- Mar 14, 2018
Oleg Matcovschi authored
April 2018.2

Bug: 73498666
Change-Id: Id6c61080eabaa3690c688a64c62f5ee685e3a73f
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>

Skylar Chang authored
There is a race condition observed on the global variable num_q6_rule used in the IPA WAN driver. The fix is to add a lock to prevent different threads from accessing it at the same time.

Bug: 68992477
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>

Peng Xu authored
Define a policy for packet pattern attributes in order to fix a potential read over the end of the buffer during nla_get_u32() of the NL80211_PKTPAT_OFFSET attribute.

Note that the data there can always be read due to SKB allocation (with alignment and struct skb_shared_info at the end), but the data might be uninitialized. This could be used to leak some data from uninitialized vmalloc() memory, but most drivers don't allow an offset (so you'd just get -EINVAL if the data is non-zero) or just allow it with a fixed value - 100 or 128 bytes, so anything above that would get -EINVAL. With brcmfmac the limit is 1500 so (at least) one byte could be obtained.

Cc: stable@kernel.org
Bug: 64403015
Signed-off-by: Peng Xu <pxu@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[rewrite description based on SKB allocation knowledge]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Conflicts:
    net/wireless/nl80211.c

Git-commit: ad670233
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
CRs-fixed: 2116387
[Backport: Fix conflicts]
Signed-off-by: Vidyullatha Kanchanapally <vidyullatha@codeaurora.org>
Signed-off-by: Peng Xu <pxu@codeaurora.org>

Shihuan Liu authored
Add a null terminator at the end of the string extend_ioctl_data.u.rmnet_mux_val.vchannel_name to avoid a potential security issue.

Bug: 33967002
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>

Kevin Cernekee authored
[ Upstream commit 93c64764 ]

Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Bug: 70980949
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Srinivas Girigowda authored
Currently wake_info->vdev_id, received from the FW, is directly used to refer to wma->interfaces without validating if the vdev_id is valid. Add a sanity check to make sure vdev_id is less than max_bssid before using it.

CRs-Fixed: 2114363
Bug: 71501687
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>

Srinivas Girigowda authored
Add a sanity check for the vdev id in wma_vdev_start_resp_handler() to prevent out-of-bounds memory access.

CRs-Fixed: 2120424
Bug: 71501694
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>

tinlin authored
Calculate buf_len properly for the extscan hotlist event buffer in wma_extscan_hotlist_match_event_handler().

Bug: 72956920
CRs-Fixed: 2170578

Srinivas Girigowda authored
Propagation from qcacld-3.0 to qcacld-2.0.

There is a possibility of a buffer overread while processing PTT commands, because the packet length check is missing. While processing PTT commands, validate the packet length to make sure there is no buffer overread.

CRs-Fixed: 2125577
Bug: 65853393
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>

Marissa Wall authored
Andrey Konovalov reported a possible out-of-bounds problem for the cdc_parse_cdc_header function. He writes:

    It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is

        while (buflen > 0).

So fix this issue up by properly validating that the buffer length matches what the descriptor says it is.

(cherry picked from commit 2e1c4239)

(The original patch fixed the generic cdc_parser_cdc_header function. That generic function did not exist in 3.18, but there are a couple of cdc parsers that suffer from the same underlying problem.)

Bug: 69052594
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marissa Wall <marissaw@google.com>

Nicolai Stange authored
commit 9561475d upstream.

The driver_override implementation is susceptible to a race condition when different threads are reading vs. storing a different driver override. Add locking to avoid the race condition.

This is in close analogy to commit 62655397 ("driver core: platform: fix race condition with driver_override") from Adrian Salido.

Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override")
Bug: 69128924
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Eric Biggers authored
With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp().

[Also clean up the code to deduplicate some logic.]

Cc: linux-stable <stable@vger.kernel.org> # 3.18.y
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Bug: 70526974
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
(cherry picked from commit 794b4bc2)

Jonathan Solnit authored
[ Upstream commit 8f659a03 ]

inet->hdrincl is racy, and could lead to uninitialized stack pointer usage, so its value should be read only once.

