- Jul 21, 2017
-
-
Jonathan Solnit authored
September 2017.2 Bug: 63173580
-
Jonathan Solnit authored
Merge branch 'android-msm-bullhead-3.10-nyc-mr2-security-next' into android-msm-bullhead-3.10-nyc-mr2 September 2017.2 Bug: 63173580
-
Jonathan Solnit authored
This reverts commit 31aaef07.
Bug: 62201221
Change-Id: Iff57c945dcffcdd5632aeb65992ae7a5aca98186
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit ceb09959.
Bug: 62201221
Change-Id: Ic4679c0ed98b16b3e063bca48dbc22f703072eb9
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 6fb7c5fa.
Bug: 38027632
Change-Id: I6a2154164ff57b2e227ad7d9231c211ad97edaa7
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 4d526dae.
Bug: 37438302
Change-Id: I20ffa328e4aec9e432cf3856b57fd6c0f3951060
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 9349ead0.
Bug: 37239119
Change-Id: I5559d4fc20659397efd8a0383c4e33e72a550862
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 83c470dc.
Bug: 36232584
Change-Id: I67ff48901f39883ef6a0107f35d232e3fe0b016a
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 1d5b6ba1.
Bug: 35644370
Change-Id: I0880d5f11cd22547934a13b7aa564a4102b95aa9
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 19d23397.
Bug: 33548839
Change-Id: Ibc6b438b076ccfab91b3b928847d3067bad0d3d9
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
- Jul 19, 2017
-
-
Jonathan Solnit authored
September 2017.1 Bug: 63173580
-
Jonathan Solnit authored
Merge branch 'android-msm-bullhead-3.10-nyc-mr2-security-next' into android-msm-bullhead-3.10-nyc-mr2 September 2017.1 Bug: 63173580
-
- Jul 18, 2017
-
-
VijayaKumar T M authored
Since IOCTLs can come in any order, validate the actuator function table and methods before accessing them.
CRs-Fixed: 1084177
Bug: 38027632
Change-Id: Ic6fce52fdf4d1420c2b707ec9bc9cba045066a13
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
-
Hugh Dickins authored
commit f4cb767d upstream.
Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the end of unmapped_area_topdown(). Linus points out how MAP_FIXED (which does not have to respect our stack guard gap intentions) could result in gap_end below gap_start there. Fix that, and the similar case in its alternative, unmapped_area().
Cc: stable@vger.kernel.org
Fixes: 1be7107f ("mm: larger stack guard gap, between vmas")
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 28ebf895)
Bug: 38413813
Change-Id: I4cceb484114ba9033d29687eeed4558c64f13dae
Signed-off-by: Greg Hackmann <ghackmann@google.com>
-
Xiaojun Sang authored
msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.
CRs-Fixed: 2022953
Bug: 62379475
Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
-
Trishansh Bhardwaj authored
Use proper synchronization to ensure the driver file is opened only once.
CRs-Fixed: 2023513
Bug: 62378684
Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
-
Maria Yu authored
Cldata needed to be protected by a lock since a crash happened on synchronous update and free.
CRs-Fixed: 2034222
Bug: 62378596
Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
-
WANG Cong authored
Like commit 657831ff ("dccp/tcp: do not inherit mc_list from parent") we should clear ipv6_mc_list etc. for IPv6 sockets too.
Cc: Eric Dumazet <edumazet@google.com>
Bug: 62299478
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 83eaddab)
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I6bcb4627885b7444949852f580a901fdae409349
-
Takashi Iwai authored
snd_timer_user_tselect() reallocates the queue buffer dynamically, but it forgot to reset its indices. Since the read may happen concurrently with ioctl and snd_timer_user_tselect() allocates the buffer via kmalloc(), this may lead to the leak of uninitialized kernel-space data, as spotted via KMSAN:
BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
copy_to_user ./arch/x86/include/asm/uaccess.h:725
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
do_loop_readv_writev fs/read_write.c:716
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
do_readv_writev fs/read_write.c:894
vfs_readv fs/read_write.c:908
do_readv+0x52a/0x5d0 fs/read_write.c:934
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
SyS_readv+0x87/0xb0 fs/read_write.c:1018
This patch adds the missing reset of queue indices. Together with the previous fix for the ioctl/read race, we cover the whole problem.
