- Jun 05, 2018
-
-
David Lin authored
August 2018.1 Bug: 80191245 Change-Id: I9e764529ca03931d029685270567fbdf320b1337 Signed-off-by:David Lin <dtwlin@google.com>
-
Florian Westphal authored
commit b7181216 upstream. We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary. Reported-by:
<syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com> Bug: 77902350 Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I01c7b86ed219c461113208c575148fe84f96317a
-
Mahesh Sivasubramanian authored
In cleanup_stats(), a freed memory pointer pos might be accessed for list traversal. Switch to using _safe() variant of the list API to prevent undefined accesses. Bug: 79421260 Change-Id: I7d068cb7813ccb9bfdbcab4646b4ec890145828a Signed-off-by:Mahesh Sivasubramanian <msivasub@codeaurora.org>
-
annamraj authored
Fix for possible information leak issue because of unintialised variable Which can be accesed from userspace in camera fd driver Bug: 73889358 Signed-off-by:annamraj <annamraj@codeaurora.org> Change-Id: I4552c4829e9532d848e46fd123316b26105e310e
-
Harsh Sahu authored
Check the number of bytes to copy against the size of the user buffer before copy to user to avoid buffer overflow. Bug: 79422277 Change-Id: Icdd3d4e755deca19fa431e903620bd9e4c701c89 Signed-off-by:
Harsh Sahu <hsahu@codeaurora.org> Signed-off-by:
Siqi Lin <siqilin@google.com>
-
Sreelakshmi Gownipalli authored
In diagchar_open() protect the decrement of number of diag clients so that there will be no race conditions while reading the value from other functions. Bug: 79421261 Change-Id: I0e2fb5331eec9c7bba39e7d881b69559256833a3 Signed-off-by:Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
-
Bhalchandra Gajare authored
In the ioctl function, driver allocates memory to store data internally before calling copy_to_user to copy data to user-space. It is possible that kernel internal information can be leaked to user space through this if the allocated memory is not completely overwritten with valid data. Use kzalloc to fix this. CRs-fixed: 2026045 Bug: 73888283 Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6 Signed-off-by:Bhalchandra Gajare <gajare@codeaurora.org>
-
Mohammed Javid authored
Check for CAP_NET_ADMIN capability of the user space application who tries to access rmnet driver IOCTL. Bug: 36367253 Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a CRs-Fixed: 2226355 Signed-off-by:Mohammed Javid <mjavid@codeaurora.org>
-
- May 10, 2018
-
-
Badhri Jagan Sridharan authored
July 2018.1 Bug: 79366047 Change-Id: I13f70caa78d9794fe5bd5f53d1596ee981897598 Signed-off-by:Badhri Jagan Sridharan <Badhri@google.com>
-
Badhri Jagan Sridharan authored
July 2018.1 Bug: 79366047 Change-Id: Iea614d5c3a4d82e659f4e5afe1189577852b9913 Signed-off-by: -
Li Jinyue authored
UBSAN reports signed integer overflow in kernel/futex.c: UBSAN: Undefined behaviour in kernel/futex.c:2041:18 signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Add a sanity check to catch negative values of nr_wake and nr_requeue. Signed-off-by:
Li Jinyue <lijinyue@huawei.com> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Erick Reyes <erickreyes@google.com> Signed-off-by:
Oleg Matcovschi <omatcovschi@google.com> Cc: peterz@infradead.org Cc: dvhart@infradead.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com Cherry-picked from <fbe0e839> Bug: 76106267 Change-Id: I1ec41dfab44abfa5154d6f073e475bf499dac882
-
Badhri Jagan Sridharan authored
This reverts commit <40d05cf8> Bug: 76106267 Change-Id: I5e367c56e440c0cdeb59b3c714ac335920d28295 Signed-off-by:
-
Banajit Goswami authored
Audio Packet Router (APR) is used by multiple audio services to communicate between APSS and ADSP. These audio services registers for service level APR communication (port 0xFFFFFFFF), or for session level APR communication (using port 0x101 etc.). The services might choose to call apr_register for any port at random. The expectation is that the refcounting for the number of ports registered with APR for any specific service, is handled irrespective of the order in which registrations are done. The current logic fails to handle the refcounting when apr_register is called for 0xFFFFFFFF before other session based ports. Fix this correctly using the service count (svc_cnt) variable in apr_svc. CRs-fixed: 2022490 Bug: 34088848 Change-Id: I2fcd1269facf24d509db0d90314e0d2545a2ad67 Signed-off-by:Banajit Goswami <bgoswami@codeaurora.org>
-
Tanvi Aggarwal authored
Add conditional check when sending VIDIOC_MSM_OIS_CFG. Bug: 38258851 Change-Id: I128591359d7996fe73e9ac3d8a17c47004a2e04e CRs-Fixed:2078155 Signed-off-by:Tanvi Aggarwal <tanvia@codeaurora.org>
-
Dennis Cagle authored