Bug: 71500434
Fixes: c008ba5b ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>

Gopikrishna Mogasati authored
This fix checks the validity of the dci client's process descriptor before issuing a signal to it when a subsystem restart is performed. This fix avoids accessing the cleaned-up process descriptor's fields.

CRs-Fixed: 2047235
Bug: 71501666
Signed-off-by: Gopikrishna Mogasati <gmogas@codeaurora.org>

Abhinav Kumar authored
In the function wma_extscan_hotlist_match_event_handler, numap and src_hotlist are received from the FW. src_hotlist is a pointer to the hotlist data and is looped over numap times and copied to the local buffer dest_hotlist. If the value of numap is not equal to the number of src_hotlist entries present in the buffer, a buffer overread would occur during memcpy.

Add a check to validate that the len of the buffer received from the FW is not less than the size of the fixparam struct + (numap * src_hotlist structure).

Bug: 72956920
CRs-Fixed: 2148646

Abhinav Kumar authored
Currently, the value of param_buf->num_tbttoffset_list received from the FW is used to allocate the memory for a local buffer to store the tbtt offset list. If the value of param_buf->num_tbttoffset_list is very large, then during memory allocation the input argument can overflow. As a result of this integer overflow, a heap overwrite can occur during memory copy.

Add a sanity check to make sure param_buf->num_tbttoffset_list does not exceed the maximum limit.

Bug: 71501686
CRs-Fixed: 2114336
Signed-off-by: Ecco Park <eccopark@google.com>

gaurank kathpalia authored
In the function "wma_extscan_start_stop_event_handler", the variable "event" is coming from the FW, whose content is copied to the variable "buf". The variable "vdev_id" equals "event->vdev_id". "vdev_id" is a uint8_t value with no limit check, so a buffer overwrite is possible.

Add a sanity check for vdev-id to avoid the buffer overwrite.

Bug: 71501691
CRs-Fixed: 2115207
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>

Abhinav Kumar authored
Currently, sta_add_event->data_len received from the FW is used to copy data from buf_ptr to add_sta_req, which is allocated only for the fixed size of the sap_offload_add_sta_req structure. If data_len received from the FW is greater than the size of the sap_offload_add_sta_req structure, a buffer overwrite will occur.

Add a sanity check to make sure sta_add_event->data_len is not greater than MAX_CONNECT_REQ_LENGTH.

Bug: 71501692
CRs-Fixed: 2115221
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>

Bala Venkatesh authored
After deriving the vdev_id from the vdev map in wma_beacon_swba_handler, check for the validity of the vdev_id.

Bug: 71501695
CRs-Fixed: 2115134
Signed-off-by: Ecco Park <eccopark@google.com>

Aditya Bavanari authored
Add boundary checks for the APR port received from the ADSP.

CRs-Fixed: 2143207
Bug: 72956842
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>

Ghanim Fodi authored
The default IPA header is added or deleted by the driver directly and not by a user space application. This change prevents adding/deleting it from a user application, which may cause inconsistencies in the driver. The change also fixes the header reset function to skip the correct default header.

Bug: 72957269
CRs-fixed: 2151146
Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org>

Vignesh Viswanathan authored
In the function ProcSetReqInternal, valueLen is obtained from the message buffer pParam. This valueLen is used as an argument to the function GetStrValue, where the contents of the buffer pParam are copied to pMac->cfg.gSBuffer for valueLen number of bytes. However, the array pMac->cfg.gSBuffer is a static array of size CFG_MAX_STR_LEN. If the value of valueLen exceeds CFG_MAX_STR_LEN, a buffer overwrite will occur in GetStrValue.

Add a sanity check to make sure valueLen does not exceed CFG_MAX_STR_LEN.

Bug: 72957177
CRs-Fixed: 2143847

Tiger Yu authored
Check the validity of peer_id when receiving the htt message HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware to ensure that a buffer overflow does not happen.

Bug: 72956997
CRs-Fixed: 2147119

Tiger Yu authored
Check the validity of tid when receiving the htt message HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware to ensure that a buffer overflow does not happen. Also correct the sequence number type from signed int to unsigned.

