- Jul 26, 2017
-
-
Se Wang (Patrick) Oh authored
As compat_hwcap_str[] doesn't end with 'NULL', c_show() tries to read the next element even after the end of the array. So add 'NULL' at the end of compat_hwcap_str[]. Below is the KASan report for referencing.

BUG: KASan: out of bounds access in c_show+0x110/0x248 at addr ffffffc0011f6370
Read of size 8 by task pool-1-thread-1/10526
page:ffffffbac14b39c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x400(reserved)
page dumped because: kasan: bad access detected
Address belongs to variable compat_hwcap_str+0xb0/0xe0
CPU: 0 PID: 10526 Comm: pool-1-thread-1 Tainted: G B W 3.18.18-ga7b28e9-11552-ge4a827f #1
Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT)
Call trace:
[<ffffffc000089ec4>] dump_backtrace+0x0/0x1c4
[<ffffffc00008a098>] show_stack+0x10/0x1c
[<ffffffc0011a7c58>] dump_stack+0x74/0xc8
[<ffffffc00020e94c>] kasan_report_error+0x2b0/0x408
[<ffffffc00020eb80>] kasan_report+0x34/0x40
[<ffffffc00020db14>] __asan_load8+0x84/0x90
[<ffffffc000088ae8>] c_show+0x10c/0x248
[<ffffffc000245bb8>] traverse+0x1a8/0x320
[<ffffffc000245dc8>] seq_lseek+0x98/0x148
[<ffffffc00028f4e0>] proc_reg_llseek+0xa0/0xd8
[<ffffffc000217d1c>] vfs_llseek+0x5c/0x70
[<ffffffc000218b0c>] SyS_lseek+0x48/0x80
[<ffffffc000218b50>] compat_SyS_lseek+0xc/0x18
Memory state around the buggy address:
 ffffffc0011f6200: 00 00 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
 ffffffc0011f6280: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffc0011f6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
 ^
 ffffffc0011f6380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffc0011f6400: 02 fa fa fa fa fa fa fa 00 00 00 02 fa fa fa fa

Change-Id: I5e2098f9a7a676c47a01baf10de3ac1c86265e69
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
Bug: 38198574
(cherry picked from 9f261e5d)
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
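The sentinel dependency described in the compat_hwcap_str[] commit above, as an added userspace example that is not the kernel code or the patch. The table contents, the bit-to-entry mapping and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed tables: bit j of the capability mask names entry j. */
static const char *const caps_terminated[] = {
    "swp", "half", "thumb", "fastmult", NULL
};
static const char *const caps_unterminated[] = { "swp", "half", "thumb" };

/* Append "name " to out; on truncation leave the string as it was. */
static size_t append(char *out, size_t used, size_t cap, const char *name)
{
    int n = snprintf(out + used, cap - used, "%s ", name);
    if (n < 0 || (size_t)n >= cap - used) {
        out[used] = '\0';
        return used;
    }
    return used + (size_t)n;
}

/* Sentinel walk, the loop shape the commit message describes: it stops only
 * at a NULL entry, so it is safe solely for tables that end with one. */
const char *show_sentinel(const char *const *tbl, unsigned long mask)
{
    static char out[128];
    size_t used = 0;

    out[0] = '\0';
    for (size_t j = 0; tbl[j]; j++)
        if (mask & (1UL << j))
            used = append(out, used, sizeof(out), tbl[j]);
    return out;
}

/* Bounded walk: the element count caps the loop, so a table that lost its
 * terminator is still never read past its last element. */
const char *show_bounded(const char *const *tbl, size_t n, unsigned long mask)
{
    static char out[128];
    size_t used = 0;

    out[0] = '\0';
    for (size_t j = 0; j < n && j < sizeof(mask) * 8 && tbl[j]; j++)
        if (mask & (1UL << j))
            used = append(out, used, sizeof(out), tbl[j]);
    return out;
}

int main(void)
{
    /* The sentinel walk is only ever given the terminated table. */
    printf("%s\n", show_sentinel(caps_terminated, 0x5));
    printf("%s\n", show_bounded(caps_unterminated,
                                ARRAY_SIZE(caps_unterminated), ~0UL));
    return 0;
}
```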
-
- Jul 24, 2017
-
-
Jonathan Solnit authored
September 2017.2 Bug: 63172865 Change-Id: Iad7a93cb4a233d90aff1341b7f155218765bf4e3
-
Jonathan Solnit authored
September 2017.2 Bug: 63172865 Change-Id: I8982a2fe7eef373a80d69643d89fa1fd2ff14eda
-
Jonathan Solnit authored
This reverts commit d712c809. Bug: 62201221 Change-Id: I4afda40088312cfcbde3a658c115301efa566929 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 0c72d4f9. Bug: 62201221 Change-Id: I5652be1199a194f53e143ba944a3535adc18eee0 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 57bd637a. Bug: 38027632 Change-Id: I112b6b36d6ef07fccb30c0101e7b2a184b2963ee Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 5df8c7a3. Bug: 38027632 Change-Id: I86de15f86019d2c84f73e3946090d139695867d5 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 3e80e7df. Bug: 37438302 Change-Id: If284d930c673c67f0edc0718096c12afc2813216 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 53b76d0b. Bug: 37239119 Change-Id: I9077e716ebb63dbb1ea2870a4a2eba9297d9893b Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 0dad2846. Bug: 36232584 Change-Id: Ia07360d38704c4840d20a4b94e38c59419d62c77 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Jonathan Solnit authored
This reverts commit 69e71b36. Bug: 35644370 Change-Id: I706b10fe129f24ef50d20f06fa60cd7bc179d151 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
- Jul 21, 2017
-
-
Jonathan Solnit authored
This reverts commit a193f921. Bug: 33548839 Change-Id: I47f898ebfc8b79dacd26f71a33c053b7786003d1 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
- Jul 18, 2017
-
-
Jonathan Solnit authored
September 2017.1 Bug: 63172865
-
Jonathan Solnit authored
September 2017.1 Bug: 63172865 Change-Id: I16f328f3f149ce01e5d3e43ad437fc1bac4481ed
-
Takashi Iwai authored
The read from ALSA timer device, the function snd_timer_user_tread(), may access uninitialized struct snd_timer_user fields when the read is concurrently performed while the ioctl like snd_timer_user_tselect() is invoked. We have already fixed the races among ioctls via a mutex, but we seem to have forgotten the race between read vs ioctl. This patch simply applies (more exactly extends the already applied range of) tu->ioctl_lock in snd_timer_user_tread() for closing the race window. Reported-by:
Alexander Potapenko <glider@google.com> Tested-by:
Alexander Potapenko <glider@google.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de> (cherry picked from commit d11662f4) Signed-off-by:
Connor O'Brien <connoro@google.com> Bug: 62201221 Change-Id: I67a3b5153c39ce9f6d7571b5aa8faabe5e3dbb83
-
Takashi Iwai authored
snd_timer_user_tselect() reallocates the queue buffer dynamically, but it forgot to reset its indices. Since the read may happen concurrently with ioctl and snd_timer_user_tselect() allocates the buffer via kmalloc(), this may lead to the leak of uninitialized kernel-space data, as spotted via KMSAN:

BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x143/0x1b0 lib/dump_stack.c:52
 kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
 kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
 copy_to_user ./arch/x86/include/asm/uaccess.h:725
 snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
 do_loop_readv_writev fs/read_write.c:716
 __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
 do_readv_writev fs/read_write.c:894
 vfs_readv fs/read_write.c:908
 do_readv+0x52a/0x5d0 fs/read_write.c:934
 SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
 SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices. Together with the previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit ba3021b2)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62201221
Change-Id: I8d3d97bb0e6c2eefd050bf46b860dd603fe3f4c6
-
Senthil Kumar Rajagopal authored
The pointer qbuf_buf comes from userspace. qbuf_buf->num_planes is used with no bound check, which, if set to a large value, will overflow buf_info->mapped_info and qbuf_buf->planes. CRs-Fixed: 2003798 Bug: 38196031 Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8 Signed-off-by:
Senthil Kumar Rajagopal <skrajago@codeaurora.org>
-
Eric Dumazet authored
[ Upstream commit ccf7abb9 ] Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue. __tcp_splice_read() returns 0, and sk_wait_data() immediately returns since there is the problematic skb in queue. This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups. Again, this gem was found by syzkaller tool. Fixes: 9c55e01c ("[TCP]: Splice receive support.") Bug: 37901268 Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Dmitry Vyukov <dvyukov@google.com> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I7fe9d900d1794828cbb86fea7450068ea5fe1e50
-
Maggie White authored
There is no bound check in stream_cfg_cmd->num_streams and it's used in several places as a maximum index into the stream_cfg_cmd->stream_handle array which has a size of 15. Current code didn't check the maximum index to make sure it didn't exceed the array size. Bug: 62379525 Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0 Signed-off-by:
Maggie White <maggiewhite@google.com>
-
Xiaojun Sang authored
msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used. CRs-Fixed: 2022953 Bug: 62379475 Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7 Signed-off-by:
Xiaojun Sang <xsang@codeaurora.org>
-
Sandeep Panda authored
If there is any failure while registering a DBA client with MDSS driver, then remove the client from device client list first and then free the client. Otherwise driver might crash when traversing the device client list in later stage, because of an uninitialized entry in the list. Bug: 62378788 Change-Id: I60666f4c3dea5c7ea7b7c77bcb14b080ee25b54d Signed-off-by:
Sandeep Panda <spanda@codeaurora.org> Signed-off-by:
Siqi Lin <siqilin@google.com> (am from https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=c9a6f09f1030cec591df837622cb54bbb2d24ddc)
-
Trishansh Bhardwaj authored
Use proper synchronization to ensure driver file is opened only once. CRs-Fixed: 2023513 Bug: 62378684 Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5 Signed-off-by:
Trishansh Bhardwaj <tbhardwa@codeaurora.org>
-
Maria Yu authored
Cldata needed to be protected by a lock, since a crash happened during a synchronous update and free. CRs-Fixed: 2034222 Bug: 62378596 Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c Signed-off-by:
Maria Yu <aiquny@codeaurora.org>
-
Srinivas Girigowda authored
The wcnss platform driver updates the wlan calibration data by the user space wlan daemon. The wlan user space daemon stores the updated wlan calibration data reported by wlan firmware in user space and writes it back to the wcnss platform calibration data buffer for the calibration data download and update. During the wlan calibration data store and retrieve operation there are some potential race conditions which lead to memory leak and buffer overflow during the context switch. Fix the above issue by adding protection code and avoid usage of global pointer during the device file read and write operation. Bug: 62377236 CRs-Fixed: 2015858 Change-Id: Ib5b57eb86dcb4e6ed799b5222d06396eaabfaad3 Signed-off-by:
Sarada Prasanna Garnayak <sgarna@codeaurora.org> Signed-off-by:
Srinivas Girigowda <sgirigow@codeaurora.org>
-
WANG Cong authored
Like commit 657831ff ("dccp/tcp: do not inherit mc_list from parent") we should clear ipv6_mc_list etc. for IPv6 sockets too. Cc: Eric Dumazet <edumazet@google.com> Bug: 62299478 Signed-off-by:
Cong Wang <xiyou.wangcong@gmail.com> Acked-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> (cherry picked from commit 83eaddab) Signed-off-by:
Connor O'Brien <connoro@google.com> Change-Id: I072f17a16ae8095c792ed05b73589a97c1d2a16b
-
Jan Kara authored
Huang has reported that in his powerfail testing he is seeing stale block contents in some of recently allocated blocks although he mounts ext4 in data=ordered mode. After some investigation I have found out that indeed when delayed allocation is used, we don't add inode to transaction's list of inodes needing flushing before commit. Originally we were doing that but commit f3b59291 removed the logic with a flawed argument that it is not needed. The problem is that although for delayed allocated blocks we write their contents immediately after allocating them, there is no guarantee that the IO scheduler or device doesn't reorder things and thus transaction allocating blocks and attaching them to inode can reach stable storage before actual block contents. Actually whenever we attach freshly allocated blocks to inode using a written extent, we should add inode to transaction's ordered inode list to make sure we properly wait for block contents to be written before committing the transaction. So that is what we do in this patch. This also handles other cases where stale data exposure was possible - like filling hole via mmap in data=ordered,nodelalloc mode. The only exception to the above rule are extending direct IO writes where blkdev_direct_IO() waits for IO to complete before increasing i_size and thus stale data exposure is not possible. For now we don't complicate the code with optimizing this special case since the overhead is pretty low. In case this is observed to be a performance problem we can always handle it using a special flag to ext4_map_blocks(). CC: stable@vger.kernel.org Fixes: f3b59291 Reported-by:
"HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com> Tested-by:
"HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
Theodore Ts'o <tytso@mit.edu> (cherry picked from commit 06bd3c36) Signed-off-by:
Connor O'Brien <connoro@google.com> Bug: 62198330 Change-Id: I94d10c119d5d53e3b652e654a7bdd1bd39d3f3e8
-
Eric Dumazet authored
syzkaller found a way to trigger double frees from ip_mc_drop_socket(). It turns out that we leave a copy of parent mc_list at accept() time, which is very bad. Very similar to commit 8b485ce6 ("tcp: do not inherit fastopen_req from parent"). Initial report from Pray3r, completed by Andrey one. Thanks a lot to them! Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Pray3r <pray3r.z@gmail.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Tested-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Roberto Pereira <rpere@google.com> (cherry picked from commit 657831ff) Bug: 38413975 Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Hugh Dickins authored
commit f4cb767d upstream. Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the end of unmapped_area_topdown(). Linus points out how MAP_FIXED (which does not have to respect our stack guard gap intentions) could result in gap_end below gap_start there. Fix that, and the similar case in its alternative, unmapped_area(). Change-Id: I57c1da473463659e39203ba0c8d6c99573beda1a Fixes: 1be7107f ("mm: larger stack guard gap, between vmas") Reported-by:
Dave Jones <davej@codemonkey.org.uk> Debugged-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Hugh Dickins <hughd@google.com> Acked-by:
Michal Hocko <mhocko@suse.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 38413813 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Hugh Dickins authored
commit 1be7107f upstream.

Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs like gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunately.

Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in the PAGE_SIZE units) which should cover larger alloca() and VLA stack allocations. It is obviously not a full fix because the problem is somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace, but that can be done later when somebody finds that the new 1MB is wrong for some special case applications. For now, add a kernel command line option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page: because although we could get away with accounting one extra page in a stack vma, accounting a larger gap can break userspace - case in point, a program run with "ulimit -S -v 20000" failed when the 1MB gap was counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard gap as a gap between vmas: using vm_start_gap() in place of vm_start (or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few places which need to respect the gap - mainly arch_get_unmapped_area(), and the vma tree's subtree_gap support for that.

Change-Id: Iad38214c2e22290e5e84365b20f53a9c0f534a40
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Tested-by: Helge Deller <deller@gmx.de> # parisc
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; s390 uses generic arch_get_unmapped_area()]
Signed-off-by: Willy Tarreau <w@1wt.eu>
[gkh: minor build fixes for 3.18]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 38413813
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
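A simplified userspace model of the two stack guard gap commits above (the gap kept between vmas, and the gap_end below gap_start case from the follow-up fix), added here as an example and not taken from the kernel patches. Only vm_start_gap(), stack_guard_gap, gap_start and gap_end are names from the commit messages; struct vma, gap_fits(), the 256-page default and all addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define VM_GROWSDOWN 0x1u

/* Assumed default: 256 pages, which is the 1MB the commit names for 4k pages. */
static uint64_t stack_guard_gap = 256ULL << PAGE_SHIFT;

struct vma {                      /* hypothetical stand-in for a kernel vma */
    uint64_t vm_start, vm_end;
    unsigned flags;
};

/* Constructed sample layout. fixed_vma models a MAP_FIXED mapping that was
 * placed inside the guard gap, which MAP_FIXED is allowed to do. */
static const struct vma stack_vma = { 0x7ffff0000000ULL, 0x7ffff0021000ULL, VM_GROWSDOWN };
static const struct vma far_vma   = { 0x7fffe0000000ULL, 0x7fffe0001000ULL, 0 };
static const struct vma fixed_vma = { 0x7fffefffc000ULL, 0x7fffefffd000ULL, 0 };
static const struct vma low_stack = { 0x80000ULL, 0x90000ULL, VM_GROWSDOWN };

/* Start of a vma as the address-space search should see it: a downward
 * growing stack also claims the guard gap below it. */
uint64_t vm_start_gap(const struct vma *v)
{
    uint64_t start = v->vm_start;

    if (v->flags & VM_GROWSDOWN) {
        start -= stack_guard_gap;
        if (start > v->vm_start)  /* wrapped below address 0 */
            start = 0;
    }
    return start;
}

/* Can `length` bytes be placed in the hole between prev and next?
 * ordered == 0 models the search without the gap_end/gap_start ordering
 * check; ordered == 1 rejects a hole whose end is not above its start. */
int gap_fits(const struct vma *prev, const struct vma *next,
             uint64_t length, int ordered)
{
    uint64_t gap_start = prev->vm_end;
    uint64_t gap_end = vm_start_gap(next);

    if (ordered && gap_end <= gap_start)
        return 0;
    return gap_end - gap_start >= length;  /* wraps when gap_end < gap_start */
}

int main(void)
{
    printf("stack seen from %#llx\n",
           (unsigned long long)vm_start_gap(&stack_vma));
    printf("one page next to MAP_FIXED mapping: unchecked=%d checked=%d\n",
           gap_fits(&fixed_vma, &stack_vma, 0x1000, 0),
           gap_fits(&fixed_vma, &stack_vma, 0x1000, 1));
    return 0;
}
```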
-
Siena Richard authored
Validate a buffer virtual address is fully within the region before returning the region to ensure functionality for an extended edge case. Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654 Signed-off-by:
Siena Richard <sienar@codeaurora.org> CRs-fixed: 1108461 Bug: 38195131 Change-Id: Ib527a380a857719bff8254be514133528bd64c75
-
Sureshnaidu Laveti authored
Correcting the return value for getting the actuator information IOCTL. CRs-Fixed: 1084177 Bug: 38027632 Change-Id: I2bbe7be3daedef45a5990c23168df5185e72e82f Signed-off-by:
Sureshnaidu Laveti <lsuresh@codeaurora.org>
-
Sureshnaidu Laveti authored
Since IOCTLS can come in any order, validating the actuator function table and methods before accessing them. CRs-Fixed: 1084177 Bug: 38027632 Change-Id: Ic6fce52fdf4d1420c2b707ec9bc9cba045066a13 Signed-off-by:
Sureshnaidu Laveti <lsuresh@codeaurora.org>
-
Eric Dumazet authored
commit d199fab6 upstream. Multiple threads can call fanout_add() at the same time. We need to grab fanout_mutex earlier to avoid races that could lead to one thread freeing po->rollover that was set by another thread. Do the same in fanout_release(), for peace of mind, and to help us find lockdep issues earlier. [js] no rollover in 3.12 Fixes: dc99f600 ("packet: Add fanout support.") Fixes: 0648ab70 ("packet: rollover prepare: per-socket state") Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Willem de Bruijn <willemb@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Jiri Slaby <jslaby@suse.cz> Signed-off-by:
Willy Tarreau <w@1wt.eu> (cherry picked from commit 2a272abc) Bug: 37897645 Change-Id: I3b021869ee26b88d10f4d6408ce34d351543ce74
-
Eric Dumazet authored
[ Upstream commit 7892032c ] Andrey Konovalov reported out of bound accesses in ip6gre_err(). If GRE flags contains GRE_KEY, the following expression *(((__be32 *)p) + (grehlen / 4) - 1) accesses data ~40 bytes after the expected point, since grehlen includes the size of IPv6 headers. Let's use a "struct gre_base_hdr *greh" pointer to make this code more readable. p[1] becomes greh->protocol. grehlen is the GRE header length. Fixes: c12b395a ("gre: Support GRE over IPv6") Bug: 37871211 Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I26a5edad79da26340260b054604234e08076b86d
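The offset arithmetic from the ip6gre_err() commit above, worked through as an added userspace example that is not the kernel patch. How the length counter was initialised before the fix is an assumption made to reproduce the ~40 byte displacement the message states; the sample packet and all function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_CSUM     0x8000u  /* checksum field present */
#define GRE_KEY      0x2000u  /* key field present */
#define GRE_BASE_LEN 4u       /* flags (2 bytes) + protocol (2 bytes) */
#define IPV6_HDR_LEN 40u

/* Constructed sample: 40 zero bytes standing in for the IPv6 header, then a
 * GRE header with the K bit set, protocol 0x86dd and key 0xdeadbeef. */
static const uint8_t sample_pkt[48] = {
    [40] = 0x20, 0x00, 0x86, 0xdd, 0xde, 0xad, 0xbe, 0xef
};

static size_t opt_len(uint16_t flags)
{
    return ((flags & GRE_CSUM) ? 4u : 0u) + ((flags & GRE_KEY) ? 4u : 0u);
}

/* Offset of the key from the GRE header when the length counter starts at
 * the GRE header's offset in the packet (assumed model of the old code):
 * the expression (grehlen / 4) - 1 then overshoots by that offset. */
size_t key_off_prefix(size_t gre_off, uint16_t flags)
{
    size_t grehlen = gre_off + GRE_BASE_LEN + opt_len(flags);
    return (grehlen / 4 - 1) * 4;
}

/* Same expression with grehlen counting only the GRE header. */
size_t key_off_fixed(uint16_t flags)
{
    size_t grehlen = GRE_BASE_LEN + opt_len(flags);
    return (grehlen / 4 - 1) * 4;
}

/* Read the key with explicit bounds checks.
 * Returns the key, -1 if the buffer is too short, -2 if no key is present. */
long long gre_read_key(const uint8_t *pkt, size_t len, size_t gre_off)
{
    if (gre_off > len || len - gre_off < GRE_BASE_LEN)
        return -1;

    const uint8_t *greh = pkt + gre_off;
    uint16_t flags = (uint16_t)(greh[0] << 8 | greh[1]);
    if (!(flags & GRE_KEY))
        return -2;

    size_t off = key_off_fixed(flags);
    if (len - gre_off < off + 4)
        return -1;

    const uint8_t *k = greh + off;
    return ((long long)k[0] << 24) | (k[1] << 16) | (k[2] << 8) | k[3];
}

int main(void)
{
    printf("key offset: old model %zu, fixed %zu\n",
           key_off_prefix(IPV6_HDR_LEN, GRE_KEY), key_off_fixed(GRE_KEY));
    printf("key: %#llx\n",
           gre_read_key(sample_pkt, sizeof(sample_pkt), IPV6_HDR_LEN));
    return 0;
}
```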
-
Chris Salls authored
commit cf01fb99 upstream. In the case that compat_get_bitmap fails we do not want to copy the bitmap to the user as it will contain uninitialized stack data and leak sensitive data. Signed-off-by:
Chris Salls <salls@cs.ucsb.edu> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ef67ca99) Bug: 37751399 Change-Id: I13d6c57c32c32747c62173fcd1fe0471c84ffb26 Signed-off-by:
Jonathan Solnit <jsolnit@google.com>
-
Srinivas Girigowda authored
qcacld-3.0 to qcacld-2.0 propagation. Currently there is no nl policy defined for vendor sub command QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX, which may result in a buffer overread error. To resolve this, add nl policy. Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b CRs-Fixed: 2058452 Bug: 37712167 Signed-off-by:
Srinivas Girigowda <sgirigow@codeaurora.org>
-
Ashish Garg authored
The number of cea blocks is read from the edid buffer, which comes from the user. If the number of cea blocks is more than the supported blocks, a kernel information leak is possible by reading more data than is present in edid_buf. Bug: 37567102 Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02 Signed-off-by:
Ashish Garg <ashigarg@codeaurora.org>
-
Dennis Cagle authored
In a multi-threaded environment the diglen variable could be modified by multiple threads at the same time. Buffer overflow might happen in current thread if another thread changes the diglen variable. So add mutex locks to avoid this issue. CRs-Fixed: 2010656 Git-repo: https://source.codeaurora.org/quic/la/kernel/msm-3.10 Git-commit: 70b719025fbef1fa98a2e3a823e583c836dd9bb2 Signed-off-by:
AnilKumar Chimata <anilc@codeaurora.org> Signed-off-by:
Dennis Cagle <d-cagle@codeaurora.org> Bug: 37438302 Change-Id: Ib123d494ce6d258e82f77f8ac5eeeec30ff35b1b Signed-off-by:
John Dias <joaodias@google.com>
-
Venu Yeshala authored
Change the format specifier in a debug print for ISPIF base address to avoid information leak. Bug: 37239119 Change-Id: Ic6c799349ea98448da113d8710300934d77079b8 Signed-off-by:
Venu Yeshala <vyeshala@codeaurora.org>
-
Srinivas Girigowda authored
Length of the MAC address is not checked, which may cause an out-of-bounds read issue. To resolve this, add a check for MAC address length. CRs-Fixed: 2051433 Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56 Bug: 36815555 Signed-off-by:
Srinivas Girigowda <sgirigow@codeaurora.org>
-