- Aug 17, 2016
steven_syu authored
Subject: [PATCH] USB: usbfs: fix potential infoleak in devio

The stack object "ci" has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via "copy_to_user".

Change-Id: I0e72b4f00bf253d472bfce2660e5370de99d0018
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249847
Reviewed-by: Steven Syu <steven_syu@asus.com>
Tested-by: Steven Syu <steven_syu@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
- Aug 12, 2016
Ken Cheng authored
Asoc:msm:Added Buffer overflow check

The overflow check is required to ensure that user space data in kernel may not go beyond buffer boundary.

Change-Id: I0bbae3c7ec979e2e59f5ca6e49d13ca9e53dd700
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249264
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
- Aug 11, 2016
josh_hsu authored
ipv6: add complete rcu protection around np->opt

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions while socket is not locked : Other threads can change np->opt concurrently. Dmitry posted a syzkaller (http://github.com/google/syzkaller) program demonstrating use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() and dccp_v6_request_recv_sock() also need to use RCU protection to dereference np->opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np->opt

Change-Id: I93a999026e0f95d2ae0cc03948d2cfff6e62a2d5
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249052
Tested-by: Carol_Jiang <carol_jiang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
josh_hsu authored
Change-Id: Iadb460ac84124c9095704f3dcc4d5981f6c547ab
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249051
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
shunmin_wang authored
Change-Id: Ifd29eb66aad5e5f177d76f7dc55a87f1e421f722
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249050
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
Tingyi Kuo authored
Diag driver holds on to the socket process task structure even after signaling the process to exit. This patch clears the internal handle after signaling.

Change-Id: I0cc0be474a1cb64bbe55e1dd5d7418591389a2a1
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249012
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
josh_hsu authored
msm: mdss: Unmap only when buffer was mapped

Currently buffer is unmapped if iommu is attached. This can lead to potential unmap issues if wrong addresses are sent and are tried to unmap without mapping. Hence ensure unmap is done only when buffer is mapped.

Change-Id: I339d6aefa501cda0ed0cf8f6b9c516b64d892b82
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248994
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
- Aug 09, 2016
Hammer_Tsao authored
ANDROID-28939037 vfs:make AIO use the proper rw_verify_area() area helpers

Change-Id: Id262f81c76851b1f79607fcc820eead56aede9bb
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248118
Reviewed-by: Hammer_Tsao <Hammer_Tsao@asus.com>
Tested-by: Hammer_Tsao <Hammer_Tsao@asus.com>
Reviewed-by: Tony1_Yu <tony1_yu@asus.com>
Tested-by: Tony1_Yu <tony1_yu@asus.com>
-
Allen Huang authored
Elevation of privilege vulnerability in kernel performance subsystem

CVE: CVE-2016-3843
Reference: ANDROID-29119870
Severity: High
Updated AOSP versions: 6.0, 6.1
Date reported: Google internal

Elevation of privilege vulnerabilities in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because of the kernel attack surface available for attackers to exploit.

Note: This is a platform level update designed to mitigate a class of vulnerabilities such as CVE-2016-3843 (ANDROID-28086229). Kernel patches for versions 3.4, 3.10 and 3.18 are required in addition to the AOSP patches. A code snippet for the kernel patch is provided in the bulletin patches zip file on Google Drive.

Additional technical details:

Bug Details ANDROID-29119870
The kernel performance subsystem is intended for developers and should not be exposed by default on production builds. Developers may still optionally expose perf using adb. The fix is designed to restrict unprivileged use of performance events.

Change-Id: I0a6dc6c8d0b25eba40eac565ccd751009ed8e341
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248102
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
Vegard Nossum authored
We're copying the on-stack structure to userspace, but forgot to give the right number of bytes to copy. This allows the calling process to obtain up to PAGE_SIZE bytes from the stack (and possibly adjacent kernel memory).

This fix copies only as much as we actually have on the stack (attr->size defaults to the size of the struct) and leaves the rest of the userspace-provided buffer untouched.

Found using kmemcheck + trinity.

Fixes: d50dde5a ("sched: Add new scheduler syscalls to support an extended scheduling parameters ABI")
Cc: Dario Faggioli <raistlin@linux.it>
Cc: Juri Lelli <juri.lelli@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1392585857-10725-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Change-Id: I9b942c19a7bb3301e2e94f26372cf0ce5d20824d
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248109
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
jay_chuang authored
ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

The stack object “tread” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

The stack object “r1” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.

Change-Id: Ic48233e7e5dda5e1565307dadf0d1bc0c7b4a89b
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: timer: Fix leak in events via snd_timer_user_ccallback

The stack object “r1” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/242811
Reviewed-by: jay_chuang <jay_chuang@asus.com>
Tested-by: jay_chuang <jay_chuang@asus.com>
Reviewed-by: Eric1 Lin <Eric1_Lin@asus.com>
Change-Id: I0a290d94b336001ee4c6fceb012ae5fb9519db08
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248051
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
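The padding leak described in the three ALSA timer commits above (and in the usbfs and sched_getattr commits on this page) can be reproduced in user space. The following is an added illustration, not code from any of those patches: the struct `timer_read_like`, the helpers `padding_bytes` and `leaked_bytes`, and the use of a poisoned local buffer in place of stale kernel stack are all assumptions; the struct is only modelled on the commit text (an int, a timespec, an unsigned int, 32 bytes with 8 bytes of padding on a 64-bit build), not on the kernel's definition.

```c
/* Added example: why initialising only the named fields of a stack object
 * leaks its padding bytes, and why zeroing the whole object first closes
 * the leak. Struct shape and helper names are assumptions, not the
 * kernel's snd_timer_tread. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct timer_read_like {
    int event;                 /* 4 bytes, then padding to align tstamp */
    struct timespec tstamp;    /* two 64-bit fields on an LP64 build */
    unsigned int val;          /* 4 bytes, then tail padding */
};

#define POISON 0xAA            /* stands in for stale stack contents */

/* Bytes of the object that no named field covers (the padding). */
size_t padding_bytes(void)
{
    return sizeof(struct timer_read_like)
         - (sizeof(int) + sizeof(struct timespec) + sizeof(unsigned int));
}

/* Build the object from poisoned memory the way the buggy code did
 * (fields only), copy it out as copy_to_user would, and count the poison
 * bytes that reached the "user". zero_first selects the fixed behaviour. */
size_t leaked_bytes(int zero_first)
{
    struct timer_read_like obj;
    unsigned char out[sizeof obj];
    size_t i, leaked = 0;

    memset(&obj, POISON, sizeof obj);       /* stale data from an earlier use */
    if (zero_first)
        memset(&obj, 0, sizeof obj);        /* the fix: clears padding as well */
    obj.event = 1;                          /* constructed field values */
    obj.tstamp.tv_sec = 0;
    obj.tstamp.tv_nsec = 0;
    obj.val = 0;

    memcpy(out, &obj, sizeof obj);          /* stands in for copy_to_user() */
    for (i = 0; i < sizeof out; i++)
        if (out[i] == POISON)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("struct size %zu, padding %zu bytes\n",
           sizeof(struct timer_read_like), padding_bytes());
    printf("bytes leaked without memset: %zu\n", leaked_bytes(0));
    printf("bytes leaked with memset:    %zu\n", leaked_bytes(1));
    return 0;
}
```

On an LP64 build the first line reports 32 and 8, matching the commit text; on a target with no padding both leak counts are simply 0.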
-
jay_chuang authored
ALSA: seq: Fix race at timer setup and close

ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: timer: Fix race among timer ioctls

ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in any way, so it should be fine to serialize there.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size.

Change-Id: I39d409a8f737c83880bc7f1383dc066c3afb1beb
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248049
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
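The truncation described in the compress commit above (a product that fits the wide multiplication but not the unsigned int it is stored in) is easy to get wrong and easy to check for. The following is an added example, not the ALSA driver's code: the struct `compr_buffer_params` and the functions `buggy_buffer_size` and `checked_buffer_size` are assumptions; only the field names follow the commit message.

```c
/* Added example: a multiply-then-narrow size computation, buggy and
 * hardened. Names are assumptions modelled on the commit message, not
 * the kernel's snd_compr_allocate_buffer(). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed shape of the user-supplied parameters. */
struct compr_buffer_params {
    uint32_t fragments;
    uint32_t fragment_size;
};

/* The buggy pattern: the 64-bit product does not overflow, but storing
 * it in a 32-bit unsigned int drops the high bits, so the allocation
 * ends up smaller than the caller expects. Returns the size that would
 * actually be allocated. */
unsigned int buggy_buffer_size(const struct compr_buffer_params *p)
{
    uint64_t total = (uint64_t)p->fragments * p->fragment_size;
    unsigned int buffer_size = total;   /* implicit narrowing; high bits lost */
    return buffer_size;
}

/* Hardened version: compute in a wide type and reject any product that
 * does not fit the narrower type it will be stored in (zero-sized
 * requests are rejected too). Returns 0 on success, -1 when rejected. */
int checked_buffer_size(const struct compr_buffer_params *p, unsigned int *out)
{
    uint64_t total;

    if (p->fragments == 0 || p->fragment_size == 0)
        return -1;
    total = (uint64_t)p->fragments * p->fragment_size;
    if (total > UINT_MAX)               /* would truncate on store */
        return -1;
    *out = (unsigned int)total;
    return 0;
}

int main(void)
{
    /* Constructed input: 65536 fragments of 65536 bytes is exactly 2^32,
     * which becomes 0 when stored in a 32-bit unsigned int. */
    struct compr_buffer_params bad = { 65536u, 65536u };
    struct compr_buffer_params ok = { 4u, 4096u };
    unsigned int size;

    printf("buggy size for 65536 x 65536: %u\n", buggy_buffer_size(&bad));
    printf("checked 65536 x 65536: %s\n",
           checked_buffer_size(&bad, &size) ? "rejected" : "accepted");
    if (checked_buffer_size(&ok, &size) == 0)
        printf("checked size for 4 x 4096: %u\n", size);
    return 0;
}
```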
-
- Jul 19, 2016
Hammer_Tsao authored
ANDROID-28588279

Change-Id: Icd0dca9b8481a4de8ce597cb3ae45ceb109e1acb
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/244392
Reviewed-by: Hammer_Tsao <Hammer_Tsao@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
jason2_chang authored
Change-Id: I77f8a2bf31657910e0a68232516130108ff829e5
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/243699
Reviewed-by: jason2_chang <jason2_chang@asus.com>
Tested-by: jason2_chang <jason2_chang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
steven_syu authored
Subject: USB: fix invalid memory access in hub_activate()

Commit 8520f380 ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which case nothing should be done.

Change-Id: Ib776038c6da7151e87cd0fdc5928d0e65081d2dc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/240760
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
Manu Gautam authored
usb: f_serial: Check for SMD data length in GSER_IOCTL

If user tries to send SMD data more than the driver buffer can handle then fail the same and print error message. This smd_write is exposed to userspace through ioctl using a misc device.

Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/240759
Reviewed-by: Steven Syu <steven_syu@asus.com>
Tested-by: Steven Syu <steven_syu@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
josh_hsu authored
Change-Id: Iceb98647f3031f4329b720f7a8441eab41bbf33b
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/237524
Reviewed-by: Josh Hsu <josh_hsu@asus.com>
Tested-by: Josh Hsu <josh_hsu@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
Ken Cheng authored
[CVE-2016-2068] apply the part of the patch for integer overflow check in asm driver

ASoC: msm: audio-effects: misc fixes in h/w accelerated effect

Adding memory copy size check and integer overflow check in h/w accelerated effect driver.

Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
CRs-Fixed: 1006609
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/237100
Reviewed-by: Ken Cheng <ken_cheng@asus.com>
Tested-by: Ken Cheng <ken_cheng@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
Allen Huang authored
Elevation of Privilege Vulnerability in Qualcomm Performance Component (Device Specific)

CVE: CVE-2016-3768
Android bugs: ANDROID-28172137
Severity: Critical
Updated kernel versions: 3.4, 3.10
Date reported: Apr 9, 2016

An elevation of privilege vulnerability in the Qualcomm performance component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

ANDROID-28172137 (Qualcomm ref#: CR#1010644)
During a perf_event_enable, an event could be enabled on multiple hw_events. However, during the perf_release, the event struct is freed and only one hw_event is released. This could lead to dereferencing the invalid pointer and Use-After-Free vulnerability. The fix is designed to return an error in the case of event duplication.

Change-Id: Ica19b394c7d8adbedfa8c3c0b23461da4284fda6
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/236713
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
- Jul 13, 2016
jason2_chang authored
Change-Id: I9260705c7a51a13b95004946024f1fcd6a032463
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/243314
Reviewed-by: Tom Chu <tom_chu@asus.com>
Tested-by: Tom Chu <tom_chu@asus.com>
-
- Jun 22, 2016
shunmin_wang authored
In _kgsl_sharedmem_page_alloc(), check for boundary limits of requested alloc size before honoring.

Change-Id: Ib76926a6c5994065d5c8f4a9e36b34dff5d4596b
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/238963
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-
- Jun 20, 2016
shunmin_wang authored
Change-Id: I548669d4373f30cf63ec59621124a3260151dfe4
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/236401
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
-
shunmin_wang authored
Change-Id: Ic58bcaf01ae999c173a3ccd0523f79aafcca7267
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/236400
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
-
shunmin_wang authored
In adreno_perfcounter_query_group() make sure to cast the user passed count to an unsigned int before comparing it to the group count. Otherwise the user count could be interpreted as a signed int and hilarity ensues.

Change-Id: I743d50234780a1a6e9495c3911a83e3624a0347d
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/231414
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
-
shunmin_wang authored
msm: mdss: fix possible out-of-bounds and overflow issue in mdp debugfs (CVE-2016-2489)(CVE-2016-2465)

There are few cases where the count argument passed by the user space is not validated, which can potentially lead to out of bounds or overflow issues. In some cases, kernel might copy more data than what is requested. Add necessary checks to avoid such cases.

Change-Id: I8a76fe64d2885879870c4e239333bc3da2c2256c
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/231138
Reviewed-by: shunmin_wang <shunmin_wang@asus.com>
Tested-by: shunmin_wang <shunmin_wang@asus.com>
-
- Jun 06, 2016
Ken Cheng authored
[CVE-2016-2066] apply the part of the patch for audio effect Equalizer only

[PATCH] ASoC: msm: audio-effects: fix stack overread and heap overwrite

Fix overwrite of updt_params allocated in heap, and stack overread where param pointer is passed from user space.

CRs-Fixed: 989628

[CVE-2016-2469] disable compilation of the modules DTS and Dolby DAP

Change-Id: I05ad0c7f61511f7ac76e3f1e45ad246e999f3fa1
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/235772
Reviewed-by: Ken Cheng <ken_cheng@asus.com>
Tested-by: Ken Cheng <ken_cheng@asus.com>
-
- May 11, 2016
Allen Huang authored
From 8f32bdf1 Mon Sep 17 00:00:00 2001
From: Kaushal Kumar <kaushalk@codeaurora.org>
Date: Fri, 12 Feb 2016 13:20:17 +0530
Subject: [PATCH] defconfig: msm: Disable CONFIG_SYSVIPC

As per latest upstream status, android SELinux policies block SysV IPC and new kernels should not be built with it. Disable SYSVIPC for all msm defconfigs.

Change-Id: I025dc1a8a01f4b433f1e78cd5b19f412c4061911
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229951
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
Android SELinux policies block SysV IPC. New kernels should not be built with it.

Bug: 22300191
Change-Id: Ia4bcb179ff71825cab19eed603d4064a8d061a93
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229950
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
- May 10, 2016
josh_hsu authored
Fix a multi-thread sync issue described in the steps below; this issue causes a BT HCI command timeout.

a) sps connection can be closed in msm_hs_check_clock_off (the first time).
b) msm_hs_check_clock_off returns 0 after sending a clk_off_timer msg to close the sps connection.
c) when clk_off_timer times out, hsuart_clock_off_work will be invoked, so msm_hs_check_clock_off is invoked for the second time.
d) if a data/command comes from the stack now, the uart circular buf won't be empty, which means uart_circ_empty(tx_buf) will return false.
e) if uart_circ_empty(tx_buf) returns false, msm_hs_check_clock_off only sets msm_uport->clk_state to MSM_HS_CLK_ON, but the sps connection will not be opened any more.
f) now if there is a data/command from the stack again, because the sps connection is still closed, the uart can't transfer the command/data any more.

So here we open the sps connection again.

Change-Id: If81fdcfb376ef50667dc6ff9762cd05238d13dd6
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229789
Reviewed-by: Chance Chen <chance_chen@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-
- May 09, 2016
jason2_chang authored
Change-Id: I33af309f19c56beab90a28444437e8f925d9a9e9
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229459
Reviewed-by: jason2_chang <jason2_chang@asus.com>
Tested-by: jason2_chang <jason2_chang@asus.com>
-
Luis Henriques authored
This is a note to let you know that I have just added a patch titled

    KEYS: Fix keyring ref leak in join_session_keyring()

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt23.

If you, or anyone else, feels it should not be added to this tree, please reply to this email.

For more information about the 3.16.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

---8<------------------------------------------------------------

From f3e9ef6b8ef8849f32fb7929c0f1582f1c8354b1 Mon Sep 17 00:00:00 2001
From: Yevgeny Pats <yevgeny@perception-point.io>
Date: Tue, 19 Jan 2016 22:09:04 +0000
Subject: KEYS: Fix keyring ref leak in join_session_keyring()

commit 23567fd0 upstream.

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference.

This can be tested with the following program:

    #include <stddef.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }

If, after the program has run, there is something like the following line in /proc/keys:

    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed.

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Change-Id: I9e4826bb62e7e36dbf709078eab0b404b8ae51b7
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229398
Reviewed-by: LiJen_Chang <LiJen_Chang@asus.com>
Tested-by: LiJen_Chang <LiJen_Chang@asus.com>
-
- May 06, 2016
jason2_chang authored
Android-26221024 CVE-2016-2454

Change-Id: I8ab938534d57c422baadbf21d301e2301c1078e8
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229155
Reviewed-by: jason2_chang <jason2_chang@asus.com>
Tested-by: jason2_chang <jason2_chang@asus.com>
-
The service info structure is allocated with uninitialized memory for the max number of services and returns the complete structure to the userspace resulting in the information leak if lookup operation finds less number of services than the requested number.

Check the minimum of requested and available services and copy the minimum information to the user-space.

CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229017
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
prctl_set_vma_anon_name could attempt to set the name across two vmas at the same time due to a typo, which might corrupt the vma list. Fix it to use tmp instead of end to limit the name setting to a single vma at a time.

Change-Id: Ie32d8ddb0fd547efbeedd6528acdab5ca5b308b4
Reported-by: Jed Davis <jld@mozilla.com>
Signed-off-by: Colin Cross <ccross@android.com>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229016
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
- May 05, 2016
Kishor PK authored
Prevent unintended NULL pointer dereference in trace_event_perf.

Change-Id: I35151c460b4350ebd414b67c655684c2019f799f
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228618
Reviewed-by: LiJen_Chang <LiJen_Chang@asus.com>
Tested-by: LiJen_Chang <LiJen_Chang@asus.com>
-
A malicious app can open a perf event with constraint_duplicate bit set, disable the event, and close the fd. On closing the fd, the perf_release() modification causes the kernel to clean up the event as if it still were enabled, leading to the event being removed from a list twice.

CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228533
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
- May 04, 2016
Allen Huang authored
CVE: CVE-2016-0843
Bug: ANDROID-25801197
Severity: Critical
Updated versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1
Date reported: Nov 19, 2015

An elevation of privilege vulnerability in the performance event manager component for ARM processors from Qualcomm could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

Change-Id: Iad30e4fe8d177b28891460a887f77a913ee61d23
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228312
Reviewed-by: allen1_huang <allen1_huang@asus.com>
Tested-by: allen1_huang <allen1_huang@asus.com>
-
LiJen_Chang authored
Change-Id: I64b926bfe44c29c3640557a257cd6483b6421571
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228252
Reviewed-by: LiJen_Chang <LiJen_Chang@asus.com>
Tested-by: LiJen_Chang <LiJen_Chang@asus.com>
-
Ben Hutchings authored
Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.

We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds.

Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2)
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228173
Reviewed-by: steve yang <steve2_yang@asus.com>
Tested-by: steve yang <steve2_yang@asus.com>
-
steve2_yang authored
Change-Id: I414a14a60494b8066831f5aeadc0625d987d7408
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228149
Reviewed-by: steve yang <steve2_yang@asus.com>
Tested-by: steve yang <steve2_yang@asus.com>
-