As the length datatype is signed, an attacker can both overflow the calculation or supply a negative number to trick the check into returning an chosen chunk. This can have undesired consequences. Always use unsigned integer types for length values. Change-Id: Ifde2f0d35129014b976507f7723a319c53fabddf Acked-by:
Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com> Signed-off-by:
Tharun Kumar Merugu <mtharu@codeaurora.org> Bug: 63165135 CRs-Fixed: 2139538 Signed-off-by:
Dennis Cagle <dcagle@codeaurora.org> (cherry picked from commit c29e11c774b3c59660c1c599b73b7fabf1492d43) Signed-off-by:
-
Willem de Bruijn authored
commit 85f1bd9a upstream. When iteratively building a UDP datagram with MSG_MORE and that datagram exceeds MTU, consistently choose UFO or fragmentation. Once skb_is_gso, always apply ufo. Conversely, once a datagram is split across multiple skbs, do not consider ufo. Sendpage already maintains the first invariant, only add the second. IPv6 does not have a sendpage implementation to modify. A gso skb must have a partial checksum, do not follow sk_no_check_tx in udp_send_skb. Found by syzkaller. [gregkh - tweaks for 3.18 for ipv6, hopefully they are correct...] [wt: s/skb_is_gso/skb_has_frags for 3.10] Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach") Reported-by:
Andrey Konovalov <andreyknvl@google.com> Bug: 68806309 Signed-off-by:
Willem de Bruijn <willemb@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Willy Tarreau <w@1wt.eu> Change-Id: Iac75f1be3304c7400e1c5d221a56476a0d60aba3 Signed-off-by:
Suren Baghdasaryan <surenb@google.com>
-
Mahesh Sivasubramanian authored
The list_for_each macro was not used correctly, where the intermediate variable would be LIST_POISON, resulting in a untrusted pointer dereference. Switch to using list_for_each_entry_safe to for safe removal of a list entry. Bug: 72956998 Change-Id: I0e0fd5dd9f251b5093d6e9d6335387512ec59249 Signed-off-by: -
Mel Gorman authored
commit 65d8fc77 upstream. When dealing with key handling for shared futexes, we can drastically reduce the usage/need of the page lock. 1) For anonymous pages, the associated futex object is the mm_struct which does not require the page lock. 2) For inode based, keys, we can check under RCU read lock if the page mapping is still valid and take reference to the inode. This just leaves one rare race that requires the page lock in the slow path when examining the swapcache. Additionally realtime users currently have a problem with the page lock being contended for unbounded periods of time during futex operations. Task A get_futex_key() lock_page() ---> preempted Now any other task trying to lock that page will have to wait until task A gets scheduled back in, which is an unbound time. With this patch, we pretty much have a lockless futex_get_key(). Experiments show that this patch can boost/speedup the hashing of shared futexes with the perf futex benchmarks (which is good for measuring such change) by up to 45% when there are high (> 100) thread counts on a 60 core Westmere. Lower counts are pretty much in the noise range or less than 10%, but mid range can be seen at over 30% overall throughput (hash ops/sec). This makes anon-mem shared futexes much closer to its private counterpart. Signed-off-by:
Mel Gorman <mgorman@suse.de> [ Ported on top of thp refcount rework, changelog, comments, fixes. ] Signed-off-by:
Davidlohr Bueso <dbueso@suse.de> Reviewed-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
Chenbo Feng <fengc@google.com> Signed-off-by:
-
Li Jinyue authored
UBSAN reports signed integer overflow in kernel/futex.c: UBSAN: Undefined behaviour in kernel/futex.c:2041:18 signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Add a sanity check to catch negative values of nr_wake and nr_requeue. Signed-off-by:
-
Karthikeyan Mani authored
Check for debugfs ops buf size passed before reading to eliminate the possibility of reading out of bounds. Bug: 77528653 Change-Id: I28fd60ce93256b6b0bad62b449092a891cc15463 Signed-off-by:Karthikeyan Mani <kmani@codeaurora.org>
-
raghavendra ambadas authored
current code does not have locking mechanism between rotator play and rotator unset, due to which race condition can occur when concurrent threads invoke rotator play and unset ioctl cmd. So use mutex lock to avoid such issues. Bug: 77527701 Change-Id: I6a7cd16ee8a8f3a4c9397e87b8c109809ec6f573 Signed-off-by:
Raghavendra Ambadas <rambad@codeaurora.org> Signed-off-by:
Steve Pfetsch <spfetsch@google.com>
-
- May 07, 2018
-
-
Daniel Mentz authored
This reverts commit 1f19ec80. Bug: 72957321 Bug: 79219092 Change-Id: I4b74e3970718c137f543ae638547becfbdff5245 Signed-off-by:
Daniel Mentz <danielmentz@google.com>
-
- May 01, 2018
-
-
Johannes Thumshirn authored
