasync() is called outside the stream lock in snd_pcm_period_elapsed(). This is potentially racy, since the stream may get released even while the irq handler is running. Although snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't guarantee that the irq handler finishes, thus the kill_fasync() call outside the stream spin lock may be invoked after the substream is detached, as recently reported by KASAN.
As a quick workaround, move the kill_fasync() call inside the stream lock. fasync is a rarely used interface, so this shouldn't have a big impact from the performance POV.
Ideally, we should implement some sync mechanism for the proper finish of stream and irq handler. But this oneliner should suffice for most cases, so far.
Change-Id: Id8eac74639477d1c283eabf4f7ff82916674474f
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
-
- Apr 20, 2017
Shuailei Fang authored
If NFC is interacting with POS and detects the watch suspending to sleep, get a wakelock to delay entering sleep.
Change-Id: I9abaecd8929983d68a6bba80da961f4434c477ce
-
- Mar 22, 2017
c00187401 authored
In the process of repeated sleep and wake-up, sometimes the TP firmware will not be able to respond to the AP's TP driver. So abnormality detection should be done in the wake-up function. When a TP exception occurs, the TP driver resets the TP firmware.
Change-Id: Ic6175981238cf80380b8d27c5d1b1e93e50c6397
-
l00228880 authored
When the repeat charge flag is true, the repo soc is 100 even if the real soc is low, such as 80. So when the real capacity is low, we clear the repeat charge flag.
Change-Id: I8b04c93c0b881dfcab1e72a851232c4148e1ae8a
-
l00228880 authored
The bug happens in the following situation:
1. USB is online and battery temp is above 45 or below 0.
2. Unplug the USB and plug in the USB.
The reason is that it does not consider the cold or hot status and enables charging when the USB is unplugged.
Change-Id: I3b35e5cc0a3f0592d366b0931cf64a2dfa524003
-
- Mar 20, 2017
Kaushal Kumar authored
CVE-2017-6423: Add a config option to enable/disable the l2 indirect access debug capability. The driver exposes an l2 indirect access debugfs interface to get/set data, address, and target CPUs, so keep it disabled by default.
Change-Id: I09728c2984b7be169a12d4a9f926a97cc4261bba
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
-
gwx419604 authored
CVE-2017-0572: Added a boundary check to not overflow the buffer, especially when input parameters are manipulated.
Bug: 34198931
Change-Id: I39d7dc38a597a938d37dbd7bb267a7ff4df93e45
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2016-8465: Add a bssid count element to refer to exactly in NL-TLV parsing. This change needs to be synced with /hardware/broadcom/wlan/bcmdhd/wifi_hal/gscan.cpp, where GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT is supposed to be called.
Bug: 32474971
Change-Id: I059ace65405c86add784bd43f7df84cdd5c93a51
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2017-0570: The WEXT API was already obsoleted and should be removed.
Bug: 34199963
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 32124445
Change-Id: Ie3ae65df9698fe24951cf37878e4bddc3be27dc9
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
Sudhir Kohalli authored
CVE-2017-0569:
1) The default_chan_list buffer overflow is avoided by checking that the n_nodfs index does not exceed num_chans, which is the length of the default_chan_list buffer.
2) The SSID length check against 32 (max limit) is done, and then the SSID name copied into the extra buffer is null terminated. The extra buffer is allocated a length of 33 in wl_iw_ioctl.c.
3) The chance of the cumulative results->pkt_count length exceeding the allocated memory length of results->total_count is avoided in this fix. change_array is the destination array whose length is allocated to results->total_count.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: Iec7cf496886bf0f51cf36737556958e740ff9e77
-
Insun Song authored
CVE-2017-0567: Added a boundary check to not override the allocated buffer.
Change-Id: I81a0f79221360ee57906ef9497391276744d891c
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 32125310
-
gwx419604 authored
CVE-2017-0573: Added a boundary check to not override the allocated buffer, especially when user input is corrupted or manipulated.
Change-Id: I3c6ba1efaa10c6f8a7ba342786537258173cf793
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 34469904
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2017-0571: Added a boundary check to not override the allocated buffer.
Change-Id: I6cf95da5f0c3bc688c3110439ec92d29cbcc0a07
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 34203305
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2017-0568: Prevent a buffer overrun case where the WLC_GET_VALID_CHANNELS IOCTL is overridden by an attacker and its return manipulated.
Bug: 34197514
Change-Id: Iaf2f9177304edd9925e635d442fea58e1859e205
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2016-7097: When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows bypassing the check in chmod(2). Fix that.
Change-Id: I1b7ca2d562f0f58ad27482b4eb49d032870c685f
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
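The chmod(2) rule that setxattr(2) was bypassing can be stated in a few lines. Below is an added user-space model in C, not the kernel's posix_acl code: the ACL representation, the `caller` struct (standing in for the in_group_p() and CAP_FSETID results) and the mode constants are assumptions for the demo; `acl_to_mode` folds an ACL into rwx bits the way posix_acl_equiv_mode() does, and the two `set_acl_mode_*` functions show the mode the inode ends up with before and after the setgid-clearing rule is applied on the ACL path.

```c
#include <stddef.h>
#include <stdio.h>

/* Mode bits spelled out so the demo needs no <sys/stat.h>. */
#define MODE_SETGID   02000u
#define MODE_RWXUGO   00777u

/* Minimal POSIX ACL model: the three tags that map onto mode bits, plus
 * MASK, which replaces GROUP_OBJ in the derived group bits when present. */
enum acl_tag { ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_MASK, ACL_OTHER };
struct acl_entry { enum acl_tag tag; unsigned perm; };   /* perm is rwx, 0..7 */

/* Caller identity, trimmed to what the setgid rule needs: the in_group_p()
 * result for the inode's group, and whether CAP_FSETID is held. */
struct caller { int in_group; int cap_fsetid; };

/* posix_acl_equiv_mode()-style fold: owner/group/other rwx bits come from
 * the ACL, the non-permission bits (setuid, setgid, sticky) are kept. */
static unsigned acl_to_mode(unsigned old_mode, const struct acl_entry *e, size_t n)
{
    unsigned mode = old_mode & ~MODE_RWXUGO;
    int have_mask = 0;

    for (size_t i = 0; i < n; i++)
        if (e[i].tag == ACL_MASK)
            have_mask = 1;
    for (size_t i = 0; i < n; i++) {
        switch (e[i].tag) {
        case ACL_USER_OBJ:  mode |= e[i].perm << 6; break;
        case ACL_GROUP_OBJ: if (!have_mask) mode |= e[i].perm << 3; break;
        case ACL_MASK:      mode |= e[i].perm << 3; break;
        case ACL_OTHER:     mode |= e[i].perm; break;
        }
    }
    return mode;
}

/* Before the fix: the ACL path installed the derived permission bits and
 * left S_ISGID alone, so a caller outside the owning group kept a setgid
 * bit that chmod(2) would have cleared. */
unsigned set_acl_mode_before(unsigned inode_mode, const struct acl_entry *e,
                             size_t n, const struct caller *c)
{
    (void)c;
    return acl_to_mode(inode_mode, e, n);
}

/* After the fix: same derivation, then the inode_change_ok() rule. */
unsigned set_acl_mode_after(unsigned inode_mode, const struct acl_entry *e,
                            size_t n, const struct caller *c)
{
    unsigned mode = acl_to_mode(inode_mode, e, n);

    if (!c->in_group && !c->cap_fsetid)
        mode &= ~MODE_SETGID;
    return mode;
}

/* Constructed scenario: a setgid, group-writable mode (02775) and an ACL
 * equivalent to rwxrwxr-x, set by a caller without CAP_FSETID. */
static const struct acl_entry demo_acl[] = {
    { ACL_USER_OBJ, 7 }, { ACL_GROUP_OBJ, 7 }, { ACL_OTHER, 5 },
};
#define DEMO_ACL_N (sizeof demo_acl / sizeof demo_acl[0])

unsigned demo_before(int in_group)
{
    struct caller c = { in_group, 0 };
    return set_acl_mode_before(02775u, demo_acl, DEMO_ACL_N, &c);
}

unsigned demo_after(int in_group)
{
    struct caller c = { in_group, 0 };
    return set_acl_mode_after(02775u, demo_acl, DEMO_ACL_N, &c);
}

int main(void)
{
    printf("non-member, before fix: %04o\n", demo_before(0));
    printf("non-member, after fix:  %04o\n", demo_after(0));
    printf("group member, after:    %04o\n", demo_after(1));
    return 0;
}
```

The only difference between the two paths is the final `mode &= ~MODE_SETGID`; everything else is the mode derivation that setxattr(2) already performed, which is why the bypass was available to anyone who could set an ACL on a file they owned but whose group they were not in.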
-
gwx419604 authored
CVE-2017-0586: Add an out-of-bounds check in the routing put functions for the mux value before accessing the texts pointer of the soc_enum struct with mux as the index.
Change-Id: I328d3455ecb255217eda31044c022215d75b34bf
CRs-fixed: 1097569
Bug: 33649808
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
ansharma authored
CVE-2017-6426: There is a possible race condition when debugfs files are concurrently accessed by multiple threads. Fix this.
Change-Id: Ie5f1ba87b55b2fae69de262ab7ac3e86610036a5
CRs-Fixed: 1106842
Signed-off-by: ansharma <ansharma@codeaurora.org>
-
Arumuga Durai A authored
CVE-2016-10236: A race condition bug in function 'mbim_bind_config' allows changing the 'mbim->xport' type to an invalid value. This allows mbim_ioctl() to copy uninitialized data to userspace. Fix this by avoiding the copy_to_user() call when the transport type is invalid.
Change-Id: Ifcdf1fe96500c2401ab2c601d914a0347552d131
CRs-Fixed: 1102418
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
-
Sravan Kumar D.V.N authored
CVE-2017-6425: In the compat layer, the temporary structures used to convert data from 32-bit to 64-bit structures need to be set to 0 before being assigned values.
Change-Id: Ib95e6a08be34c6227c181b3329d014148b8648d0
CRs-Fixed: 1103689
Signed-off-by: Sravan Kumar D.V.N <sravank1@codeaurora.org>
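The reason the compat temporaries must be zeroed is padding: assigning every field of a 64-bit structure still leaves its alignment padding holding whatever was on the stack before, and the whole structure is then copied to user space. The following is an added user-space C demonstration, not the driver's compat code. Both structure layouts, the `STALE` marker that stands in for leftover stack contents, and the field values are constructed for the demo; field stores go through a volatile pointer so each store is exactly one field wide and padding is left as found.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit user-facing layout and its 64-bit kernel counterpart (both assumed
 * for the demo). In req64, uint64_t alignment leaves padding after `flags`
 * that no field assignment ever writes. */
struct req32 { uint32_t handle; uint8_t flags; uint32_t len; };
struct req64 { uint8_t flags; uint64_t handle; uint64_t len; };

/* Storage for the temporary, kept properly aligned for struct req64 while
 * still being inspectable byte by byte. */
union tmp_storage { unsigned char b[sizeof(struct req64)]; struct req64 s; };

#define STALE 0xAA   /* marker standing in for whatever was last on the stack */

/* Before: convert by assigning fields into a temporary that was never
 * cleared. Volatile stores keep each write exactly one field wide. */
void compat_convert_before(const struct req32 *in, union tmp_storage *tmp)
{
    volatile struct req64 *out = &tmp->s;
    out->flags  = in->flags;
    out->handle = in->handle;
    out->len    = in->len;
}

/* After: memset() the temporary first, so padding reaches user space as zeros. */
void compat_convert_after(const struct req32 *in, union tmp_storage *tmp)
{
    memset(tmp, 0, sizeof *tmp);
    compat_convert_before(in, tmp);
}

/* Count bytes still carrying the stale marker, i.e. bytes that a
 * copy_to_user() of the whole struct would disclose. */
size_t stale_bytes(const union tmp_storage *tmp)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof tmp->b; i++)
        if (tmp->b[i] == STALE)
            n++;
    return n;
}

/* Run one conversion on storage pre-filled with STALE; returns the leak size. */
size_t demo_leak(int zero_first)
{
    union tmp_storage tmp;
    struct req32 in = { 0x1234, 0x01, 16 };   /* constructed input */

    memset(&tmp, STALE, sizeof tmp);
    if (zero_first)
        compat_convert_after(&in, &tmp);
    else
        compat_convert_before(&in, &tmp);
    return stale_bytes(&tmp);
}

/* Padding in req64 = total size minus the three fields' own bytes. */
size_t req64_padding(void)
{
    return sizeof(struct req64) - sizeof(uint8_t) - 2 * sizeof(uint64_t);
}

int main(void)
{
    printf("struct req64: %zu bytes, %zu of them padding\n",
           sizeof(struct req64), req64_padding());
    printf("stale bytes copied without memset: %zu\n", demo_leak(0));
    printf("stale bytes copied with memset:    %zu\n", demo_leak(1));
    return 0;
}
```

On the usual LP64 ABIs req64 is 24 bytes with 7 bytes of padding, and exactly those 7 bytes survive the unzeroed conversion. Note that a designated initializer such as `struct req64 out = { .flags = ... }` does not reliably help either: C only guarantees the named members are set, so memset() on the temporary is the portable fix the commit applies.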
-
Xiaoyu Ye authored
CVE-2016-5346: Error handling is added to prevent a garbage value being passed to user space by the uninitialized local variable avtimer_tick.
Change-Id: Id98ba4c3456c5820c21c0430506ab1377beb7458
CRs-Fixed: 1097878
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
-
ahmedsh authored
CVE-2017-0462: Avoid a race condition in the driver when encoding a param by reading contents from a local copy instead of the msg buffer itself, which can be mapped to user space.
Change-Id: I4083348ac3490c0dfa6d14085555129332c153f2
Signed-off-by: Ahmed Sheikh <ahmedsh@codeaurora.org>
-
Naseer Ahmed authored
CVE-2017-0579: Check the size of the cursor image provided by userspace to avoid a buffer overflow.
Bug: 34125463
Change-Id: I3682d7b5992d8cc2f18d1efdcc6c077466599923
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
-
Karthikeyan Mani authored
CVE-2016-10231: Add a check in the tasha_mad_input_put function to return an error on out-of-bounds access using the mad input value.
CRs-fixed: 1096799
Change-Id: Iddaa3fef362f7cb1919aa3bd8dd4b83133fe7c97
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
-
Lianchao Song authored
CVE-2017-0578: Add locking to control shared access to the DTS Eagle license cache. Also update the logic to recreate the cache when a new license string is set.
Change-Id: Idedbd56c229ab3c9b2758be3e99c3a6ce031188c
Signed-off-by: Jitendra Naruka <jitendra.naruka@dts.com>
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Zhen Kong authored
CVE-2017-0576: qcedev_vbuf_ablk_cipher will calculate the total data length. It starts with the value of "areq->cipher_op_req.byteoffset", which is controlled by the user. Make a change to check whether this total data length has an integer overflow issue in qcedev_check_cipher_params.
Change-Id: Ice42dca6d47eb8febfe8a34e566c69e4799fab57
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
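The message says where the overflow starts (a user-controlled byteoffset seeding a running total) but not what a check looks like. The block below is an added user-space C example, not the qcedev driver's code: `struct cipher_op_req` is a trimmed model with assumed field names, `DEV_MAX_DATA` is an assumed per-request ceiling, and the two constructed requests show a benign total next to one where byteoffset sits just below UINT32_MAX so that adding a small buffer length wraps to a value that a naive upper-bound test would accept.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the request (field names assumed): a starting byte offset plus a
 * vector of buffer lengths, every value user-controlled and 32-bit. */
#define MAX_ENTRIES 8
struct cipher_op_req {
    uint32_t byteoffset;
    uint32_t entries;
    uint32_t vbuf_len[MAX_ENTRIES];
};

#define DEV_MAX_DATA (64u * 1024u)   /* assumed per-request ceiling for the demo */

/* Before: the running total starts at byteoffset and wraps silently, so a
 * huge offset plus a modest buffer lands on a small, seemingly valid total. */
uint32_t total_len_unchecked(const struct cipher_op_req *req)
{
    uint32_t total = req->byteoffset;
    for (uint32_t i = 0; i < req->entries && i < MAX_ENTRIES; i++)
        total += req->vbuf_len[i];
    return total;
}

/* After: each addition is tested for wrap before it happens, then the total
 * is bounded. Returns 0 and writes *total_out, or -EINVAL. */
int check_cipher_params(const struct cipher_op_req *req, uint32_t *total_out)
{
    uint32_t total = req->byteoffset;

    if (req->entries > MAX_ENTRIES)
        return -EINVAL;
    for (uint32_t i = 0; i < req->entries; i++) {
        if (req->vbuf_len[i] > UINT32_MAX - total)   /* total + len would wrap */
            return -EINVAL;
        total += req->vbuf_len[i];
    }
    if (total > DEV_MAX_DATA)
        return -EINVAL;
    *total_out = total;
    return 0;
}

/* Constructed requests: one benign, one with byteoffset near UINT32_MAX. */
static const struct cipher_op_req benign   = { 16, 2, { 1024, 2048 } };
static const struct cipher_op_req wrapping = { 0xFFFFFFF0u, 1, { 0x20 } };

static const struct cipher_op_req *pick(int use_wrapping)
{
    return use_wrapping ? &wrapping : &benign;
}

uint32_t demo_unchecked(int use_wrapping)
{
    return total_len_unchecked(pick(use_wrapping));
}

int demo_check(int use_wrapping)
{
    uint32_t total;
    return check_cipher_params(pick(use_wrapping), &total);
}

/* Validated total, or 0 when the request is rejected. */
uint32_t demo_total(int use_wrapping)
{
    uint32_t total = 0;
    if (check_cipher_params(pick(use_wrapping), &total))
        return 0;
    return total;
}

int main(void)
{
    printf("benign:   unchecked=%u checked rc=%d total=%u\n",
           demo_unchecked(0), demo_check(0), demo_total(0));
    printf("wrapping: unchecked=0x%x checked rc=%d\n",
           demo_unchecked(1), demo_check(1));
    return 0;
}
```

The wrapped request sums to 0x10, which passes `total <= DEV_MAX_DATA` comfortably while the driver would later walk byteoffset + 0x20 bytes from the start of the mapping. Checking `len > UINT32_MAX - total` before each addition (or `__builtin_add_overflow` on compilers that have it) catches the wrap independently of whatever ceiling is applied afterwards.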
-
kunleiz authored
CVE-2017-0454: Add mutex protection to avoid accessing output_len in parallel.
CRs-Fixed: 1104067
Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
-
gwx419604 authored
CVE-2017-0564: This separates the kref for ion handles into two components. Userspace requests through the ioctl will hold at most one reference to the internally used kref. All additional requests will increment a separate counter, and the original reference is only put once that counter hits 0. This protects the kernel from a poorly behaving userspace.
Bug: 34276203
Change-Id: Ibc491d8ce6e88d1420c10261cd37eb93355fbe95
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
gwx419604 authored
CVE-2016-10229: Backport of this upstream commit into stable kernels: 89c22d8c ("net: Fix skb csum races when peeking") exposed a bug in the udp stack vs MSG_PEEK support, when the user provides a buffer smaller than the skb payload.
In this case, skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov); returns -EFAULT.
This bug does not happen in upstream kernels since Al Viro did a great job replacing this with: skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); This variant is safe vs short buffers.
For the time being, instead of reverting Herbert Xu's patch and adding back the skb->ip_summed invalid changes, simply store the result of udp_lib_checksum_complete() so that we avoid computing the checksum a second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call.
This patch can be applied on recent kernels as it avoids a double checksumming, then backported to stable kernels as a bug fix.
Change-Id: I007d1e69ba0e542f679d1644c7e80c632152e841
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
-
Neeraj Soni authored
CVE-2016-10230: Adding user-passed parameters without a check might lead to integer overflow and unpredictable system behaviour.
Change-Id: I78c73e6b74c1c73a9f1c5024aa2a7ff2ccd51372
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
-
- Mar 02, 2017
gwx419604 authored
CVE-2017-0509: Google found one security issue in wl_iw.c, where these WIRELESS EXTENSION APIs are obsoleted and no longer used. So these files should be removed completely from mogrification.
Change-Id: I03d59fa9780695efd5a7411485841a52595d45eb
-
gwx419604 authored
CVE-2017-0430: Found one possible use-after-free in _dhd_pno_get_for_batch(). In the case where "pscan_result->cnt_header==0", the kernel tries to free 'pscan_results' and immediately tries to dereference it again.
Change-Id: I53504cdc6ca447547b879c52a2468a82ebd73daf
-
- Feb 25, 2017
j00365487 authored
1. Disable charging when capacity is above 70.
2. Enable charging when capacity is below 60.
Change-Id: I631e2aee0d6b93138687a7453d934b71e1cfac2f
-
Amir Samuelov authored
CVE-2016-5856: Check the command buf size before allocating the kernel buffer.
CRs-Fixed: 1094078
Change-Id: Ib03cd8c79966ff35863c1bde99089cac018ab45c
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
-
Karthikeyan Ramasubramanian authored
CVE-2017-0463: Allowing services to be registered on a non-client port will cause either an existing service or a control port to be overwritten. This will cause undefined functional behavior. Allow services to be registered only on client ports.
CRs-Fixed: 1101792
Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
-