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit ba3021b2)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62201221
Change-Id: I8d3d97bb0e6c2eefd050bf46b860dd603fe3f4c6
-
Takashi Iwai authored
The read from the ALSA timer device, the function snd_timer_user_tread(), may access uninitialized struct snd_timer_user fields when the read is performed concurrently while an ioctl like snd_timer_user_tselect() is invoked. We have already fixed the races among ioctls via a mutex, but we seem to have forgotten the race between read vs ioctl. This patch simply applies (more exactly, extends the already applied range of) tu->ioctl_lock in snd_timer_user_tread() to close the race window.
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit d11662f4)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62201221
Change-Id: I67a3b5153c39ce9f6d7571b5aa8faabe5e3dbb83
-
Jan Kara authored
Huang has reported that in his powerfail testing he is seeing stale block contents in some of recently allocated blocks although he mounts ext4 in data=ordered mode. After some investigation I have found out that indeed when delayed allocation is used, we don't add inode to transaction's list of inodes needing flushing before commit. Originally we were doing that but commit f3b59291 removed the logic with a flawed argument that it is not needed. The problem is that although for delayed allocated blocks we write their contents immediately after allocating them, there is no guarantee that the IO scheduler or device doesn't reorder things and thus transaction allocating blocks and attaching them to inode can reach stable storage before actual block contents. Actually whenever we attach freshly allocated blocks to inode using a written extent, we should add inode to transaction's ordered inode list to make sure we properly wait for block contents to be written before committing the transaction. So that is what we do in this patch. This also handles other cases where stale data exposure was possible - like filling hole via mmap in data=ordered,nodelalloc mode. The only exception to the above rule are extending direct IO writes where blkdev_direct_IO() waits for IO to complete before increasing i_size and thus stale data exposure is not possible. For now we don't complicate the code with optimizing this special case since the overhead is pretty low. In case this is observed to be a performance problem we can always handle it using a special flag to ext4_map_blocks().
CC: stable@vger.kernel.org
Fixes: f3b59291
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 06bd3c36)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62198330
Change-Id: I71776f9a0471bd0ef3d7e03d08469686ade7d94f
-
Eric Dumazet authored
syzkaller found a way to trigger double frees from ip_mc_drop_socket(). It turns out that we leave a copy of parent mc_list at accept() time, which is very bad. Very similar to commit 8b485ce6 ("tcp: do not inherit fastopen_req from parent"). Initial report from Pray3r, completed by Andrey one. Thanks a lot to them!
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Roberto Pereira <rpere@google.com>
(cherry picked from commit 657831ff)
Bug: 38413975
Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad
-
Dennis Cagle authored
The pointer qbuf_buf comes from userspace. qbuf_buf->num_planes is used with no bound check; if set to a large value, it will overflow buf_info->mapped_info and qbuf_buf->planes.
CRs-Fixed: 2003798
Bug: 38196031
Git-repo: https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit
Git-commit: 333a535f8323821b1d46b408f2305712640d1767
Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-
Eric Dumazet authored
Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue. __tcp_splice_read() returns 0, and sk_wait_data() immediately returns since there is the problematic skb in queue. This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups. Again, this gem was found by syzkaller tool.
Fixes: 9c55e01c ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ccf7abb9)
Signed-off-by: Roberto Pereira <rpere@google.com>
Bug: 37901268
Change-Id: I8576f6f9a2b0e5acd4d89a8dde5234555cee305d
-
Eric Dumazet authored
commit d199fab6 upstream.
Multiple threads can call fanout_add() at the same time. We need to grab fanout_mutex earlier to avoid races that could lead to one thread freeing po->rollover that was set by another thread. Do the same in fanout_release(), for peace of mind, and to help us finding lockdep issues earlier.
[js] no rollover in 3.12
Fixes: dc99f600 ("packet: Add fanout support.")
Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2a272abc)
Bug: 37897645
Change-Id: I3b021869ee26b88d10f4d6408ce34d351543ce74
-
Eric Dumazet authored
Andrey Konovalov reported out of bound accesses in ip6gre_err(). If GRE flags contains GRE_KEY, the following expression *(((__be32 *)p) + (grehlen / 4) - 1) accesses data ~40 bytes after the expected point, since grehlen includes the size of IPv6 headers. Let's use a "struct gre_base_hdr *greh" pointer to make this code more readable. p[1] becomes greh->protocol. grhlen is the GRE header length.
Fixes: c12b395a ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Roberto Pereira <rpere@google.com>
(cherry picked from commit 7892032c)
Bug: 37871211
Change-Id: I839afd0948805b98e1aa6cbaca56f2e443f303af
-
Chris Salls authored
commit cf01fb99 upstream.
In the case that compat_get_bitmap fails we do not want to copy the bitmap to the user as it will contain uninitialized stack data and leak sensitive data.
Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ef67ca99)
Bug: 37751399
Change-Id: I13d6c57c32c32747c62173fcd1fe0471c84ffb26
-
Skylar Chang authored
Fix the security issue in handling add mux channel event in ipa wan driver.
Bug: 36490777
Change-Id: Ic2ffeafddad4954ec3ecba0d675646d0790eede7
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
-
Venu Yeshala authored
Change the format specifier in a debug print for ISPIF base address to avoid information leak.
Bug: 37239119
Change-Id: Ic6c799349ea98448da113d8710300934d77079b8
Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
-
Dennis Cagle authored
In a multi-threaded environment the diglen variable could be modified by multiple threads at the same time. A buffer overflow might happen in the current thread if another thread changes the diglen variable. So add mutex locks to avoid this issue.
CRs-Fixed: 2010656
Git-repo: https://source.codeaurora.org/quic/la/kernel/msm-3.10
Git-commit: 70b719025fbef1fa98a2e3a823e583c836dd9bb2
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Bug: 37438302
Change-Id: Ib123d494ce6d258e82f77f8ac5eeeec30ff35b1b
Signed-off-by: John Dias <joaodias@google.com>
-
Gaoxiang Chen authored
stream_cfg_cmd->num_streams is from userspace; it needs to be checked against MSM_ISP_STATS_MAX before using it.
CRs-Fixed: 2029867
Bug: 36232584
Change-Id: I2ab892b7d406fc56de94c261a396866269e91d1a
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
-
Gaoxiang Chen authored
In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element).
CRs-Fixed: 2031677
Bug: 36136563
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
-
Robb Glasser authored
sg_ioctl could be spammed by requests, leading to a double free in __free_pages. This protects the entry points of sg_ioctl where the memory could be corrupted by a double call to __free_pages if multiple requests are happening concurrently.
Bug: 35644812
Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1
Signed-off-by: Robb Glasser <rglasser@google.com>
-
Adrian Salido authored
commit 4617f564 upstream.
When calling a dm ioctl that doesn't process any data (IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct dm_ioctl are left initialized. Current code is incorrectly extending the size of data copied back to user, causing the contents of kernel stack to be leaked to user. Fix by only copying contents before data and allow the functions processing the ioctl to override.
Bug: 35644370
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I691346e98fc9bff1620942278554a57a6c22f656
-
VijayaKumar T M authored
There is no synchronization between msm_vb2_get_buf and msm_delete_stream, which can lead to a use after free. Fixed it by using a read/write lock.
CRs-Fixed: 2013052
Bug: 35099636
Change-Id: I8e80d70ec866253aab8836457a28ae14175f5d61
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
-
VijayaKumar T M authored
Use a mutex lock before using queuing ioctls, like queuing and dequeuing buffers, to avoid a race condition.
CRs-Fixed: 2038086
Bug: 34329758
Change-Id: Ia9fdfd5a766add2f8d99003b0c2bfe7d34d57a09
Signed-off-by: Krupal Divvela <kdivvela@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
-
Siva Kumar Akkireddi authored
SPS debugfs APIs can be called concurrently which can result in dangling pointer access. This change synchronizes access to the SPS debugfs buffer.
Bug: 33548839
Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
-
Tony Truong authored
Via debugfs nodes, users have the option to read and write to any PCIe register. To ensure clients do not access registers outside the PCIe range, add checks to validate the offset clients provide.
Bug: 33039685
Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247
Signed-off-by: Tony Truong <truong@codeaurora.org>
-
Maggie White authored
There is no bound check in stream_cfg_cmd->num_streams and it's used in several places as a maximum index into the stream_cfg_cmd->stream_handle array which has a size of 15. Current code didn't check the maximum index to make sure it didn't exceed the array size.
Bug: 62379525
Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0
Signed-off-by: Maggie White <maggiewhite@google.com>
-
Srinivas Girigowda authored
The wcnss platform driver updates the wlan calibration data from the user space wlan daemon. The wlan user space daemon stores the updated wlan calibration data reported by wlan firmware in user space and writes it back to the wcnss platform calibration data buffer for the calibration data download and update. During the wlan calibration data store and retrieve operation there are some potential race conditions which lead to memory leak and buffer overflow during the context switch. Fix the above issue by adding protection code and avoiding usage of a global pointer during the device file read and write operation.
Bug: 62377236
CRs-Fixed: 2015858
Change-Id: Ib5b57eb86dcb4e6ed799b5222d06396eaabfaad3
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-