- Jul 18, 2017
-
Maria Yu authored
Cldata needed to be protected by a lock since a crash happened on a synchronous update and free.

CRs-Fixed: 2034222
Bug: 62378596
Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
-
Srinivas Girigowda authored
The wcnss platform driver updates the wlan calibration data via the user space wlan daemon. The wlan user space daemon stores the updated wlan calibration data reported by the wlan firmware in user space and writes it back to the wcnss platform calibration data buffer for the calibration data download and update. During the wlan calibration data store and retrieve operations there are some potential race conditions which lead to a memory leak and buffer overflow during the context switch. Fix the above issue by adding protection code and avoiding use of the global pointer during the device file read and write operations.

Bug: 62377236
CRs-Fixed: 2015858
Change-Id: Ib5b57eb86dcb4e6ed799b5222d06396eaabfaad3
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
WANG Cong authored
Like commit 657831ff ("dccp/tcp: do not inherit mc_list from parent") we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <edumazet@google.com>
Bug: 62299478
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 83eaddab)
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I072f17a16ae8095c792ed05b73589a97c1d2a16b
-
Jan Kara authored
Huang has reported that in his powerfail testing he is seeing stale block contents in some of recently allocated blocks although he mounts ext4 in data=ordered mode. After some investigation I have found out that indeed when delayed allocation is used, we don't add inode to transaction's list of inodes needing flushing before commit. Originally we were doing that but commit f3b59291 removed the logic with a flawed argument that it is not needed.

The problem is that although for delayed allocated blocks we write their contents immediately after allocating them, there is no guarantee that the IO scheduler or device doesn't reorder things and thus transaction allocating blocks and attaching them to inode can reach stable storage before actual block contents.

Actually whenever we attach freshly allocated blocks to inode using a written extent, we should add inode to transaction's ordered inode list to make sure we properly wait for block contents to be written before committing the transaction. So that is what we do in this patch. This also handles other cases where stale data exposure was possible - like filling hole via mmap in data=ordered,nodelalloc mode.

The only exception to the above rule are extending direct IO writes where blkdev_direct_IO() waits for IO to complete before increasing i_size and thus stale data exposure is not possible. For now we don't complicate the code with optimizing this special case since the overhead is pretty low. In case this is observed to be a performance problem we can always handle it using a special flag to ext4_map_blocks().

CC: stable@vger.kernel.org
Fixes: f3b59291
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 06bd3c36)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62198330
Change-Id: I94d10c119d5d53e3b652e654a7bdd1bd39d3f3e8
-
Eric Dumazet authored
syzkaller found a way to trigger double frees from ip_mc_drop_socket().

It turns out that we leave a copy of the parent mc_list at accept() time, which is very bad.

Very similar to commit 8b485ce6 ("tcp: do not inherit fastopen_req from parent").

Initial report from Pray3r, completed by Andrey. Thanks a lot to them!

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Roberto Pereira <rpere@google.com>
(cherry picked from commit 657831ff)
Bug: 38413975
Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Hugh Dickins authored
commit f4cb767d upstream.

Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the end of unmapped_area_topdown(). Linus points out how MAP_FIXED (which does not have to respect our stack guard gap intentions) could result in gap_end below gap_start there. Fix that, and the similar case in its alternative, unmapped_area().

Change-Id: I57c1da473463659e39203ba0c8d6c99573beda1a
Fixes: 1be7107f ("mm: larger stack guard gap, between vmas")
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 38413813
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Hugh Dickins authored
commit 1be7107f upstream.

Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs like gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunately.

Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in the PAGE_SIZE units) which should cover larger alloca() and VLA stack allocations. It is obviously not a full fix because the problem is somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace, but that can be done later when somebody finds that the new 1MB is wrong for some special case applications. For now, add a kernel command line option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page: because although we could get away with accounting one extra page in a stack vma, accounting a larger gap can break userspace - case in point, a program run with "ulimit -S -v 20000" failed when the 1MB gap was counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard gap as a gap between vmas: using vm_start_gap() in place of vm_start (or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few places which need to respect the gap - mainly arch_get_unmapped_area(), and the vma tree's subtree_gap support for that.

Change-Id: Iad38214c2e22290e5e84365b20f53a9c0f534a40
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Tested-by: Helge Deller <deller@gmx.de> # parisc
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; s390 uses generic arch_get_unmapped_area()]
Signed-off-by: Willy Tarreau <w@1wt.eu>
[gkh: minor build fixes for 3.18]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 38413813
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Siena Richard authored
Validate a buffer virtual address is fully within the region before returning the region to ensure functionality for an extended edge case.

Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CRs-fixed: 1108461
Bug: 38195131
Change-Id: Ib527a380a857719bff8254be514133528bd64c75
-
Sureshnaidu Laveti authored
Correcting the return value for getting the actuator information IOCTL.

