- Sep 13, 2016
-
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: I3c04e39cdc47e70817d93dfe5d17ac6d228a0dc7 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Kangjie Lu <kjlu@gatech.edu> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
Erwan Mahe <erwan.mahe@intel.com>
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: I633f3603c00a89e7fa71862d840199e9eeeaf22e Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Kangjie Lu authored
The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Bug: 30609570 Change-Id: Ic18aa03a7c8726ff9ed937659088fc3b4a75f6ce Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Kangjie Lu authored
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”. Bug: 30609570 Change-Id: I6714f9732c1e797be262f5f92d27d3d3513bf5d9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
-
Mekala Natarajan authored
Bug: 30609570 Change-Id: I1b1384d5aed35a0c5f7618373274de77c54a6fea Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Mekala Natarajan <mnatarajan@google.com> Signed-off-by:
-
Jeff Vander Stoep authored
Add: CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y to android-base.cfg The kernel.perf_event_paranoid sysctl is set to 3 by default. No unprivileged use of the perf_event_open syscall will be permitted unless it is changed. Bug: 30609570 Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Erwan Mahe authored
When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed. https://lkml.org/lkml/2016/1/11/587 Signed-off-by:
Ben Hutchings <ben@decadent.org.uk> Bug: 30609570 Change-Id: Ie120da23fbfe5ca260cab69c1dffb191a01600c6 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Ben Hutchings authored
perf_event_paranoid was only documented in source code and a perf error message. Copy the documentation from the error message to Documentation/sysctl/kernel.txt. Signed-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Bug: 30609570 Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
-
Linus Torvalds authored
We had for some reason overlooked the AIO interface, and it didn't use the proper rw_verify_area() helper function that checks (for example) mandatory locking on the file, and that the size of the access doesn't cause us to overflow the provided offset limits etc. Instead, AIO did just the security_file_permission() thing (that rw_verify_area() also does) directly. This fixes it to do all the proper helper functions, which not only means that now mandatory file locking works with AIO too, we can actually remove lines of code. Bug: 30609570 Change-Id: I3ad4b846f19c60cb12224020cd20c9ee7c761f23 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
Manish Honap <manish_honap_vit@yahoo.co.in> Cc: stable@vger.kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Dan Carpenter authored
I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Bug: 30609570 Change-Id: I0823fae32063a64d677f504de6686f99a233acdb Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Fixes: b35cc822 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Takashi Iwai authored
ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Bug: 30609570 Change-Id: I8fd084a0535cc39b3e4eebe924adccc3c0b8d732 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
Dmitry Vyukov <dvyukov@google.com> Tested-by:
-
Takashi Iwai authored
ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Bug: 30609570 Change-Id: I0fa8940a4f15a4f2a4b2a288e0b728fb0d925ec6 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Reported-by:
-
- Sep 12, 2016
-
-
Hector Marco-Gisbert authored
Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files (libraries, vDSO, etc.). This patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. By default on i386 there are 8 bits for the randomization of the libraries, vDSO and mmaps which only uses 1MB of VA. This patch preserves the original randomness, using 1MB of VA out of 3GB or 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR. The first obvious security benefit is that all objects are randomized (not only the stack and the executable) in legacy mode which highly increases the ASLR effectiveness, otherwise the attackers may use these non-randomized areas. But also sensitive setuid/setgid applications are more secure because currently, attackers can disable the randomization of these applications by setting the ulimit stack to "unlimited". This is a very old and widely known trick to disable the ASLR in i386 which has been allowed for too long. Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE personality flag, but fortunately this doesn't work on setuid/setgid applications because there is security checks which clear Security-relevant flags. This patch always randomizes the mmap_legacy_base address, removing the possibility to disable the ASLR by setting the stack to "unlimited". Bug: 30609570 Change-Id: Idbea7473e2f0713b8ae126c9de6de38ab0dac3f4 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1818 Signed-off-by:
Hector Marco-Gisbert <hecmargi@upv.es> Acked-by:
Ismael Ripoll Ripoll <iripoll@upv.es> Acked-by:
Kees Cook <keescook@chromium.org> Acked-by:
Arjan van de Ven <arjan@linux.intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: akpm@linux-foundation.org Cc: kees Cook <keescook@chromium.org> Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es Signed-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
- Aug 16, 2016
-
-
Julie Regairaz authored
This patch is to downgrade SDIO host controller from 3.0 version to 2.0 Version to force registering the wifi chip as a 2.0 SDIO HW since it is advertising that it's 3.0 while the datasheet shows that it only supports 2.0, know that this didn't cause an issue with CDP platform, but with Shasta, it leads to have WIFI chip not correctly probed. Change-Id: I015123c8899263f9b505cf1c0ce86155f794754d Tracked-On: https://jira01.devtools.intel.com/browse/AW-181 Signed-off-by:
Julie Regairaz <julie.regairaz@intel.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/489688 Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Jarzmik, Robert <robert.jarzmik@intel.com>
-
Sophia Gong authored
At each display power on, flip panel and DC frame buffer from one direction to the other (0°->180° and 180°->0°). Change-Id: I273852d2147f272fad85f9ffaf78afd1dc7d1410 Tracked-On: https://jira.ndg.intel.com/browse/SUS-163 Signed-off-by:
Sophia Gong <sophia.gong@intel.com> Signed-off-by:
Alexandre Ledentec <alexandrex.ledentec@intel.com> Reviewed-on: https://android.intel.com/521188 Reviewed-by:
-
- Jul 21, 2016
-
-
Saadi Maalem authored
Bug: 28447556 Change-Id: I3916c50903fe7d16f28f28d4b4360f1205e596ef Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
Saadi Maalem <saadi.maalem@intel.com>
-
Saadi Maalem authored
Bug: 27532522 Change-Id: Ia0967c5a070534f91c2fea858403486c84bd6ec2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
-
Greg Kroah-Hartman authored
commit ff19ac8f upstream In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Bug: 28588279 Reported-by:
Ben Hawkes <hawkes@google.com> Acked-by:
Benjamin LaHaise <bcrl@kvack.org> Tested-by:
Willy Tarreau <w@1wt.eu> [backported to 3.10 - willy] Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Change-Id: I409982523282bcff0eacb8b4285670abe9c90793
-
Alan Stern authored
Commit 8520f380 ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use. This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which nothing should be done. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Reported-by:
Alexandru Cornea <alexandru.cornea@intel.com> Tested-by:
-
Mark Salyzyn authored
(cherry pick from commit 179448bfe4cd201e98e728391c6b01b25c849fe8) This patch adds a max block check for get_data_block_bmap. Trinity test program will send a block number as parameter into ioctl_fibmap, which will be used in get_node_path(), when the block number large than f2fs max blocks, it will trigger kernel bug. Signed-off-by:
Yunlei He <heyunlei@huawei.com> Signed-off-by:
Xue Liu <liuxueliu.liu@huawei.com> [Jaegeuk Kim: fix missing condition, pointed by Chao Yu] Signed-off-by:
Jaegeuk Kim <jaegeuk@kernel.org> Bug: 28271368 Change-Id: Ia5acae04522993d5b60a0bcb5ccc184c66532be8
-
Mohamad Ayyash authored
BUG: 27577101 BUG: 27532522 Change-Id: I890831a72e5ad4485fdf30e51a146712b18052ed Signed-off-by:Mohamad Ayyash <mkayyash@google.com>
-
Peter Hurley authored
ioctl(TIOCGETD) retrieves the line discipline id directly from the ldisc because the line discipline id (c_line) in termios is untrustworthy; userspace may have set termios via ioctl(TCSETS*) without actually changing the line discipline via ioctl(TIOCSETD). However, directly accessing the current ldisc via tty->ldisc is unsafe; the ldisc ptr dereferenced may be stale if the line discipline is changing via ioctl(TIOCSETD) or hangup. Wait for the line discipline reference (just like read() or write()) to retrieve the "current" line discipline id. Change-Id: I3b451e3d0d9e90d9ecf838d10510118e9bcf8a7d Cc: <stable@vger.kernel.org> Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
-
Saadi Maalem authored
Ensure SSID length is checked unsigned maximum Bug: 26571522 Bug: 27241903 Change-Id: Ica71368b26d4a6036396d92cb372d69c79e497cc Tracked-On: https://jira01.devtools.intel.com/browse/AW-1173 Signed-off-by:
Mark Salyzyn <salyzyn@google.com> Signed-off-by:
-
- Jun 08, 2016
-
-
Victor Tasayco Loarte authored
(cherry pick from commit c8a8d33845f07755f3bab9af3ac6a6fa18a09b3d) Ensure SSID length is correct before memcpy Signed-off-by:
Ashwin <ashwin.bhat@broadcom.com> Bug: 26571522 Bug: 27240072 Change-Id: I2b0279cd360fad613546c8aa280e0c6f4524763c Tracked-On: https://jira01.devtools.intel.com/browse/AW-691 Signed-off-by:
-
Victor Tasayco Loarte authored
(cherry pick from commit 7b4bd6e41ed514dddf9e403472b1fb6f808d3f4b) check net admin capability for ioctl calls Signed-off-by:
Jerry Lee <jerrylee@broadcom.com> Bug: 26425765 Bug: 27997075 Change-Id: Iae1b53aa62fdc24530bb1b85cb69740c87d182e9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-691 Signed-off-by:
-
- May 03, 2016
-
-
Sophia Gong authored
This bias current increase is recommended by the panel vendor to ensure proper voltage ramp for the display driver IC. Change-Id: I33f851055194136d6bed118349d23453b8c132ec Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1055 Signed-off-by:
-
- Apr 21, 2016