If the list search in sg_get_rq_mark() fails to find a valid request, we return a bogus element. This then can later lead to a GPF in sg_remove_scat(). So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case the list search doesn't find a valid request. Bug: 79090045 Signed-off-by:
Johannes Thumshirn <jthumshirn@suse.de> Reported-by:
Hannes Reinecke <hare@suse.de> Acked-by:
Doug Gilbert <dgilbert@interlog.com> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by:
-
- Apr 16, 2018
-
-
Daniel Mentz authored
June 2018.1 Bug: 76444978 Change-Id: I64ca05eb268173dbb069ebf62ed8d78729b3d722
-
Tharun Kumar Merugu authored
Send context ID in rpc header instead of context pointer. Validate context ID received in response and get context pointer. Bug: 74237782 Change-Id: I9cfd10d0c1b25c3085b8e15c7ca1c8ff214bf10d Acked-by:
Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com> Signed-off-by:
-
Eric Biggers authored
In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed to the action functions before their lengths had been computed, using the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in reading data past the end of the input buffer, when given a specially crafted message. Fix it by rearranging the code so that the indefinite length is resolved before the action is called. This bug was originally found by fuzzing the X.509 parser in userspace using libFuzzer from the LLVM project. KASAN report (cleaned up slightly): BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline] BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366 Read of size 128 at addr ffff880035dd9eaf by task keyctl/195 CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xd1/0x175 lib/dump_stack.c:53 print_address_description+0x78/0x260 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x23f/0x350 mm/kasan/report.c:409 memcpy+0x1f/0x50 mm/kasan/kasan.c:302 memcpy ./include/linux/string.h:341 [inline] x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366 asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447 x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89 x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174 asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388 key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850 SYSC_add_key security/keys/keyctl.c:122 [inline] SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0x96 Allocated by task 195: __do_kmalloc_node mm/slab.c:3675 [inline] __kmalloc_node+0x47/0x60 mm/slab.c:3682 kvmalloc ./include/linux/mm.h:540 [inline] SYSC_add_key security/keys/keyctl.c:104 [inline] SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0x96 Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder") Reported-by:Alexander Potapenko <glider@google.com> Cc: <stable@vger.kernel.org> # v3.7+ Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
David Howells <dhowells@redhat.com> (cherry picked from commit e0058f3a) Bug: 73827422 Change-Id: Ib1278bd75b3be8e41b2ab0dc3a750d52006acc4b Signed-off-by:
Connor O'Brien <connoro@google.com>
-
Eric Biggers authored
syzkaller with KASAN reported an out-of-bounds read in asn1_ber_decoder(). It can be reproduced by the following command, assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y: keyctl add asymmetric desc $'\x30\x30' @s The bug is that the length of an ASN.1 data value isn't validated in the case where it is encoded using the short form, causing the decoder to read past the end of the input buffer. Fix it by validating the length. The bug report was: BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233 Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818 CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0xb3/0x10b lib/dump_stack.c:52 print_address_description+0x79/0x2a0 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x236/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233 x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89 x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174 asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388 key_create_or_update+0x347/0xb20 security/keys/key.c:855 SYSC_add_key security/keys/keyctl.c:122 [inline] SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x447c89 RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89 RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5 RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700 Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder") Cc: <stable@vger.kernel.org> # v3.7+ Signed-off-by:James Morris <james.l.morris@oracle.com> (cherry picked from commit 2eb9eabf) Bug: 73827422 Change-Id: I3c57fd16ebc63214c4225e85004b1339fbc41728 Signed-off-by:
-
Liam Mark authored
Cleanup ION cache maintenance code to properly validate the target of userspace cache maintenance requests. Bug: 72957321 Change-Id: I55b8e3584c59634f95250bc7c0bce5d8d70e6a13 Signed-off-by:
Liam Mark <lmark@codeaurora.org> Signed-off-by:
Swetha Chikkaboraiah <schikk@codeaurora.org>
-
Eric Biggers authored
commit af3ff804 upstream. Because the HMAC template didn't check that its underlying hash algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))" through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC being used without having been keyed, resulting in sha3_update() being called without sha3_init(), causing a stack buffer overflow. This is a very old bug, but it seems to have only started causing real problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3) because the innermost hash's state is ->import()ed from a zeroed buffer, and it just so happens that other hash algorithms are fine with that, but SHA-3 is not. However, there could be arch or hardware-dependent hash algorithms also affected; I couldn't test everything. Fix the bug by introducing a function crypto_shash_alg_has_setkey() which tests whether a shash algorithm is keyed. Then update the HMAC template to require that its underlying hash algorithm is unkeyed. Here is a reproducer: #include <linux/if_alg.h> #include <sys/socket.h> int main() { int algfd; struct sockaddr_alg addr = { .salg_type = "hash", .salg_name = "hmac(hmac(sha3-512-generic))", }; char key[4096] = { 0 }; algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (const struct sockaddr *)&addr, sizeof(addr)); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); } Here was the KASAN report from syzbot: BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline] BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044 CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 memcpy include/linux/string.h:341 [inline] sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 crypto_shash_update+0xcb/0x220 crypto/shash.c:109 shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 hmac_finup+0x182/0x330 crypto/hmac.c:152 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172 crypto_shash_digest+0xc4/0x120 crypto/shash.c:186 hmac_setkey+0x36a/0x690 crypto/hmac.c:66 crypto_shash_setkey+0xad/0x190 crypto/shash.c:64 shash_async_setkey+0x47/0x60 crypto/shash.c:207 crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200 hash_setkey+0x40/0x90 crypto/algif_hash.c:446 alg_setkey crypto/af_alg.c:221 [inline] alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254 SYSC_setsockopt net/socket.c:1851 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1830 entry_SYSCALL_64_fastpath+0x1f/0x96 Reported-by:
syzbot <syzkaller@googlegroups.com> Bug: 71752561 Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Andrew Chant authored
when comparing a signed value vs sizeof, make sure it's >= 0 so that when promoted to signed for comparison it won't lead to unexpected results. Bug: 70528036 Change-Id: I99a1220598e67e3ce5c99d425e84c79639121838 Signed-off-by:Andrew Chant <achant@google.com>
-
Sreelakshmi Gownipalli authored
Add correct conditional check for len in dci_process_ctrl_status() to prevent buffer overflow. Bug: 70528036 Change-Id: Id73ed1c8b104428eceef0544ce2858160cc08fd2 Signed-off-by: -
Sean Callanan authored
In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call at the same time. CRs-Fixed: 2149998 Change-Id: Ic83f22336504cf67afe12131f791eee25477f011 Signed-off-by:
Meera Gande <mgande@codeaurora.org> Signed-off-by:
Vijay Kumar TM <vtmuni@codeaurora.org> Bug: 69065862 Signed-off-by:
Sean Callanan <spyffe@google.com>
-
Mark Salyzyn authored
The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. Signed-off-by:Mark Salyzyn <salyzyn@google.com> Fixes: 678af93e46ac10318b54f2f0c9abbdfe75c4e078 ("HID: Bluetooth: hidp: make sure input buffers are big enough") Bug: 65853588 Change-Id: I779ce783ae7c3bce8c5a66c0954ef31347e42cfc
-
David Herrmann authored
(cherry picked from commit a4b1b587) HID core expects the input buffers to be at least of size 4096 (HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an input-report is smaller than advertised. We could, like i2c, compute the biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will blow up if report-descriptors are changed after ->start() has been called. So lets be safe and just use the biggest buffer we have. Note that this adds an additional copy to the HIDP input path. If there is a way to make sure the skb-buf is big enough, we should use that instead. The best way would be to make hid-core honor the @size argument, though, that sounds easier than it is. So lets just fix the buffer-overflows for now and afterwards look for a faster way for all transport drivers. Signed-off-by:
David Herrmann <dh.herrmann@gmail.com> Signed-off-by:
Jiri Kosina <jkosina@suse.cz> Bug: 65853588 Change-Id: Iec1410993a6d21dd9c88bd7669cf658b9f48f9dc
-
Mike Maloney authored
