- Jul 06, 2016
-
-
Alan Stern authored
Commit 8520f380 ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which case nothing should be done.

CVE: CVE-2015-8816
Bug: ANDROID-28712303
Change-Id: I4a3e860c0af40b676e420fec8c1980a4e9aba917
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f380 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- Jun 07, 2016
-
-
Zhao Xuewen authored
Check net admin capability for ioctl calls.

CVE-2016-2475
BUG=26425765
Change-Id: I02d471d8f486e4773d72c67244dcb03b2b4835ed
Signed-off-by: Jerry Lee <jerrylee@broadcom.com>
-
Zhao Xuewen authored
Ensure SSID length is checked against the unsigned maximum.

CVE-2016-2493
Bug: 26571522
Bug: 27240072
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Change-Id: I6cf37634e3a21eac6a90049a2dcc2912345f77f9
-
Zhao Xuewen authored
Fix overwrite of updt_params allocated in heap, and stack overread where param pointer is passed from user space.

CVE: CVE-2016-2066
Bug: ANDROID-26876409
CRs-Fixed: 989628
Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
-
Zhao Xuewen authored
In _kgsl_sharedmem_page_alloc(), check for boundary limits of requested alloc size before honoring.

CVE: CVE-2016-2468
Bug: ANDROID-27475454
Change-Id: I8b9e225e515a0f31593df6f4cad253236475d0ae
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
-
Zhao Xuewen authored
In adreno_perfcounter_query_group() make sure to cast the user passed count to an unsigned int before comparing it to the group count. Otherwise the user count could be interpreted as a signed int and hilarity ensues.

CVE: CVE-2016-2062
Bug: ANDROID-27364029
Change-Id: Ic0dedbad825f5b3fd4434f9b9f6d4d308206c0d9
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
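The signed-versus-unsigned comparison that this commit and the SSID-length commit above (CVE-2016-2493) both fix, shown as an added example in userspace C. This is not code from either patch or from the drivers; the table size GROUP_COUNT, the MAX_SSID_LEN limit and all function names are this example's own assumptions, chosen to mirror the two commit messages: a user-controlled value held in a signed int passes a signed comparison when negative, then turns into a huge size_t at the point of use, and the cure is to compare the unsigned value that the later code will actually consume.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical driver-side limits, constructed for this example. */
#define GROUP_COUNT  4u
#define MAX_SSID_LEN 32u

/* Vulnerable pattern from the perfcounter case: the user-supplied count is
 * compared as a signed int. A negative value such as -1 is "less than" the
 * group count, passes the check, and then becomes a huge unsigned size at
 * the point of use. Returns 1 if the request would be honoured. */
int count_check_vulnerable(int user_count)
{
    return user_count > (int)GROUP_COUNT ? 0 : 1;
}

/* Hardened pattern: cast to unsigned before comparing, as the commit
 * describes. -1 becomes 0xFFFFFFFF and is rejected. */
int count_check_fixed(int user_count)
{
    unsigned int count = (unsigned int)user_count;
    return count > GROUP_COUNT ? 0 : 1;
}

/* The same defect in the SSID case: a length taken from a frame and held in
 * a signed int is checked against the maximum before memcpy(). Returns 1 if
 * memcpy() would be called with (size_t)ssid_len bytes. */
int ssid_check_vulnerable(int ssid_len)
{
    return ssid_len > (int)MAX_SSID_LEN ? 0 : 1;
}

/* Hardened: the check is done on the unsigned value that memcpy() will
 * actually receive, so anything outside 0..MAX_SSID_LEN is refused. */
int ssid_check_fixed(int ssid_len)
{
    return (unsigned int)ssid_len > MAX_SSID_LEN ? 0 : 1;
}

/* Bounded copy built on the fixed check. Returns bytes copied, or -1 when
 * the length is out of range or larger than the destination. */
int ssid_copy(uint8_t *dst, size_t dst_size, const uint8_t *src, int ssid_len)
{
    if (!ssid_check_fixed(ssid_len) || (unsigned int)ssid_len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)ssid_len);
    return ssid_len;
}

int main(void)
{
    /* Constructed inputs: negative, boundary and large values. */
    int samples[] = { -1, 0, 4, 5, 32, 33, 0x7fffffff };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = samples[i];
        printf("len=%11d as size_t=%20zu  count: vuln=%d fixed=%d  ssid: vuln=%d fixed=%d\n",
               v, (size_t)v,
               count_check_vulnerable(v), count_check_fixed(v),
               ssid_check_vulnerable(v), ssid_check_fixed(v));
    }
    return 0;
}
```

The "as size_t" column is the number the vulnerable paths would hand to the allocator or memcpy() after the signed check has already passed; the fixed checks reject every negative input because the cast happens before the comparison rather than after it.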
-
Zhao Xuewen authored
There are a few cases where the count argument passed by the user space is not validated, which can potentially lead to out of bounds or overflow issues. In some cases, kernel might copy more data than what is requested. Add necessary checks to avoid such cases.

CVE: CVE-2016-2489
Bug: ANDROID-27407629
Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed
[veeras@codeaurora.org: Resolved conflicts in mdss_debug.c]
Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org>
-
- May 18, 2016
-
-
Shuo Yan authored
LP/HS mode configuration for DCS Commands is currently not supported on MDP5 targets. Add the required support to meet all panel requirements.

Bug: 28803695
Change-Id: I6d6dd989af322b15fad729edce1349889476565f
Signed-off-by: Shuo Yan <shuoy@codeaurora.org>
Signed-off-by: WANG XING <raymond.wangxing@huawei.com>
-
- May 03, 2016
-
-
Zhao Xuewen authored
Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.

We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds.

CVE-2016-0774
Bug: ANDROID-27721803
Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2)
-
Zhao Xuewen authored
A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too.

Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses.

This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues.

CVE-2016-2438
Bug: ANDROID-26636060
Change-Id: I86feccec1bf3c800c1eef280f7f12c79d12e1f60
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- Apr 26, 2016
-
-
Zhao Xuewen authored
Fix a multi-thread sync issue described by the steps below; this issue causes a BT HCI command timeout.

a) The sps connection can be closed in msm_hs_check_clock_off (the first time).
b) msm_hs_check_clock_off returns 0 after sending a clk_off_timer msg to close the sps connection.
c) When clk_off_timer times out, hsuart_clock_off_work will be invoked, so msm_hs_check_clock_off is invoked for the second time.
d) If there is data/a command coming from the stack now, the uart circular buf won't be empty, which means uart_circ_empty(tx_buf) will return false.
e) If uart_circ_empty(tx_buf) returns false, msm_hs_check_clock_off only sets msm_uport->clk_state to MSM_HS_CLK_ON, but the sps connection will not be opened any more.
f) Now if there is data/a command from the stack again, because the sps connection is still closed, the uart can't transfer the command/data any more.

So here open the sps connection again.

BUG=27536255
Change-Id: Ia5791af06ea7b7e898edcf2536b04179545df9b9
Signed-off-by: z00184990 <z00184990@notesmail.huawei.com>
(cherry picked from commit a4eae2c1)
-
- Apr 12, 2016
-
-
Zhao Xuewen authored
There is not a parameter check for parameter len, which is passed from user space. This vulnerability could trigger arbitrary code execution in the kernel.

CVE-2016-2409
Bug: ANDROID-25981545
Change-Id: I3f99a49e83765742b7e3897caa6851a6410e0f97
Signed-off-by: Zhao Xuewen <zhaoxuewen@huawei.com>
-
- Apr 11, 2016
-
-
Ben Hutchings authored
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9 ("new helper: copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update.

CVE-2015-1805
Bug: 27275324
Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
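The copy-and-retry bookkeeping that this commit and the CVE-2016-0774 entry above both concern, modelled in userspace as an added example. This is not the kernel's pipe code nor either patch: the copier model_copy_to_user(), the two read models and the constructed 32-byte page, 4-byte offset, 20-byte read and 8+12-byte iovecs are all this example's own assumptions, and the page fault in the atomic attempt is simulated by a byte limit. What it shows is the mechanism the commit message describes: the copier advances the caller's iovecs as it goes, so a retry that restarts from the original source offset and length writes the already-delivered bytes a second time and never delivers the tail, while a retry that resumes from where the first attempt stopped, committing the pipe buffer offset only after success, delivers exactly the requested bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the pipe_read() copy-and-retry path. Names are this
 * example's own, not the kernel's. */
struct iov { unsigned char *base; size_t len; };
struct iov_cursor { struct iov *iov; size_t nr; };

/* Copies up to `len` bytes from `from` into the user's iovecs, advancing the
 * iovecs as it goes, like pipe_iov_copy_to_user(). If `fault_after` < len the
 * copy stops there, simulating a page fault during the atomic attempt.
 * Returns the number of bytes left uncopied (0 on success). */
static size_t model_copy_to_user(struct iov_cursor *cur, const unsigned char *from,
                                 size_t len, size_t fault_after)
{
    size_t done = 0;
    size_t limit = fault_after < len ? fault_after : len;

    while (done < limit && cur->nr > 0) {
        size_t n = limit - done;
        if (n > cur->iov->len)
            n = cur->iov->len;
        memcpy(cur->iov->base, from + done, n);
        cur->iov->base += n;
        cur->iov->len -= n;
        done += n;
        if (cur->iov->len == 0) {   /* this iovec is full, move to the next */
            cur->iov++;
            cur->nr--;
        }
    }
    return len - done;
}

/* Buggy bookkeeping: the retry restarts from the original source offset and
 * length, but the iovec cursor has already advanced past the bytes copied
 * before the fault. Those bytes are delivered again into the wrong place and
 * the tail of the request is never delivered. Returns 0 if all bytes fit. */
static int pipe_read_model_buggy(struct iov_cursor *cur, const unsigned char *page,
                                 size_t offset, size_t len, size_t fault_after)
{
    size_t left = model_copy_to_user(cur, page + offset, len, fault_after);
    if (left)
        left = model_copy_to_user(cur, page + offset, len, SIZE_MAX);
    return left ? -1 : 0;
}

/* Fixed bookkeeping: keep the source offset and remaining length in local
 * variables, advance them by what the failed attempt managed to copy, and
 * only commit them back to the pipe buffer once the whole copy succeeded. */
static int pipe_read_model_fixed(struct iov_cursor *cur, const unsigned char *page,
                                 size_t *buf_offset, size_t *buf_len, size_t fault_after)
{
    size_t off = *buf_offset, rem = *buf_len;
    size_t left = model_copy_to_user(cur, page + off, rem, fault_after);
    if (left) {
        off += rem - left;          /* resume where the atomic attempt stopped */
        rem = left;
        left = model_copy_to_user(cur, page + off, rem, SIZE_MAX);
    }
    if (left)
        return -1;
    *buf_offset = off + rem;        /* commit only after success */
    *buf_len = 0;
    return 0;
}

/* Runs one modelled read over constructed data: a 32-byte pipe page, a read
 * of 20 bytes starting at offset 4, delivered into two user iovecs of 8 and
 * 12 bytes, with a simulated fault after `fault_after` bytes of the atomic
 * attempt. Returns 1 if the user received exactly the requested bytes. */
int modelled_read_is_correct(int use_fixed, size_t fault_after)
{
    static const unsigned char page[] = "0123456789abcdefghijklmnopqrstuv";
    unsigned char a[8], b[12];
    struct iov iovs[2] = { { a, sizeof a }, { b, sizeof b } };
    struct iov_cursor cur = { iovs, 2 };
    size_t offset = 4, len = 20;
    int rc;

    memset(a, '?', sizeof a);
    memset(b, '?', sizeof b);
    if (use_fixed)
        rc = pipe_read_model_fixed(&cur, page, &offset, &len, fault_after);
    else
        rc = pipe_read_model_buggy(&cur, page, offset, len, fault_after);
    return rc == 0 && memcmp(a, page + 4, 8) == 0 && memcmp(b, page + 12, 12) == 0;
}

int main(void)
{
    size_t faults[] = { SIZE_MAX, 0, 5, 11 };
    size_t i;
    for (i = 0; i < sizeof faults / sizeof faults[0]; i++)
        printf("fault_after=%zu  buggy correct=%d  fixed correct=%d\n",
               faults[i], modelled_read_is_correct(0, faults[i]),
               modelled_read_is_correct(1, faults[i]));
    return 0;
}
```

With no fault both models agree; as soon as the atomic attempt stops partway, only the fixed model hands the reader the bytes it asked for. The kernel-memory corruption mentioned in the commit message is outside what this userspace model can show.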
-
Swetha Chikkaboraiah authored
In function krait_pmu_disable_event, parameter hwc comes from userspace and is untrusted. The function krait_clearpmu is called after the function get_krait_evtinfo. Function get_krait_evtinfo has parameter krait_evt_type, which is used to extract the groupcode (reg), which is bound to KRAIT_MAX_L1_REG (which is 3). After validation, one code path modifies groupcode (reg): if this code path executes, groupcode (reg) can be 3, 4, 5, or 6. In krait_clearpmu, groupcode is used to access array krait_functions, whose size is 3. Since groupcode can be 3, 4, 5 or 6, accessing array krait_functions leads to a buffer overflow. This change will validate groupcode not to exceed 3.

CVE-2016-0805
Bug: ANDROID-25773204
Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
CRs-fixed: 962450
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Signed-off-by: Karthik Jadala <karthikjk@codeaurora.org>
-
Mahesh Sivasubramanian authored
The cluster id flag is passed in from the userspace through ioctl interface. Ensure correctness of cluster id to avoid out of bounds array accesses.

CVE-2016-2411
Bug: ANDROID-26866053
CRS-fixed: 977508
Change-Id: I778b962d347b90488b983a15087b13e90ad06688
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
-
- Apr 08, 2016
-
-
Zhao Xuewen authored
Ensure SSID length is correct before memcpy.

Bug: 26571522
Bug: 27240072
Change-Id: I2b0279cd360fad613546c8aa280e0c6f4524763c
Signed-off-by: Ashwin <ashwin.bhat@broadcom.com>
-
Zhao Xuewen authored
Bug: 27142322
Change-Id: I631f87dcafe8423221099c285332a0b6f86b9ea8
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
Zhao Xuewen authored
Check the datalen field is less than the size of packet received from the network.

Bug: 25306181
Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I3b021d88a95bd7d4e6e0d745d2527d73487bcadc
-
Zhao Xuewen authored
Validate the amount of remaining space in the WPS IE to prevent reading past the end of the buffer.

Change-Id: I897ef4c54b6830f1f24bb958965bdf6c3b83758a
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
- Apr 05, 2016
-
-
Zhao Xuewen authored
Validate input argument before writing into pmu_constraints_codes array.

CRs-Fixed: 975404
CVE-2016-0843
Bug: ANDROID-25801197
Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
-
Zhao Xuewen authored
Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr.

The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups.

The values are suggested by Solar Designer:
http://www.openwall.com/lists/oss-security/2015/05/02/6

CVE-2016-0821
Bug: ANDROID-26186802
Change-Id: I04cb70ca118651770c7fe3bd5a99d3c74de04a41
Signed-off-by: Vasily Kulikov <segoon@openwall.com>
Cc: Solar Designer <solar@openwall.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- Mar 23, 2016
-
-
Krishnankutty Kolathappilly authored
Check for validity of length of ioctl pointer.

Change-Id: I6103a5ad7a9842b1a2de8bdb53959df8a5f5cfcc
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
-
Skylar Chang authored
Add the check on ipa wan-driver to check if receiving more than MAX_NUM_OF_MUX_CHANNEL times different RMNET_IOCTL_ADD_MUX_CHANNEL ioctls from netmgrd.

CRs-Fixed: 956393
Change-Id: Ic8890b084a8da69fdcf54541e82f6e4961492ce1
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
-
Vidyakumar Athota authored
Since LAB buffers are not reset during LAB_STOP command, there is a chance that the userspace gets stale data from the previous LAB data buffers. Clear the buffers at every LAB_STOP command.

Change-Id: Id410dbe28d2f62e52c56677a8b0f297369111385
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
-
Vidyakumar Athota authored
Add ignore suspend for input and output widgets so that dapm will not power down these widgets while they are in use and the system is going to suspend.

Change-Id: I97deccc341cef6eb723c38febe921c0c5a33a706
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
-
Vidyakumar Athota authored
Currently LAB maximum buffer size duration is defined as 1 second. There is a chance that this buffer might be overwritten sometimes. Increase the buffer size duration to 2 seconds to match ADSP side buffering.

Change-Id: Ia610fa29d8a8004c64a15295e2fe2d1b8930e204
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
-
Siva Yarravarapu authored
Enables NETFILTER_XT_TARGET_NFLOG required to properly enable strict mode. The change fixes the following cts failure:
android.os.cts.StrictModeTest#testCleartextNetwork

Change-Id: Iaba0dd709350dd2fa34015941b12e4eb0bc6f711
Signed-off-by: Siva Yarravarapu <sivay@codeaurora.org>
-
Vidyakumar Athota authored
Sound model buffer is allocated and mapped to DSP during sound model registration. This memory is not unmapped and freed during deregistration of sound model in case of ADSP based SVA. Fix this issue by calling q6lsm_snd_model_buf_free() after sound model deregistration.

Change-Id: I8ffe3b4c26cdf90c716bf7f68435712dd8de6950
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
-
ChandanaKishori Chiluveru authored
With AHB2AHB bypass mode enabled, USB core depends on PNOC frequency and it is required to be fixed while USB is active. Hence, voting for max PNOC freq, which triggers device going into turbo. To avoid device going into turbo and to eliminate the dependency with PNOC freq, disable the AHB2AHB bypass, so that USB core depends on its own USB system clock.

Change-Id: I84283c692a602b8ed46ab66c34adffd608fb54c8
Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org>
-
- Feb 02, 2016
-
-
Chenjie Luo authored
Merge "BACKPORT: pagemap: do not leak physical addresses to non-privileged userspace" into android-msm-sturgeon-3.10
-
Chenjie Luo authored
Merge "UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()" into android-msm-sturgeon-3.10
-
Chenjie Luo authored
-
Chenjie Luo authored
-
Chenjie Luo authored
-
- Feb 01, 2016
-
-
Jacky Cheung authored
Change-Id: If51631c4ac358d3c4e37ea5c690c09cb1c61e59f
-
- Jan 29, 2016
-
-
Jacky Cheung authored
It is specific to MSM host with BCM BT chips in its current form. On Tx, the wake_peer hook is called by the serial core to wake up the serial driver and to toggle the dev wake gpio. On Rx, the driver listens to the host_wake gpio state to also wake up the serial driver to receive incoming data. The driver is also registered to handle rfkill state changes.

Change-Id: I1356f64e9c6f42a24a09f39c4f8a5258e93de602
-
Jacky Cheung authored
wake_peer hook is used to do BT chip-specific power management on Tx (e.g. toggling of BT device wake gpio).

Change-Id: I7fdf5f173eea41fe791ce77c0438f814606353bf
-
- Jan 28, 2016
-
-
Kirill A. Shutemov authored
(cherry pick from commit ab676b7d)

As pointed by recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks.

This disallows anybody without CAP_SYS_ADMIN to read the pagemap.

[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

[ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ]

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Seaborn <mseaborn@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 26038811
Change-Id: Ic8eea2f6cfd7a48c6e6c7a1d7bfc0cc4228c578c
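A way to check what a given kernel exposes through the interface this commit restricts, as an added example that is not part of the commit or of the kernel: a decoder for 64-bit /proc/PID/pagemap entries plus a reader that looks up the entry for one page of the calling process. The bit layout used is the documented one for this file (bits 0-54 page frame number, bit 55 soft-dirty, bit 61 file-page or shared-anon, bit 62 swapped, bit 63 present); the function names are this example's own, and it assumes a Linux system with /proc mounted. On a kernel carrying this commit the read itself fails with EPERM for a caller without CAP_SYS_ADMIN; on an unfixed kernel the PFN field comes back populated for any caller, which is what pagemap_leaks_pfn() flags; later upstream kernels instead zero the PFN field for unprivileged readers while keeping the present bit.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Field layout of one 64-bit /proc/PID/pagemap entry (Documentation/vm/pagemap.txt). */
#define PAGEMAP_PFN_MASK   ((UINT64_C(1) << 55) - 1)   /* bits 0-54 */
#define PAGEMAP_SOFT_DIRTY (UINT64_C(1) << 55)
#define PAGEMAP_FILE_SHARED (UINT64_C(1) << 61)
#define PAGEMAP_SWAPPED    (UINT64_C(1) << 62)
#define PAGEMAP_PRESENT    (UINT64_C(1) << 63)

uint64_t pagemap_pfn(uint64_t raw)   { return raw & PAGEMAP_PFN_MASK; }
int pagemap_present(uint64_t raw)    { return (raw & PAGEMAP_PRESENT) != 0; }
int pagemap_swapped(uint64_t raw)    { return (raw & PAGEMAP_SWAPPED) != 0; }

/* A present page whose PFN field is non-zero means the kernel handed this
 * caller a physical address, which is the information a Rowhammer-style
 * attack needs. Zero PFN on a present page means the address was hidden. */
int pagemap_leaks_pfn(uint64_t raw)
{
    return pagemap_present(raw) && pagemap_pfn(raw) != 0;
}

/* Reads the pagemap entry for a virtual address of the calling process.
 * Entries are 8 bytes each, indexed by virtual page number.
 * Returns 0 on success, -1 if /proc/self/pagemap cannot be opened or read
 * (on a kernel with this commit, an unprivileged read fails with EPERM). */
int read_self_pagemap(const void *addr, uint64_t *raw)
{
    long page_size = sysconf(_SC_PAGESIZE);
    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)page_size) * (off_t)sizeof(uint64_t);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = pread(fd, raw, sizeof *raw, off);
    close(fd);
    return n == (ssize_t)sizeof *raw ? 0 : -1;
}

int main(void)
{
    uint64_t raw;
    char *page = malloc(4096);

    if (!page)
        return 1;
    *(volatile char *)page = 1;       /* touch it so the page is present */

    if (read_self_pagemap(page, &raw) != 0) {
        perror("pagemap read");       /* EPERM here is the behaviour this commit introduces */
        free(page);
        return 1;
    }
    printf("entry=0x%016llx present=%d swapped=%d pfn=0x%llx -> %s\n",
           (unsigned long long)raw, pagemap_present(raw), pagemap_swapped(raw),
           (unsigned long long)pagemap_pfn(raw),
           pagemap_leaks_pfn(raw) ? "physical address visible to this caller"
                                  : "physical address hidden");
    free(page);
    return 0;
}
```

Run it once as an ordinary user and once with CAP_SYS_ADMIN: the difference in outcome (EPERM, zero PFN, or a real PFN) tells you which of the three behaviours the kernel in front of you implements.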
-
Yevgeny Pats authored
(cherry pick from commit 23567fd0)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference.

This can be tested with the following program:

    #include <stddef.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                        "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial,
                   KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                            "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }

If, after the program has run, there is something like the following line in /proc/keys:

    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed.

Bug: 26636379
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
-
Wish Wu authored
Prevent unintended kernel NULL pointer dereferencing.

Original code:

    hlist_del_rcu(&event->hlist_entry);

Fix: adding pointer check:

    if (!hlist_unhashed(&p_event->hlist_entry))
        hlist_del_rcu(&p_event->hlist_entry);

Bug: 25364034
Change-Id: I9b4f9d60b8e799faeeafef8ebbd24360a7429994
Signed-off-by: Yuan Lin <yualin@google.com>
-