CRs-Fixed: 1084177
Bug: 38027632
Change-Id: I2bbe7be3daedef45a5990c23168df5185e72e82f
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
-
Sureshnaidu Laveti authored
Since IOCTLs can come in any order, validate the actuator function table and methods before accessing them.

CRs-Fixed: 1084177
Bug: 38027632
Change-Id: Ic6fce52fdf4d1420c2b707ec9bc9cba045066a13
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
-
Eric Dumazet authored
commit d199fab6 upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could lead to one thread freeing po->rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us find lockdep issues earlier.

[js] no rollover in 3.12

Fixes: dc99f600 ("packet: Add fanout support.")
Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2a272abc)
Bug: 37897645
Change-Id: I3b021869ee26b88d10f4d6408ce34d351543ce74
-
Eric Dumazet authored
[ Upstream commit 7892032c ]

Andrey Konovalov reported out of bound accesses in ip6gre_err().

If GRE flags contains GRE_KEY, the following expression

    *(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code more readable.

p[1] becomes greh->protocol.

grehlen is the GRE header length.

Fixes: c12b395a ("gre: Support GRE over IPv6")
Bug: 37871211
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I26a5edad79da26340260b054604234e08076b86d
-
Chris Salls authored
commit cf01fb99 upstream.

In the case that compat_get_bitmap fails we do not want to copy the bitmap to the user as it will contain uninitialized stack data and leak sensitive data.

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ef67ca99)
Bug: 37751399
Change-Id: I13d6c57c32c32747c62173fcd1fe0471c84ffb26
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Srinivas Girigowda authored
qcacld-3.0 to qcacld-2.0 propagation

Currently there is no nl policy defined for vendor sub command QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in buffer overread error. To resolve this, add nl policy.

Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
CRs-Fixed: 2058452
Bug: 37712167
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Ashish Garg authored
The number of CEA blocks is read from the EDID buffer, which comes from the user. If the number of CEA blocks is more than the supported blocks, a kernel information leak is possible by reading more data than is present in edid_buf.

Bug: 37567102
Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
-
Dennis Cagle authored
In a multi-threaded environment the diglen variable could be modified by multiple threads at the same time. A buffer overflow might happen in the current thread if another thread changes the diglen variable. So add mutex locks to avoid this issue.

CRs-Fixed: 2010656
Git-repo: https://source.codeaurora.org/quic/la/kernel/msm-3.10
Git-commit: 70b719025fbef1fa98a2e3a823e583c836dd9bb2
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Bug: 37438302
Change-Id: Ib123d494ce6d258e82f77f8ac5eeeec30ff35b1b
Signed-off-by: John Dias <joaodias@google.com>
-
Venu Yeshala authored
Change the format specifier in a debug print for ISPIF base address to avoid information leak.

Bug: 37239119
Change-Id: Ic6c799349ea98448da113d8710300934d77079b8
Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
-
Srinivas Girigowda authored
The length of the MAC address is not checked, which may cause an out of bound read issue. To resolve this, add a check for the MAC address length.

CRs-Fixed: 2051433
Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56
Bug: 36815555
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Haibin Liu authored
When getting the power down setting, there is an untrusted pointer from a user space pointer. It needs to be copied to kernel space first.

CRs-Fixed: 2037398
Bug: 36492827
Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
-
Skylar Chang authored
Fix the security issue in handling add mux channel event in ipa wan driver.

Bug: 36490777
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
Change-Id: Ic2ffeafddad4954ec3ecba0d675646d0790eede7
-
Fei Zhang authored
Fix one potential out-of-bounds query of stats info.

Bug: 36264696
Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>
-
Gaoxiang Chen authored
stream_cfg_cmd->num_streams comes from userspace and needs to be checked against MSM_ISP_STATS_MAX before being used.

CRs-Fixed: 2029867
Bug: 36232584
Change-Id: I2ab892b7d406fc56de94c261a396866269e91d1a
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
-
Gaoxiang Chen authored
In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element).

Change-Id: I4189423bda7f5c6fa01751d00b8405bc1ad8b2b8
CRs-Fixed: 2031677
Bug: 36136563
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
-
Adrian Salido authored
The driver_override implementation is susceptible to a race condition when different threads are reading vs storing a different driver override. Add locking to avoid the race condition.

Fixes: 3d713e0e ("driver core: platform: add device binding path 'driver_override'")
Cc: stable@vger.kernel.org
Bug: 35676417
Signed-off-by: Adrian Salido <salidoa@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I378bddb94afa3c21f1200f80ceacbbaca625cb75
-
Adrian Salido authored
commit 4617f564 upstream.

When calling a dm ioctl that doesn't process any data (IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct dm_ioctl are left initialized. Current code is incorrectly extending the size of data copied back to user, causing the contents of kernel stack to be leaked to user. Fix by only copying contents before data and allow the functions processing the ioctl to override.