Bug: 72957235
CRs-Fixed: 2149399

Poddar, Siddarth authored
Check for buffer overflow for pktlog messages in the process_tx_info function before doing the mem copy.

Bug: 72957136
CRs-Fixed: 2154331

- Feb 07, 2018
Santhosh Behara authored
Increase the minimum input buffer count for VP9 decode to 6, as some vp9 clips which have superframes with more than 4 subframes require more than 4 reference buffers to decode.

Bug: 65175134
Change-Id: I561f4c3ad4c4a94c36293c26aab3a9c9423e9268
Signed-off-by: Deepak Kushwah <dkushwah@codeaurora.org>
Signed-off-by: Santhosh Behara <santhoshbehara@codeaurora.org>

- Jan 17, 2018
Wei Wang authored
March 2018.2

Bug: 72042274
Change-Id: Ibdf51d841a19daee70589df6d9ba4a5492fac9e2

- Jan 16, 2018
Greg Hackmann authored
uaccess_disable_not_uao now uses a second temporary register for stashing IRQ flags. Again, update the out-of-tree uaccess macro usage in __dma_flush_range to match.

Bug: 69856074
Change-Id: Ib114decb19f013107ebdd2d28a909631c0839f8b
Signed-off-by: Greg Hackmann <ghackmann@google.com>

Catalin Marinas authored
With ARM64_SW_TTBR0_PAN enabled, the exception entry code checks the active ASID to decide whether user access was enabled (non-zero ASID) when the exception was taken. On return from exception, if user access was previously disabled, it re-instates TTBR0_EL1 from the per-thread saved value (updated in switch_mm() or efi_set_pgd()).

Commit 7655abb9 ("arm64: mm: Move ASID from TTBR0 to TTBR1") makes TTBR0_EL1 + ASID switching non-atomic. Subsequently, commit 27a921e7 ("arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN") changes the __uaccess_ttbr0_disable() function and asm macro to first write the reserved TTBR0_EL1 followed by the ASID=0 update in TTBR1_EL1. If an exception occurs between these two, the exception return code will re-instate a valid TTBR0_EL1. A similar scenario can happen in cpu_switch_mm() between setting the reserved TTBR0_EL1 and the ASID update in cpu_do_switch_mm().

This patch reverts the entry.S check for ASID == 0 to TTBR0_EL1 and disables the interrupts around the TTBR0_EL1 and ASID switching code in __uaccess_ttbr0_disable(). It also ensures that, when returning from the EFI runtime services, efi_set_pgd() doesn't leave a non-zero ASID in TTBR1_EL1 by using uaccess_ttbr0_{enable,disable}.

The accesses to current_thread_info()->ttbr0 are updated to use READ_ONCE/WRITE_ONCE.

As a safety measure, __uaccess_ttbr0_enable() always masks out any existing non-zero ASID in TTBR1_EL1 before writing in the new ASID.

Fixes: 27a921e7 ("arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN")
Acked-by: Will Deacon <will.deacon@arm.com>
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: James Morse <james.morse@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Co-developed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git commit 6b88a32c)
Bug: 69856074
Change-Id: I1597fe926e4d7fc0f2c19dc63efbd359b5033796
[ghackmann@google.com:
 - adjust context
 - apply asm-uaccess.h changes to uaccess.h, and efi.h changes to efi.c]
Signed-off-by: Greg Hackmann <ghackmann@google.com>

Marc Zyngier authored
We will soon need to invoke a CPU-specific function pointer after changing page tables, so move post_ttbr_update_workaround out into C code to make this possible.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
(cherry picked from git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git commit 400a169447ad2268b023637a118fba27246bcc19)
Bug: 69856074
Change-Id: Ic21e59001470a2e88db7291eb5f6393f8a64a7dd
[ghackmann@google.com: 3.18 doesn't support CPUs that need the Cavium errata, so for now post_ttbr_update_workaround() is an empty stub that will be used in a later patch series.]
Signed-off-by: Greg Hackmann <ghackmann@google.com>

- Jan 12, 2018
Wei Wang authored
March 2018.1

Change-Id: Idaab8c961102611abd6371ae24341a855e022cdd

Will Deacon authored
Although CONFIG_UNMAP_KERNEL_AT_EL0 does make KASLR more robust, it's actually more useful as a mitigation against speculation attacks that can leak arbitrary kernel data to userspace through speculation.

