- Sep 21, 2016
-
-
Rainer Weikusat authored
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes: An AF_UNIX datagram socket being the client in an n:1 association with some server socket is only allowed to send messages to the server if the receive queue of this socket contains at most sk_max_ack_backlog datagrams. This implies that prospective writers might be forced to go to sleep despite none of the message presently enqueued on the server receive queue were sent by them. In order to ensure that these will be woken up once space becomes again available, the present unix_dgram_poll routine does a second sock_poll_wait call with the peer_wait wait queue of the server socket as queue argument (unix_dgram_recvmsg does a wake up on this queue after a datagram was received). This is inherently problematic because the server socket is only guaranteed to remain alive for as long as the client still holds a reference to it. In case the connection is dissolved via connect or by the dead peer detection logic in unix_dgram_sendmsg, the server socket may be freed despite "the polling mechanism" (in particular, epoll) still has a pointer to the corresponding peer_wait queue. There's no way to forcibly deregister a wait queue with epoll. Based on an idea by Jason Baron, the patch below changes the code such that a wait_queue_t belonging to the client socket is enqueued on the peer_wait queue of the server whenever the peer receive queue full condition is detected by either a sendmsg or a poll. A wake up on the peer queue is then relayed to the ordinary wait queue of the client socket via wake function. The connection to the peer wait queue is again dissolved if either a wake up is about to be relayed or the client socket reconnects or a dead peer is detected or the client socket is itself closed. This enables removing the second sock_poll_wait from unix_dgram_poll, thus avoiding the use-after-free, while still ensuring that no blocked writer sleeps forever. Signed-off-by:
Rainer Weikusat <rweikusat@mobileactivedefense.com> Fixes: ec0d215f ("af_unix: fix 'poll for write'/connected DGRAM sockets") Reviewed-by:
Jason Baron <jbaron@akamai.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Bug: 29119002 (cherry picked from commit 7d267278) Signed-off-by:
Aarthi Thiruvengadam <athiru@google.com> Bug: 31554728 Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e Tracked-On: https://jira01.devtools.intel.com/browse/AW-1795 Signed-off-by:
Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
-
Yueyao (Nathan) Zhu authored
Bug: 29823941 If __key_link_begin() failed then "edit" would be uninitialized. I've added a check to fix that. This allows a random user to crash the kernel, though it's quite difficult to achieve. There are three ways it can be done as the user would have to cause an error to occur in __key_link(): (1) Cause the kernel to run out of memory. In practice, this is difficult to achieve without ENOMEM cropping up elsewhere and aborting the attempt. (2) Revoke the destination keyring between the keyring ID being looked up and it being tested for revocation. In practice, this is difficult to time correctly because the KEYCTL_REJECT function can only be used from the request-key upcall process. Further, users can only make use of what's in /sbin/request-key.conf, though this does including a rejection debugging test - which means that the destination keyring has to be the caller's session keyring in practice. (3) Have just enough key quota available to create a key, a new session keyring for the upcall and a link in the session keyring, but not then sufficient quota to create a link in the nominated destination keyring so that it fails with EDQUOT. The bug can be triggered using option (3) above using something like the following: echo 80 >/proc/sys/kernel/keys/root_maxbytes keyctl request2 user debug:fred negate @t The above sets the quota to something much lower (80) to make the bug easier to trigger, but this is dependent on the system. Note also that the name of the keyring created contains a random number that may be between 1 and 10 characters in size, so may throw the test off by changing the amount of quota used. Assuming the failure occurs, something like the following will be seen: kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h ------------[ cut here ]------------ kernel BUG at ../mm/slab.c:2821! ... RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25 RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092 RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000 RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300 RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202 R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001 ... Call Trace: kfree+0xde/0x1bc assoc_array_cancel_edit+0x1f/0x36 __key_link_end+0x55/0x63 key_reject_and_link+0x124/0x155 keyctl_reject_key+0xb6/0xe0 keyctl_negate_key+0x10/0x12 SyS_keyctl+0x9f/0xe7 do_syscall_64+0x63/0x13a entry_SYSCALL64_slow_path+0x25/0x25 Fixes: f70e2e06 ('KEYS: Do preallocation for __key_link()') Signed-off-by:Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