The logic in __ip6_append_data() assumes that the MTU is at least large enough for the headers. A device's MTU may be adjusted after being added while sendmsg() is processing data, resulting in __ip6_append_data() seeing any MTU. For an mtu smaller than the size of the fragmentation header, the math results in a negative 'maxfraglen', which causes problems when refragmenting any previous skb in the skb_write_queue, leaving it possibly malformed. Instead sendmsg returns EINVAL when the mtu is calculated to be less than IPV6_MIN_MTU. Found by syzkaller: kernel BUG at ./include/linux/skbuff.h:2064! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d0b68580 task.stack: ffff8801ac6b8000 RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline] RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216 RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000 RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0 RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000 R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8 R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000 FS: 00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6_finish_skb include/net/ipv6.h:911 [inline] udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093 udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x352/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4512e9 RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9 RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005 RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69 R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000 Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570 RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570 Reported-by:
Mike Maloney <maloney@google.com> Reviewed-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
Greg Hackmann <ghackmann@google.com>
-
Alexander Potapenko authored
raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied from the userspace contains the IPv4/IPv6 header, so if too few bytes are copied, parts of the header may remain uninitialized. This bug has been detected with KMSAN. For the record, the KMSAN report: ================================================================== BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0 inter: 0 CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x143/0x1b0 lib/dump_stack.c:52 kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078 __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510 nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577 ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 nf_hook_entry_hookfn ./include/linux/netfilter.h:102 nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310 nf_hook ./include/linux/netfilter.h:212 NF_HOOK ./include/linux/netfilter.h:255 rawv6_send_hdrinc net/ipv6/raw.c:673 rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 RIP: 0033:0x436e03 RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000 origin: 00000000d9400053 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270 slab_alloc_node mm/slub.c:2735 __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341 __kmalloc_reserve net/core/skbuff.c:138 __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231 alloc_skb ./include/linux/skbuff.h:933 alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678 sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903 sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920 rawv6_send_hdrinc net/ipv6/raw.c:638 rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 ================================================================== , triggered by the following syscalls: socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3 sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket instead of a PF_INET6 one. Signed-off-by: -
Vaishnavi Kommaraju authored
Add mutex lock to ensure atomic access to core handle in CPE alloc and dealloc sessions. CRs-Fixed: 2169403 Bug: 62536960 Signed-off-by:Vaishnavi Kommaraju <vkommara@codeaurora.org> Change-Id: Ic0bb7e1646cbeafe507680c39bb8de56086df47a
-
- Apr 03, 2018
-
-
Sean Callanan authored
The FASTRPC_IOCTL_INIT ioctl registers a pointer for later access without checking that it is a user pointer. This could allow arbitrary kernel memory access. This patch verifies that the pointer is a user pointer. Bug: 63165064 Change-Id: I936f73a2c2029f9e7ca12cc8fc06d0698e6710c0 Signed-off-by:
-
- Mar 15, 2018
-
-
Siyuan Zhou authored
May 2018.1 Bug: 74402703 Change-Id: Ied982cac355a94c0e2b6367b0831cc17e3617988 Signed-off-by:Siyuan Zhou <siyuanzhou@google.com>
-
- Mar 14, 2018
-
-
Tanya Dixit authored
Add mutex unlock in function audio_effects_shared_ioctl at appropriate place to prevent use after free. CRs-Fixed: 2123291 Bug: 72957040 Change-Id: Ie0d321dc8cc20a295d102a44faea7e5710834932 Signed-off-by:Tanya Dixit <tdixit@codeaurora.org>
-