Reword the Kconfig help message to reflect this, and make the option depend on EXPERT so that it is on by default for the majority of users.

Bug: 69856074
Change-Id: I2d8cb517bce5083c5aa70d28c6a56e9dc4f9b980
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Will Deacon authored
Speculation attacks against the entry trampoline can potentially resteer the speculative instruction stream through the indirect branch and into arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction through the return stack: a dummy BL instruction loads an entry into the stack, so that the predicted program flow of the subsequent RET instruction is to a branch-to-self instruction which is finally resolved as a branch to the kernel vectors with speculation suppressed.

Bug: 69856074
Change-Id: I23f435f16031575523a76427e6f0143e744d573d
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Will Deacon authored
The literal pool entry for identifying the vectors base is the only piece of information in the trampoline page that identifies the true location of the kernel.

This patch moves it into a page-aligned region of the .rodata section and maps this adjacent to the trampoline text via an additional fixmap entry, which protects against any accidental leakage of the trampoline contents.

Bug: 69856074
Change-Id: I7f825ef3df0aa487ad417ef0a9bd5740e7285923
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>

Will Deacon authored
There are now a handful of open-coded masks to extract the ASID from a TTBR value, so introduce a TTBR_ASID_MASK and use that instead.

Bug: 69856074
Change-Id: Iffa589543a4af87b97118becfa784678d0e34509
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>

Will Deacon authored
Allow explicit disabling of the entry trampoline on the kernel command line (kpti=off) by adding a fake CPU feature (ARM64_UNMAP_KERNEL_AT_EL0) that can be used to toggle the alternative sequences in our entry code and avoid use of the trampoline altogether if desired. This also allows us to make use of a static key in arm64_kernel_unmapped_at_el0().

Bug: 69856074
Change-Id: I01807c661449f4146accba10bcc8f758875d6b61
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>

Will Deacon authored
When unmapping the kernel at EL0, we use tpidrro_el0 as a scratch register during exception entry from native tasks and subsequently zero it in the kernel_ventry macro. We can therefore avoid zeroing tpidrro_el0 in the context-switch path for native tasks using the entry trampoline.

Bug: 69856074
Change-Id: I9ce06eed51ab6e3d5bc34dfcb46b3af376d443c7
Signed-off-by: Will Deacon <will.deacon@arm.com>

Will Deacon authored
We rely on an atomic swizzling of TTBR1 when transitioning from the entry trampoline to the kernel proper on an exception. We can't rely on this atomicity in the face of Falkor erratum #E1003, so on affected cores we can issue a TLB invalidation to invalidate the walk cache prior to jumping into the kernel. There is still the possibility of a TLB conflict here due to conflicting walk cache entries prior to the invalidation, but this doesn't appear to be the case on these CPUs in practice.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[ghackmann@gmail.com: due to missing errata infrastructure, convert alternative_if to compile-time check for CONFIG_ARCH_MSM8996]
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Bug: 69856074
Change-Id: I20e45e0a5ad384dc2a93212508c5bb7321c183df

Will Deacon authored
Hook up the entry trampoline to our exception vectors so that all exceptions from and returns to EL0 go via the trampoline, which swizzles the vector base register accordingly.

Transitioning to and from the kernel clobbers x30, so we use tpidrro_el0 and far_el1 as scratch registers for native tasks.

Bug: 69856074
Change-Id: I1b03e5a5cce2be6892f5a8cd8d2857d134a74c18
Signed-off-by: Will Deacon <will.deacon@arm.com>

Will Deacon authored
We will need to treat exceptions from EL0 differently in kernel_ventry, so rework the macro to take the exception level as an argument and construct the branch target using that.

Bug: 69856074
Change-Id: Ifceb09e20aa831b58bb9d1ced88a81840183a2f1
Signed-off-by: Will Deacon <will.deacon@arm.com>