- Nov 04, 2016
Colin Cross authored
prctl_set_vma_anon_name could attempt to set the name across two vmas at the same time due to a typo, which might corrupt the vma list. Fix it to use tmp instead of end to limit the name setting to a single vma at a time.

Change-Id: Ie32d8ddb0fd547efbeedd6528acdab5ca5b308b4
Reported-by: Jed Davis <jld@mozilla.com>
Signed-off-by: Colin Cross <ccross@android.com>
-
- Oct 17, 2016
Lianchao Song authored
CVE-2016-5696

Yue Cao claims that current host rate limiting of challenge ACKs (RFC 5961) could leak enough information to allow a patient attacker to hijack TCP sessions. He will soon provide details in an academic paper.

This patch increases the default limit from 100 to 1000, and adds some randomization so that the attacker can no longer hijack sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.

Change-Id: I7b53e7006f54c459885a6c51a1f2b4d96b26e3a2
Fixes: 282f23c6 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
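The side channel and the randomised budget that this commit describes, shown as an added example in C that is not part of the kernel patch or of this repository: a user-space model of the per-host challenge ACK budget, with the pre-patch fixed count and the patched count drawn from [limit/2, limit/2 + limit) once per second. The attacker model (spoofed in-window probes whose challenge ACKs go to the real peer, then a flood on the attacker's own connection to count what is left), the xorshift generator standing in for prandom_u32() and all numbers are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the per-host challenge
 * ACK budget in tcp_send_challenge_ack(). Each instance is either the pre-patch
 * fixed budget or the patched randomised budget. */
struct limiter {
    uint32_t limit;      /* sysctl_tcp_challenge_ack_limit: 100 before, 1000 after */
    bool randomize;      /* false = fixed budget (pre-patch), true = patched */
    uint32_t timestamp;  /* the second for which `count` was computed */
    uint32_t count;      /* challenge ACKs still permitted in that second */
    uint32_t rng;        /* xorshift state standing in for prandom_u32() */
};

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

static void limiter_init(struct limiter *l, uint32_t limit, bool randomize, uint32_t seed)
{
    l->limit = limit;
    l->randomize = randomize;
    l->timestamp = 0;
    l->count = 0;
    l->rng = seed ? seed : 1;        /* xorshift must not start at zero */
}

/* Decide whether a challenge ACK is sent for a segment arriving in second `now`. */
static bool challenge_ack(struct limiter *l, uint32_t now)
{
    if (now != l->timestamp) {
        uint32_t half = (l->limit + 1) >> 1;
        l->timestamp = now;
        /* Patched budget is uniform in [half, half + limit): the attacker still
         * counts the ACKs it receives but no longer knows what it started from. */
        l->count = l->randomize ? half + xorshift32(&l->rng) % l->limit : l->limit;
    }
    if (l->count > 0) {
        l->count--;
        return true;
    }
    return false;
}

/* One second of probing: `hits` spoofed segments land in the window of the
 * victim's connection with its real peer (each burns one challenge ACK the
 * attacker never sees), then the attacker floods its own connection with more
 * segments than any budget allows and counts the challenge ACKs it receives. */
static uint32_t attacker_observe(struct limiter *l, uint32_t now, uint32_t hits)
{
    uint32_t seen = 0;
    for (uint32_t i = 0; i < hits; i++)
        challenge_ack(l, now);             /* reply goes to the real peer */
    for (uint32_t i = 0; i < 2 * l->limit; i++)
        if (challenge_ack(l, now))
            seen++;
    return seen;
}

/* Run one probing second against a fresh limiter; returns what the attacker saw. */
static uint32_t observe_fresh(uint32_t limit, bool randomize, uint32_t seed, uint32_t hits)
{
    struct limiter l;
    limiter_init(&l, limit, randomize, seed);
    return attacker_observe(&l, 1, hits);
}

/* Pre-patch inference: the budget was exactly `limit`, so every missing ACK is
 * an in-window hit. Against the randomised budget the same arithmetic is off
 * by an unknown offset of up to limit/2 in either direction. */
static uint32_t infer_hits_fixed(uint32_t limit, uint32_t seen)
{
    return limit - seen;
}

int main(void)
{
    uint32_t seen = observe_fresh(100, false, 7, 3);
    printf("fixed budget 100: attacker saw %u ACKs, infers %u in-window hits\n",
           seen, infer_hits_fixed(100, seen));
    for (uint32_t s = 1; s <= 3; s++)
        printf("random budget 1000, seed %u: attacker saw %u ACKs for 3 hits\n",
               s, observe_fresh(1000, true, s * 977, 3));
    return 0;
}
```

With the fixed budget the attacker recovers the in-window hit count exactly as limit minus the ACKs it received. With the randomised budget the observation is consistent with a whole range of hit counts, so a single second no longer answers the question and the attacker must spend far more probes, which is the point the commit message makes.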
-
Maggie Lee authored
Merge "qseecom: validate the inputs of __qseecom_send_modfd_resp" into android-msm-sturgeon-3.10-emr1
-
- Oct 16, 2016
Maggie Lee authored
Merge "drivers: binder: Fix elevation of privilege vulnerability in system_server" into android-msm-sturgeon-3.10-emr1
-
Maggie Lee authored
Merge "drivers: soc: Add buffer overflow check for svc send request" into android-msm-sturgeon-3.10-emr1
-
Maggie Lee authored
Merge "ASoC: msm-lsm-client: free lsm client data in msm_lsm_close" into android-msm-sturgeon-3.10-emr1
-
Maggie Lee authored
Merge "msm: ipa: handle information leak on ADD_FLT_RULE_INDEX ioctl" into android-msm-sturgeon-3.10-emr1
-
Maggie Lee authored
Merge "msm: crypto: Fix integer overflow check in qcedev driver" into android-msm-sturgeon-3.10-emr1
-
Lianchao Song authored
BUG: 31766306
Change-Id: I43ad99c6f0a85e0fd02a632781dd102015e29fce
Signed-off-by: h00232396 <h00232396@notesmail.huawei.com>
(cherry picked from commit b99a920d)
-
Lianchao Song authored
CVE-2016-7117

The syzkaller fuzzer hit the following use-after-free:

Call Trace:
 [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
 [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
 [<     inline     >] SYSC_recvmmsg net/socket.c:2281
 [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
 [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the reference and then touch it when the underlying recvmsg calls return some packets and then hit an error, which will make recvmmsg set sock->sk->sk_err, oops, fix it.

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e27255 ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ibc11b0c76d57d1dfa4700cca9ec09643450df6fc
-
Lianchao Song authored
CVE-2015-8956

An information disclosure vulnerability in Bluetooth could enable a local malicious application to access data outside of its permission levels. In the rfcomm_sock_bind function, the addr struct copied back to user space contains uninitialized fields potentially leading to an information leak. The fix is designed to initialize all fields of the addr struct to prevent the potential information leak.

Change-Id: I2259bcd1d47062bb7c3eff4cf239dad516209acd
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
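The pattern behind this leak, as an added example in C that is not the Bluetooth driver's code: a user-space model of a socket address structure that is filled in only on one path and then copied out whole, beside the version that clears the object first. The struct layout, the `bound` flag, the 0xAA residue pattern standing in for stale stack contents and the simulated copy-to-user step are all constructed for the example; clearing the whole object also covers the compiler's padding byte, which no field assignment ever writes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the rfcomm driver: a user-space model of an address
 * structure filled in partially and copied out whole. Layout, the `bound`
 * flag and the 0xAA residue pattern are constructed for the example. */
struct rc_addr {
    uint16_t family;
    uint8_t  bdaddr[6];
    uint8_t  channel;       /* 9 bytes of fields; the compiler pads the struct */
};

struct rc_sock {
    int     bound;          /* whether an address has been assigned */
    uint8_t bdaddr[6];
    uint8_t channel;
};

#define AF_BT    31         /* AF_BLUETOOTH */
#define RESIDUE  0xAA       /* stands in for stale data left on the kernel stack */

/* Leaky pattern: fields are written only on the bound path and the padding is
 * never written, so stack residue travels to user space inside the struct. */
static void getname_leaky(const struct rc_sock *sk, struct rc_addr *sa)
{
    sa->family = AF_BT;
    if (sk->bound) {
        memcpy(sa->bdaddr, sk->bdaddr, sizeof sa->bdaddr);
        sa->channel = sk->channel;
    }
}

/* Fixed pattern: clear the whole object first, then fill in what is known. */
static void getname_fixed(const struct rc_sock *sk, struct rc_addr *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->family = AF_BT;
    if (sk->bound) {
        memcpy(sa->bdaddr, sk->bdaddr, sizeof sa->bdaddr);
        sa->channel = sk->channel;
    }
}

/* Simulated syscall: the kernel-side struct starts out holding residue, the
 * driver fills it, and the whole object representation is copied to the
 * caller. Returns the number of residue bytes that reached user space. */
static size_t leaked_bytes(void (*getname)(const struct rc_sock *, struct rc_addr *),
                           const struct rc_sock *sk)
{
    union { struct rc_addr sa; uint8_t raw[sizeof(struct rc_addr)]; } k;
    uint8_t user_copy[sizeof(struct rc_addr)];
    size_t leaked = 0;

    memset(k.raw, RESIDUE, sizeof k.raw);       /* what an earlier call left behind */
    getname(sk, &k.sa);
    memcpy(user_copy, k.raw, sizeof user_copy); /* copy_to_user() */
    for (size_t i = 0; i < sizeof user_copy; i++)
        if (user_copy[i] == RESIDUE)
            leaked++;
    return leaked;
}

/* Constructed sockets: one bound to a made-up address, one never bound. */
static const struct rc_sock bound_sock   = { 1, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 3 };
static const struct rc_sock unbound_sock = { 0, {0}, 0 };

int main(void)
{
    printf("struct rc_addr is %zu bytes, of which 9 are fields\n", sizeof(struct rc_addr));
    printf("leaky: unbound leaks %zu bytes, bound leaks %zu bytes\n",
           leaked_bytes(getname_leaky, &unbound_sock),
           leaked_bytes(getname_leaky, &bound_sock));
    printf("fixed: unbound leaks %zu bytes, bound leaks %zu bytes\n",
           leaked_bytes(getname_fixed, &unbound_sock),
           leaked_bytes(getname_fixed, &bound_sock));
    return 0;
}
```

The unbound path leaks everything except the two family bytes; the bound path still leaks the padding byte, which is why the fix has to clear the whole object rather than assign the fields it knows about.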
-
Lianchao Song authored
CVE-2016-6684

An information disclosure vulnerability in Sync could enable a local malicious application to access data outside of its permission levels. The format specifier %p can leak kernel addresses while not valuing the kptr_restrict system settings. The fix is designed to use %pK instead of %p, which also evaluates whether kptr_restrict is set.

Change-Id: I76f9b6fd3ea7f387514ce9d982f053ae11f2f4a1
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2016-6683

An information disclosure vulnerability in Binder could enable a local malicious application to access data outside of its permission levels. The format specifier %p can leak kernel addresses while not valuing the kptr_restrict system settings. The fix is designed to use %pK instead of %p, which also evaluates whether kptr_restrict is set.

Change-Id: Ibd4ea94afc7e80524870728ba8335eb84e2605b0
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2016-6689

An information disclosure vulnerability in Binder could enable a local malicious application to access data outside of its permission levels. The interaction between the kernel /dev/binder and the usermode Parcel.cpp means that when a Binder object is passed as BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER, a pointer to that object (in the server process) is leaked to the client process as the cookie value. This leads to a leak of a heap address in many of the privileged Binder services, including system_server. The fix is designed to zero out the Binder pointer and cookie before sending it to the client process.

Change-Id: Ic8f21578b4a5889813ce66af15002c9d7ae8f6cf
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2016-6690

A denial of service vulnerability in the kernel could allow a local malicious application to cause a device reboot. There is no validation of the codec variable passed to the snd_soc_read and snd_soc_write functions. The fix is designed to add a check for null function pointers in the dummy sound driver.

Change-Id: I970a46b17fe3d54af37699b2d3a1cb83b9227528
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2016-6674

The usage of weak references instead of strong references in Binder can potentially lead to a use-after-free vulnerability in system_server. The fix is designed to no longer allow weak references in cases where strong references are needed.

Change-Id: I2083cdcffdae042fd1c5399ed41f3f4fe0b059ea
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2015-8955

The perf core implicitly rejects events spanning multiple HW PMUs, as in these cases the event->ctx will differ. However this validation is performed after pmu::event_init() is called in perf_init_event(), and thus pmu::event_init() may be called with a group leader from a different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when validating groups assumes that it can call to_arm_pmu(event->pmu) for any HW event. When the event in question is from another HW PMU this is wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject events from other PMUs, moving the to_arm_pmu and related logic after this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
sp : ffffffc07b0a3ba0
[<          (null)>] (null)
[<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
[<ffffffc00015d870>] perf_try_init_event+0x34/0x70
[<ffffffc000164094>] perf_init_event+0xe0/0x10c
[<ffffffc000164348>] perf_event_alloc+0x288/0x358
[<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know that we are dealing with an arm pmu event.

Change-Id: I4293ce37a52c4be1b4787bb42394f96f44bed973
Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
-
Lianchao Song authored
CVE-2015-8950

[ Upstream commit 6829e274 ]

Buffers allocated by dma_alloc_coherent() are always zeroed on Alpha, ARM (32bit), MIPS, PowerPC, x86/x86_64 and probably other architectures. It turned out that some drivers rely on this 'feature'. Allocated buffer might be also exposed to userspace with dma_mmap() call, so clearing it is desired from security point of view to avoid exposing random memory to userspace.

This patch unifies dma_alloc_coherent() behavior on ARM64 architecture with other implementations by unconditionally zeroing allocated buffer.

CRs-Fixed: 1041735
Change-Id: I74bf024e0f603ca8c0b05430dc2ee154d579cfb2
Cc: <stable@vger.kernel.org> # v3.14+
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Git-commit: a142e964
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[lmark@codeaurora.org: resolve merge conflicts]
Signed-off-by: Liam Mark <lmark@codeaurora.org>
-
Lianchao Song authored
CVE-2016-0758

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, it isn't validated against the remaining amount of data before being added to the cursor. With a sufficiently large size indicated, the check:

	datalen - dp < 2

may then fail due to integer overflow. Fix this by checking the length indicated against the amount of remaining data in both places a definite length is determined.

Whilst we're at it, make the following changes:

(1) Check the maximum size of extended length does not exceed the capacity of the variable it's being stored in (len) rather than the type that variable is assumed to be (size_t).

(2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the integer 0.

(3) To reduce confusion, move the initialisation of len outside of:

	for (len = 0; n > 0; n--) {

since it doesn't have anything to do with the loop counter n.

Change-Id: Idf5e0106f4d027f93fcad2ae3889e5f3d7ac7ffc
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
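The length validation this commit describes, as an added example in C that is not the kernel's lib/asn1_decoder.c: a BER tag/length reader with the three listed changes applied, beside the unchecked cursor update it replaces, driven by constructed buffers. The function names, the status enum and the sample encodings are the example's own; indefinite-length encoding is reported rather than decoded.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the kernel's lib/asn1_decoder.c: a BER tag/length reader
 * applying the checks the commit message describes, next to the unchecked
 * cursor update it replaces. All inputs below are constructed. */

#define ASN1_EOC 0x00   /* end-of-contents tag, compared by name, not as 0 */

enum asn1_status { ASN1_OK = 0, ASN1_ERR_TRUNCATED, ASN1_ERR_LENGTH_TOO_BIG, ASN1_ERR_INDEFINITE };

struct asn1_tlv {
    uint8_t tag;
    size_t len, contents;   /* contents length and offset of its first byte */
    int eoc;                /* nonzero for an end-of-contents marker */
};

/* Read the TLV at *dp within data[0, datalen); validate the length against the
 * data that actually remains; then advance *dp past the contents. */
static enum asn1_status asn1_read_tlv(const uint8_t *data, size_t datalen,
                                      size_t *dp, struct asn1_tlv *out)
{
    size_t pos = *dp;
    size_t len = 0;                  /* (3) initialised here, not in a loop header */

    if (pos > datalen || datalen - pos < 2)
        return ASN1_ERR_TRUNCATED;   /* need the tag and the first length octet */
    uint8_t tag = data[pos++];
    uint8_t lb = data[pos++];

    if (tag == ASN1_EOC && lb == 0) { /* (2) symbolic constant, not literal 0 */
        *out = (struct asn1_tlv){ tag, 0, pos, 1 };
        *dp = pos;
        return ASN1_OK;
    }
    if (lb < 0x80) {
        len = lb;                    /* short form */
    } else if (lb == 0x80) {
        return ASN1_ERR_INDEFINITE;  /* out of scope for this example */
    } else {
        unsigned n = lb & 0x7f;      /* long form: n further length octets */
        if (n > sizeof(len))         /* (1) must fit the variable `len` itself */
            return ASN1_ERR_LENGTH_TOO_BIG;
        if (datalen - pos < n)       /* the length octets must be present */
            return ASN1_ERR_TRUNCATED;
        for (; n > 0; n--)
            len = (len << 8) | data[pos++];
    }
    /* The check the fix adds: compare the indicated length with what remains
     * before adding it to the cursor, so the cursor can never wrap. */
    if (len > datalen - pos)
        return ASN1_ERR_TRUNCATED;
    *out = (struct asn1_tlv){ tag, len, pos, 0 };
    *dp = pos + len;                 /* at most datalen */
    return ASN1_OK;
}

/* Pre-fix shape of the cursor update, kept for contrast: the header is read in
 * bounds, but the indicated length is added to the cursor unchecked. */
static size_t asn1_unchecked_advance(const uint8_t *data, size_t datalen)
{
    size_t pos = 2, len = 0;
    if (datalen < 2)
        return datalen;
    if (data[1] < 0x80)
        len = data[1];
    else
        for (unsigned n = data[1] & 0x7f; n > 0 && pos < datalen; n--)
            len = (len << 8) | data[pos++];
    return pos + len;                /* may lie far beyond datalen */
}

/* The original overrun test "datalen - dp < 2" on that cursor: returns 1 when
 * the subtraction wraps and decoding would wrongly continue past the buffer. */
static int overrun_check_fooled(const uint8_t *data, size_t datalen)
{
    size_t dp = asn1_unchecked_advance(data, datalen);
    return !(datalen - dp < 2);
}

/* Walk the top-level TLVs of a buffer; returns the element count or -1. */
static int asn1_count_elements(const uint8_t *data, size_t datalen)
{
    size_t dp = 0;
    int count = 0;
    struct asn1_tlv tlv;
    while (dp < datalen) {
        if (asn1_read_tlv(data, datalen, &dp, &tlv) != ASN1_OK)
            return -1;
        count++;
    }
    return count;
}

/* Constructed inputs: a SEQUENCE of two INTEGERs; a SEQUENCE whose 4-octet
 * length 0x7ffffff0 dwarfs the 9-byte buffer; a length field claiming 9 octets. */
static const uint8_t good_seq[] = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07 };
static const uint8_t huge_len[] = { 0x30, 0x84, 0x7f, 0xff, 0xff, 0xf0, 0x02, 0x01, 0x05 };
static const uint8_t wide_len[] = { 0x30, 0x89, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
```

On huge_len the checked reader rejects the element because 0x7ffffff0 exceeds the 3 bytes remaining after the header, while the unchecked update moves the cursor to 0x7ffffff6; evaluating datalen - dp on that cursor wraps to a large unsigned value, so the "< 2" overrun test is satisfied and a decoder relying on it would keep reading beyond the buffer. wide_len is rejected before any length octet is consumed because nine octets cannot fit in len.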
-
Lianchao Song authored
Fix elevation of privilege vulnerability in Synaptics touchscreen driver.

There is a possible stack overflow vulnerability in the synaptics_rmi4_i2c_write function because the stack array size is from user space. The fix is designed to allocate heap memory for the temporary buffer instead of stack memory to prevent the stack overflow vulnerability.

Change-Id: I5a840ad9188bcfe1be601936924df53256ebecc3
Signed-off-by: Lianchao Song <songlianchao@huawei.com>
-
Lianchao Song authored
CVE-2016-6697

Add buffer overflow check in voice_svc_send_req.

CRs-fixed: 1010081
Change-Id: I4ae703334b0cf04f327b392bc9cd6febd4ad32f2
Signed-off-by: Josh Kirsch <jkirsch@codeaurora.org>
-
Lianchao Song authored
CVE-2016-6681 CVE-2016-6682

Use variables in driver context after proper initialization.

CRs-Fixed: 1049521, 1049615
Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6
Signed-off-by: Haynes Mathew George <hgeorge@codeaurora.org>
-
Lianchao Song authored
CVE-2016-3860

For the audio get calibration ioctl compare the allocated buffer size to the size of the header and cal type header to ensure the buffer is big enough.

Change-Id: I851b4454e8420706ad3263d67e892720d46e5718
Signed-off-by: Ben Romberger <bromberg@codeaurora.org>
-
Lianchao Song authored
CVE-2015-8951

Currently lsm client data is deallocated when q6lsm_open() fails which can cause memory corruption if lsm client data is accessed after freed. Fix this issue by deallocating the client data only in msm_lsm_close().

Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
-
Lianchao Song authored
CVE-2016-3902

IPA might have Information leak and device crash due to kernel heap overread in IPA driver when processing WAN_IOC_ADD_FLT_RULE_INDEX ioctl. The fix is to add check on max number of filter rules send to modem.

Change-Id: I454e04d05cfcb7af8fc4bd2b4a1bade55c4684d0
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
-