Bug: 35644370
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I691346e98fc9bff1620942278554a57a6c22f656
-
Robb Glasser authored
sg_ioctl could be spammed by requests, leading to a double free in __free_pages. This protects the entry points of sg_ioctl where the memory could be corrupted by a double call to __free_pages if multiple requests are happening concurrently.

Bug: 35644812
Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1
Signed-off-by: Robb Glasser <rglasser@google.com>
-
Dennis Cagle authored
There is no synchronization between msm_vb2_get_buf and msm_delete_stream, which can lead to a use after free. Fixed it by using a read/write lock.

Bug: 35099636
CRs-Fixed: 2013052
Change-Id: I8e80d70ec866253aab8836457a28ae14175f5d61
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-
Krupal Divvela authored
Use a mutex lock around queuing ioctls, such as queuing and dequeuing buffers, to avoid a race condition.

Bug: 34329758
Change-Id: Ia9fdfd5a766add2f8d99003b0c2bfe7d34d57a09
Signed-off-by: Krupal Divvela <kdivvela@codeaurora.org>
-
Siva Kumar Akkireddi authored
SPS debugfs APIs can be called concurrently which can result in dangling pointer access. This change synchronizes access to the SPS debugfs buffer.

Bug: 33548839
Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
-
Tony Truong authored
Via debugfs nodes, users have the option to read and write to any PCIe register. To ensure clients do not access registers outside the PCIe range, add checks to validate the offset clients provide.

Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247
Signed-off-by: Tony Truong <truong@codeaurora.org>
Bug: 33039685
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
- Jul 17, 2017
-
Siqi Lin authored
prebuilts/gcc now has a new enough compiler to build KASAN and prebuilts-master/gcc is removed. Build KASAN using prebuilts/gcc.

Bug: 63636412
Change-Id: I36ad1b148ad2292aa317fa1940fdd272d612655a
Signed-off-by: Siqi Lin <siqilin@google.com>
-
- Jun 12, 2017
-
Stuart Scott authored
August 2017.1
-
- Jun 07, 2017
-
Steve Pfetsch authored
August 2017.1

Bug: 62368772
Change-Id: I84e7ff2c2348c1da9846119245c3b8cc8bdb164e
-
Dennis Cagle authored
Disable and remove gud mobicore driver.

Bug: 33842910
CRs-Fixed: 1116560
Change-Id: Ia16bc3e1331f86724a391fd367587b56ccc14546
Acked-by: Tony Hamilton <tonyh@qti.qualcomm.com>
Signed-off-by: Trudy Shearer <tshearer@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-
Maggie White authored
Complete removal of gud mobicore driver. The driver author delivers an updated version of the driver to interested parties directly, rendering this version obsolete.

Bug: 33842910
CRs-Fixed: 1116560
Change-Id: I40498d3203b1d6ca04f2b5a2e65461851d84d2d4
Acked-by: Tony Hamilton <tonyh@qti.qualcomm.com>
Signed-off-by: Trudy Shearer <tshearer@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Maggie White <maggiewhite@google.com>
-
Pratham Pratap authored
Assume that there are two threads: thread1 is setting the value of the _rndis_qc variable in the rndis_qc_bind_config_vendor function. Thread2 jumps in and gets the value of _rndis_qc in the rndis_qc_open_dev function before it is freed in the rndis_qc_bind_config_vendor function, since rndis_ipa_init or usb_add_function failed. A use-after-free will happen as Thread2 is referencing freed objects. To prevent this, a spinlock is used wherever it is needed to protect the _rndis_qc variable.

Bug: 35136547
Change-Id: Ibfe10cedc18bcb19dd01cd2bec43a5554fd008bc
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>
-
Harsh Sahu authored
Currently memcpy is copying from a bigger memory size to a smaller memory size, which may lead to a buffer overflow. This change corrects this issue by restricting the memcpy to the smaller of the src or dest memory buffer.

Bug: 35258962
Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
-
Utkarsh Saxena authored
Overflow of the reference counter can lead to a memory leak. Before incrementing the reference count, check it against U32_MAX and return on error.

Bug: 35467471
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
-
Abir Ghosh authored
Terminate the string coming from userspace and containing the name of the fingerprint trusted app with a null character, to make sure kernel memory does not leak into logs.

Bug: 35644510
Change-Id: I1668a64fcb6747ce3ef3b1ee6321fa5fa4a1798a
CRs-Fixed: 2029409
Signed-off-by: Abir Ghosh <abirg@codeaurora.org>
-
Abir Ghosh authored
Fix an uninitialized local variable error which might have led to a crash.

Bug: 35764241
Change-Id: I3fd95cb343c3175e4190c8ebfe209399db0602a6
CRs-Fixed: 2030137
Signed-off-by: Abir Ghosh <abirg@codeaurora.org>