  1. Jan 20, 2016
    • UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring() · 9a3e9ef8
      Yevgeny Pats authored
      
      (cherry pick from commit 23567fd0)
      
      This fixes CVE-2016-0728.
      
      If a thread is asked to join as a session keyring the keyring that's already
      set as its session, we leak a keyring reference.
      
      This can be tested with the following program:
      
      	#include <stddef.h>
      	#include <stdio.h>
      	#include <sys/types.h>
      	#include <keyutils.h>
      
      	int main(int argc, const char *argv[])
      	{
      		int i = 0;
      		key_serial_t serial;
      
      		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      				"leaked-keyring");
      		if (serial < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		if (keyctl(KEYCTL_SETPERM, serial,
      			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		for (i = 0; i < 100; i++) {
      			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      					"leaked-keyring");
      			if (serial < 0) {
      				perror("keyctl");
      				return -1;
      			}
      		}
      
      		return 0;
      	}
      
      If, after the program has run, there is something like the following line in
      /proc/keys:
      
      3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
      
      with a usage count of 100 * the number of times the program has been run,
      then the kernel is malfunctioning.  If leaked-keyring has zero usages or
      has been garbage collected, then the problem is fixed.
      
      Bug: 26636379
      
      Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Don Zickus <dzickus@redhat.com>
      Acked-by: Prarit Bhargava <prarit@redhat.com>
      Acked-by: Jarod Wilson <jarod@redhat.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
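
The /proc/keys check described in the commit message above, as an added example that is not part of the original commit or the kernel tree: it parses /proc/keys lines and sums the usage count of keyrings with a given name. The struct, function and sample names are assumptions made for this example, and the `_ses` sample line is constructed.

```c
#include <stdio.h>
#include <string.h>
struct proc_key {
    unsigned int serial, usage, perm;
    int uid, gid;
    char flags[16], timeout[16], type[32], desc[128];
};
/* Fields: serial flags usage timeout perm uid gid type description: summary.
 * The description is cut at the first ':' (enough for plain keyring names). */
int parse_proc_keys_line(const char *line, struct proc_key *k)
{
    int n = sscanf(line, "%x %15s %u %15s %x %d %d %31s %127[^:\n]",
                   &k->serial, k->flags, &k->usage, k->timeout,
                   &k->perm, &k->uid, &k->gid, k->type, k->desc);
    return n == 9 ? 0 : -1;
}

/* Sum the usage counts of keyrings called `name` in a /proc/keys dump;
 * 0 means not listed (never created, or already garbage collected). */
unsigned int keyring_usage(const char *dump, const char *name)
{
    unsigned int total = 0;
    char line[512];
    while (*dump) {
        size_t len = strcspn(dump, "\n");
        size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        struct proc_key k;
        memcpy(line, dump, copy);
        line[copy] = '\0';
        if (parse_proc_keys_line(line, &k) == 0 &&
            strcmp(k.type, "keyring") == 0 && strcmp(k.desc, name) == 0)
            total += k.usage;
        dump += len + (dump[len] == '\n');
    }
    return total;
}

/* First line is the one quoted in the commit message; the "_ses" line is constructed. */
static const char SAMPLE_LEAKY[] =
    "3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty\n"
    "1a2b3c4d I--Q---     4 perm 3f030000  1000  1000 keyring   _ses: 1\n";
static const char SAMPLE_FIXED[] =
    "1a2b3c4d I--Q---     4 perm 3f030000  1000  1000 keyring   _ses: 1\n";
int main(void)
{
    printf("leaky=%u fixed=%u\n", keyring_usage(SAMPLE_LEAKY, "leaked-keyring"),
           keyring_usage(SAMPLE_FIXED, "leaked-keyring"));
    return 0;
}
```

On a live system the dump would be the contents of /proc/keys read after the test program has exited; a total of 100 times the number of runs matches the leak described in the commit message.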
  2. Jan 13, 2016
  3. Jan 08, 2016
    • include/linux/poison.h: fix LIST_POISON{1,2} offset · 4bb3f731
      Vasily Kulikov authored
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6
      
      
      
      Bug: 26186802
      Change-Id: I88328e7fbe8aba1fd0c5dae27649253f0e74a58d
      Signed-off-by: Yuan Lin <yualin@google.com>
  4. Dec 21, 2015
    • msm: null pointer dereferencing · 08bf1b37
      Wish Wu authored
      
      Prevent unintended kernel NULL pointer dereferencing.
      
      Code:
        hlist_del_rcu(&event->hlist_entry);
      
      Fix: Adding pointer check:
        if(!hlist_unhashed(&p_event->hlist_entry))
          hlist_del_rcu(&p_event->hlist_entry);
      
      Bug: 25364034
      Change-Id: Ib13a7400d4a36a4b08b0afc9b7d69c6027e741b6
      Signed-off-by: Yuan Lin <yualin@google.com>
  5. Dec 09, 2015
  6. Dec 01, 2015
    • bcmdhd: Add checks for stack buffer overflows · 0334cdac
      dataanddreams authored
      These two checks prevent exploitable buffer overflows in two scenarios.
      1. Long WPS_ID_DEVICE_NAME in WPS info elements
      2. Invalid SSID determined in certain scan results
      
      Bug: 25258438
      Change-Id: I63348c6a14914194b6bd27057075d6c9071b6e1d
  7. Nov 04, 2015
  8. Nov 02, 2015
  9. Oct 22, 2015
  10. Oct 15, 2015
  11. Oct 14, 2015
  12. Oct 12, 2015
  13. Oct 08, 2015
    • cpuset: Make cpusets restore on hotplug · 33b98df0
      Riley Andrews authored
      This deliberately changes the behavior of the per-cpuset
      cpus file to not be affected by hotplug. When a cpu is offlined,
      it will be removed from the cpuset/cpus file. When a cpu is onlined,
      if the cpuset originally requested that that cpu was part of the cpuset, that
      cpu will be restored to the cpuset. The cpus files still
      have to be hierarchical, but the ranges no longer have to be out of
      the currently online cpus, just the physically present cpus.
      
      Change-Id: I3efbae24a1f6384be1e603fb56f0d3baef61d924
    • cpuset: Add allow_attach hook for cpusets on android. · 62df3edc
      Riley Andrews authored
      Change-Id: Ic1b61b2bbb7ce74c9e9422b5e22ee9078251de21
    • shamu: add cpuset support · 9bf8a3e3
      Tim Murray authored
      enables cpusets for Shamu.
      
      bug 24773526
      
      Change-Id: Ia0b146f5848a6a790399a683b8b4d20ac498964f
    • msm: vidc: Allow clients to specify/query the colorspace · ca747d97
      Praveen Chavan authored
      
      When encoder clients specify the color space, the resulting bitstream
      will have the color space embedded in it.  This allows for the
      decoder to display the picture accurately without the color being
      skewed.
      
      Similarly decoder clients can query the color space of the bitstream by
      enabling MSM_VIDC_EXTRADATA_VUI_DISPLAY_INFO.  If the bitstream contains
      the colorspace hint, the appropriate extradata will be emitted by the
      decoder.
      
      Author: Deva Ramasubramanian <dramasub@codeaurora.org>
      
      Change-Id: I83a3e28b13c3aa306e7cc2d1552a6d39c0d3d49f
      Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
      Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
  14. Aug 31, 2015
  15. Aug 28, 2015
  16. Aug 25, 2015
  17. Aug 19, 2015
  18. Aug 18, 2015
  19. Aug 17, 2015
  20. Aug 13, 2015
  21. Aug 12, 2015
    • Don't call acct_update_power on ARCH=um. · 78283445
      Lorenzo Colitti authored
      
      kernel/sched/core.c calls acct_update_power, but that function is
      only compiled if CONFIG_CPU_FREQ_STAT is enabled. This breaks the
      ability to run kernel unit tests because the kernel won't link
      on ARCH=um. #ifdef out the code on ARCH=um.
      
      BUG=21498425
      BUG=23016816
      Change-Id: I7a95c842ac7eb9017d5e2ff554c9ab8a011a3e4d
      Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
  22. Aug 07, 2015
  23. Aug 06, 2015
  24. Aug 04, 2015