David Howells <dhowells@redhat.com> cc: stable@vger.kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 38327424b40bcebe2de92d07312c89360ac9229a) Bug: 31554728 Change-Id: Ia9616cce142a616beea0ef20bde49129939d2d2d Tracked-On: https://jira01.devtools.intel.com/browse/AW-1795 Signed-off-by:
-
- Sep 13, 2016
-
-
Kangjie Lu authored
The stack object “map” has a total size of 32 bytes. Its last 4 bytes are padding generated by compiler. These padding bytes are not initialized and sent out via “nla_put”. Bug: 30609570 Change-Id: I2a6f83631853e395f2e618faaebf7e3d5620fbff Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Kangjie Lu <kjlu@gatech.edu> Signed-off-by:
Erwan Mahe <erwan.mahe@intel.com>
-
Erwan Mahe authored
An elevation of privilege vulnerability in the ION driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Bug: 30609570 Change-Id: I550acbf7bb641e3d044dbbdebb77ee77df30573c Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: I3c04e39cdc47e70817d93dfe5d17ac6d228a0dc7 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: I633f3603c00a89e7fa71862d840199e9eeeaf22e Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Kangjie Lu authored
The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: Ic18aa03a7c8726ff9ed937659088fc3b4a75f6ce Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Kangjie Lu authored
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”. Bug: 30609570 Change-Id: I6714f9732c1e797be262f5f92d27d3d3513bf5d9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
-
Mekala Natarajan authored
Bug: 30609570 Change-Id: I1b1384d5aed35a0c5f7618373274de77c54a6fea Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Mekala Natarajan <mnatarajan@google.com> Signed-off-by:
-
Jeff Vander Stoep authored
Add: CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y to android-base.cfg The kernel.perf_event_paranoid sysctl is set to 3 by default. No unprivileged use of the perf_event_open syscall will be permitted unless it is changed. Bug: 30609570 Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Erwan Mahe authored
When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed. https://lkml.org/lkml/2016/1/11/587 Signed-off-by:
Ben Hutchings <ben@decadent.org.uk> Bug: 30609570 Change-Id: Ie120da23fbfe5ca260cab69c1dffb191a01600c6 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Ben Hutchings authored
perf_event_paranoid was only documented in source code and a perf error message. Copy the documentation from the error message to Documentation/sysctl/kernel.txt. Signed-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Bug: 30609570 Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Linus Torvalds authored
We had for some reason overlooked the AIO interface, and it didn't use the proper rw_verify_area() helper function that checks (for example) mandatory locking on the file, and that the size of the access doesn't cause us to overflow the provided offset limits etc. Instead, AIO did just the security_file_permission() thing (that rw_verify_area() also does) directly. This fixes it to do all the proper helper functions, which not only means that now mandatory file locking works with AIO too, we can actually remove lines of code. Bug: 30609570 Change-Id: I3ad4b846f19c60cb12224020cd20c9ee7c761f23 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
Manish Honap <manish_honap_vit@yahoo.co.in> Cc: stable@vger.kernel.org Signed-off-by:
-
Dan Carpenter authored
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Bug: 30609570 Change-Id: I0823fae32063a64d677f504de6686f99a233acdb Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Fixes: b35cc822 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by:
-
Takashi Iwai authored
ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Bug: 30609570 Change-Id: I8fd084a0535cc39b3e4eebe924adccc3c0b8d732 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
Dmitry Vyukov <dvyukov@google.com> Tested-by:
-
Takashi Iwai authored
ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Bug: 30609570 Change-Id: I0fa8940a4f15a4f2a4b2a288e0b728fb0d925ec6 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
-
- Sep 12, 2016
-
-
Hector Marco-Gisbert authored
Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files (libraries, vDSO, etc.). This patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. By default on i386 there are 8 bits for the randomization of the libraries, vDSO and mmaps which only uses 1MB of VA. This patch preserves the original randomness, using 1MB of VA out of 3GB or 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR. The first obvious security benefit is that all objects are randomized (not only the stack and the executable) in legacy mode which highly increases the ASLR effectiveness, otherwise the attackers may use these non-randomized areas. But also sensitive setuid/setgid applications are more secure because currently, attackers can disable the randomization of these applications by setting the ulimit stack to "unlimited". This is a very old and widely known trick to disable the ASLR in i386 which has been allowed for too long. Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE personality flag, but fortunately this doesn't work on setuid/setgid applications because there is security checks which clear Security-relevant flags. This patch always randomizes the mmap_legacy_base address, removing the possibility to disable the ASLR by setting the stack to "unlimited". Bug: 30609570 Change-Id: Idbea7473e2f0713b8ae126c9de6de38ab0dac3f4 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Hector Marco-Gisbert <hecmargi@upv.es> Acked-by:
Ismael Ripoll Ripoll <iripoll@upv.es> Acked-by:
Kees Cook <keescook@chromium.org> Acked-by:
Arjan van de Ven <arjan@linux.intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: akpm@linux-foundation.org Cc: kees Cook <keescook@chromium.org> Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es Signed-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
- Aug 16, 2016
-
-
Julie Regairaz authored
This patch is to downgrade SDIO host controller from 3.0 version to 2.0 Version to force registering the wifi chip as a 2.0 SDIO HW since it is advertising that it's 3.0 while the datasheet shows that it only supports 2.0, know that this didn't cause an issue with CDP platform, but with Shasta, it leads to have WIFI chip not correctly probed. Change-Id: I015123c8899263f9b505cf1c0ce86155f794754d Tracked-On: https://jira01.devtools.intel.com/browse/AW-181 Signed-off-by:
Julie Regairaz <julie.regairaz@intel.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/489688 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Jarzmik, Robert <robert.jarzmik@intel.com>
-
Sophia Gong authored
At each display power on, flip panel and DC frame buffer from one direction to the other (0°->180° and 180°->0°). Change-Id: I273852d2147f272fad85f9ffaf78afd1dc7d1410 Tracked-On: https://jira.ndg.intel.com/browse/SUS-163 Signed-off-by:
Sophia Gong <sophia.gong@intel.com> Signed-off-by:
Alexandre Ledentec <alexandrex.ledentec@intel.com> Reviewed-on: https://android.intel.com/521188 Reviewed-by:
-
- Jul 21, 2016
-
-
Saadi Maalem authored
Bug: 28447556 Change-Id: I3916c50903fe7d16f28f28d4b4360f1205e596ef Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
Saadi Maalem <saadi.maalem@intel.com>
-
Saadi Maalem authored
Bug: 27532522 Change-Id: Ia0967c5a070534f91c2fea858403486c84bd6ec2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
-
Greg Kroah-Hartman authored
commit ff19ac8f upstream In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Bug: 28588279 Reported-by:
Ben Hawkes <hawkes@google.com> Acked-by:
Benjamin LaHaise <bcrl@kvack.org> Tested-by:
Willy Tarreau <w@1wt.eu> [backported to 3.10 - willy] Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Change-Id: I409982523282bcff0eacb8b4285670abe9c90793
-
Alan Stern authored
Commit 8520f380 ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use. This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which nothing should be done. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Reported-by:
Alexandru Cornea <alexandru.cornea@intel.com> Tested-by:
-
Mark Salyzyn authored
(cherry pick from commit 179448bfe4cd201e98e728391c6b01b25c849fe8) This patch adds a max block check for get_data_block_bmap. Trinity test program will send a block number as parameter into ioctl_fibmap, which will be used in get_node_path(), when the block number large than f2fs max blocks, it will trigger kernel bug. Signed-off-by:
Yunlei He <heyunlei@huawei.com> Signed-off-by:
Xue Liu <liuxueliu.liu@huawei.com> [Jaegeuk Kim: fix missing condition, pointed by Chao Yu] Signed-off-by:
Jaegeuk Kim <jaegeuk@kernel.org> Bug: 28271368 Change-Id: Ia5acae04522993d5b60a0bcb5ccc184c66532be8
-
Mohamad Ayyash authored
BUG: 27577101 BUG: 27532522 Change-Id: I890831a72e5ad4485fdf30e51a146712b18052ed Signed-off-by:Mohamad Ayyash <mkayyash@google.com>
-
Peter Hurley authored
ioctl(TIOCGETD) retrieves the line discipline id directly from the ldisc because the line discipline id (c_line) in termios is untrustworthy; userspace may have set termios via ioctl(TCSETS*) without actually changing the line discipline via ioctl(TIOCSETD). However, directly accessing the current ldisc via tty->ldisc is unsafe; the ldisc ptr dereferenced may be stale if the line discipline is changing via ioctl(TIOCSETD) or hangup. Wait for the line discipline reference (just like read() or write()) to retrieve the "current" line discipline id. Change-Id: I3b451e3d0d9e90d9ecf838d10510118e9bcf8a7d Cc: <stable@vger.kernel.org> Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
-
Saadi Maalem authored
Ensure SSID length is checked unsigned maximum Bug: 26571522 Bug: 27241903 Change-Id: Ica71368b26d4a6036396d92cb372d69c79e497cc Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
Mark Salyzyn <salyzyn@google.com> Signed-off-by:
-
- Jun 08, 2016
-
-
Victor Tasayco Loarte authored
(cherry pick from commit c8a8d33845f07755f3bab9af3ac6a6fa18a09b3d) Ensure SSID length is correct before memcpy Signed-off-by:
Ashwin <ashwin.bhat@broadcom.com> Bug: 26571522 Bug: 27240072 Change-Id: I2b0279cd360fad613546c8aa280e0c6f4524763c Tracked-On: https://jira01.devtools.intel.com/browse/AW-691 Signed-off-by:
