  1. Jun 03, 2016
  2. May 25, 2016
  3. May 20, 2016
  4. May 03, 2016
  5. Apr 21, 2016
  6. Apr 20, 2016
  7. Mar 25, 2016
    • mm: fix prctl_set_vma_anon_name · c03cbb22
      Colin Cross authored
      
      prctl_set_vma_anon_name could attempt to set the name across
      two vmas at the same time due to a typo, which might corrupt
      the vma list.  Fix it to use tmp instead of end to limit
      the name setting to a single vma at a time.
      
      Reported-by: Jed Davis <jld@mozilla.com>
      Signed-off-by: Colin Cross <ccross@android.com>
      (cherry picked from commit 091ff4dc)
      
      Change-Id: I626f7b7b84885220a51daa76b8c40575dfa6fce0
    • pipe: iovec: Fix OOB read in pipe_read() · 152777b5
      Jeff Vander Stoep authored
      
      Previous upstream *stable* fix 14f81062 was incomplete.
      
      A local process can trigger a system crash with an OOB read on buf.
      This occurs when the state of buf gets out of sync. After an error in
      pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset
      but not buf->len. Upon retrying pipe_read() while in
      pipe_iov_copy_to_user() *remaining will be larger than the space left
      after buf->offset e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE,
      buf->offset = 0x300.
      
      This is fixed by not updating the state of buf->offset until after the
      full copy is completed, similar to how pipe_write() is implemented.
      
      For stable kernels < 3.16.
      
      Bug: 27721803
      Change-Id: Idf224a5d09af55a42d0a5d31cf3d467bf73f49f5
      Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
  8. Mar 23, 2016
  9. Mar 18, 2016
  10. Feb 26, 2016
  11. Jan 22, 2016
  12. Oct 08, 2015
  13. Oct 07, 2015
  14. Sep 29, 2015