-
Victor Tasayco Loarte authored
(cherry pick from commit 7b4bd6e41ed514dddf9e403472b1fb6f808d3f4b) check net admin capability for ioctl calls Signed-off-by:
Jerry Lee <jerrylee@broadcom.com> Bug: 26425765 Bug: 27997075 Change-Id: Iae1b53aa62fdc24530bb1b85cb69740c87d182e9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-691 Signed-off-by:
-
- May 03, 2016
-
-
Sophia Gong authored
This bias current increase is recommended by the panel vendor to ensure proper voltage ramp for the display driver IC. Change-Id: I33f851055194136d6bed118349d23453b8c132ec Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1055 Signed-off-by:
-
- Apr 21, 2016
-
-
Julien Masson authored
When no SPID is provisionned, it is possible that the structure holding the charging_profile is NULL. This can result in a panic atr boot in the bq24232 driver. Setting a default charging_profile and checking NULL pointer fixes this issue. Change-Id: I3ce0a5db9963f26c87e51ea534d857faf0b089ad Tracked-On: https://jira01.devtools.intel.com/browse/AW-325 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/494634 Reviewed-by:
-
- Apr 15, 2016
-
-
Ben Hutchings authored
Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. Bug: 28054181 Change-Id: I988802f38acf40c7671fa0978880928b02d29b56 References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by:
-
Ben Hutchings authored
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory. This was fixed upstream by commits f0d1bec9 ("new helper: copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update. CVE-2015-1805 Bug: 27275324 Bug: 28054181 Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4 References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855 Signed-off-by: -
Takashi Iwai authored
(cherry pick from commit b5a663aa426f4884c71cd8580adae73f33570f0d) A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks of locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues. Change-Id: I62e7f671a298e70fe6e6e64ddc3ff92106d2adf8 Reported-by:
-
- Apr 01, 2016
-
-
Sophia Gong authored
1.readback panel gamma register values when exit ambient power mode. 2.check if these values are correct. 3.reconfigure if any of these values are wrong. Change-Id: I88d6efaef9c8ad1a30c78d0c0a3d7bfc694f3916 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1228 Signed-off-by:
WeiX Liu <weix.w.liu@intel.com> Signed-off-by:
-
- Mar 25, 2016
-
-
Victor Tasayco Loarte authored
Bug: 25981545 Bug: 27634138 Change-Id: Ifa2d926b8cbd58e80c266b914144c6fa4ae58798 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1570 Signed-off-by:
-
Victor Tasayco Loarte authored
Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/a2e03edde8609aee2e945d3cb84b0227498b275d Bug: 27142322 Bug: 27634138 Change-Id: I8103be6bb456ae436a7927fa0ad9a89efefef36d Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1570 Signed-off-by:
Patrick Tjin <pattjin@google.com> Signed-off-by:
-
Kirill A. Shutemov authored
(cherry pick from commit ab676b7d) As pointed by recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks. This disallows anybody without CAP_SYS_ADMIN to read the pagemap. [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html [ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ] Signed-off-by:
Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by:
Konstantin Khlebnikov <khlebnikov@openvz.org> Acked-by:
Andy Lutomirski <luto@amacapital.net> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Mark Seaborn <mseaborn@chromium.org> Cc: stable@vger.kernel.org Signed-off-by:
-
Victor Tasayco Loarte authored
Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr. The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups. The values are suggested by Solar Designer: http://www.openwall.com/lists/oss-security/2015/05/02/6 Bug: 26186802 Bug: 27453997 Change-Id: I5586529168e5e94d7de2c213664d1e8d6edb1284 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Signed-off-by:Yuan Lin <yualin@google.com> Signed-off-by:
-
Yevgeny Pats authored
(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2) This fixes CVE-2016-0728. If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference. This can be tested with the following program: #include <stddef.h> #include <stdio.h> #include <sys/types.h> #include <keyutils.h> int main(int argc, const char *argv[]) { int i = 0; key_serial_t serial; serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) { perror("keyctl"); return -1; } for (i = 0; i < 100; i++) { serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } } return 0; } If, after the program has run, there something like the following line in /proc/keys: 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed. Bug: 26636379 Bug: 27453997 Reported-by:Yevgeny Pats <yevgeny@perception-point.io> Signed-off-by:
Don Zickus <dzickus@redhat.com> Acked-by:
Prarit Bhargava <prarit@redhat.com> Acked-by:
Jarod Wilson <jarod@redhat.com> Signed-off-by:
James Morris <james.l.morris@oracle.com> Change-Id: I10177a58a7b3178eda95017557edaa7298594d06 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Reviewed-on: https://android.intel.com/483556 Reviewed-by:
-