-
-
Julien Masson authored
When no SPID is provisionned, it is possible that the structure holding the charging_profile is NULL. This can result in a panic atr boot in the bq24232 driver. Setting a default charging_profile and checking NULL pointer fixes this issue. Change-Id: I3ce0a5db9963f26c87e51ea534d857faf0b089ad Tracked-On: https://jira01.devtools.intel.com/browse/AW-325 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/494634 Reviewed-by:
-
- Apr 15, 2016
-
-
Ben Hutchings authored
Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. Bug: 28054181 Change-Id: I988802f38acf40c7671fa0978880928b02d29b56 References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by:
-
Ben Hutchings authored
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory. This was fixed upstream by commits f0d1bec9 ("new helper: copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update. CVE-2015-1805 Bug: 27275324 Bug: 28054181 Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4 References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855 Signed-off-by: -
Takashi Iwai authored
(cherry pick from commit b5a663aa426f4884c71cd8580adae73f33570f0d) A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks of locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues. Change-Id: I62e7f671a298e70fe6e6e64ddc3ff92106d2adf8 Reported-by:
-
- Apr 01, 2016
-
-
Sophia Gong authored
1.readback panel gamma register values when exit ambient power mode. 2.check if these values are correct. 3.reconfigure if any of these values are wrong. Change-Id: I88d6efaef9c8ad1a30c78d0c0a3d7bfc694f3916 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1228 Signed-off-by:
WeiX Liu <weix.w.liu@intel.com> Signed-off-by:
-
- Mar 25, 2016
-
-
Victor Tasayco Loarte authored
Bug: 25981545 Bug: 27634138 Change-Id: Ifa2d926b8cbd58e80c266b914144c6fa4ae58798 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1570 Signed-off-by:
-
Victor Tasayco Loarte authored
Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/a2e03edde8609aee2e945d3cb84b0227498b275d Bug: 27142322 Bug: 27634138 Change-Id: I8103be6bb456ae436a7927fa0ad9a89efefef36d Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1570 Signed-off-by:
Patrick Tjin <pattjin@google.com> Signed-off-by:
-
Kirill A. Shutemov authored
(cherry pick from commit ab676b7d) As pointed by recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks. This disallows anybody without CAP_SYS_ADMIN to read the pagemap. [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html [ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ] Signed-off-by:
Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by:
Konstantin Khlebnikov <khlebnikov@openvz.org> Acked-by:
Andy Lutomirski <luto@amacapital.net> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Mark Seaborn <mseaborn@chromium.org> Cc: stable@vger.kernel.org Signed-off-by:
-
Victor Tasayco Loarte authored
Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr. The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups. The values are suggested by Solar Designer: http://www.openwall.com/lists/oss-security/2015/05/02/6 Bug: 26186802 Bug: 27453997 Change-Id: I5586529168e5e94d7de2c213664d1e8d6edb1284 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Signed-off-by:Yuan Lin <yualin@google.com> Signed-off-by:
-
Yevgeny Pats authored
(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2) This fixes CVE-2016-0728. If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference. This can be tested with the following program: #include <stddef.h> #include <stdio.h> #include <sys/types.h> #include <keyutils.h> int main(int argc, const char *argv[]) { int i = 0; key_serial_t serial; serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) { perror("keyctl"); return -1; } for (i = 0; i < 100; i++) { serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } } return 0; } If, after the program has run, there something like the following line in /proc/keys: 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed. Bug: 26636379 Bug: 27453997 Reported-by:Yevgeny Pats <yevgeny@perception-point.io> Signed-off-by:
David Howells <dhowells@redhat.com> Acked-by:
Don Zickus <dzickus@redhat.com> Acked-by:
Prarit Bhargava <prarit@redhat.com> Acked-by:
Jarod Wilson <jarod@redhat.com> Signed-off-by:
James Morris <james.l.morris@oracle.com> Change-Id: I10177a58a7b3178eda95017557edaa7298594d06 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Reviewed-on: https://android.intel.com/483556 Reviewed-by:
-
Victor Tasayco Loarte authored
Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/64d43b680dc74f35e9f6e4778ad5755c91395969 Bug: 25364034 Bug: 27453997 Change-Id: I99eab0b81e3c17fbe90ac2188fabbe949ad06411 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Signed-off-by:
-
Victor Tasayco Loarte authored
Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/e988c7e2ff5a2a66e201cfc3eabb862e665977c9 Bug: 25364034 Bug: 27453997 Change-Id: Ib452d6357797f6688c666f8181539b87bf452a0d Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1527 Signed-off-by:
Akue, LoicX <loicx.akue@intel.com>
-
Victor Tasayco Loarte authored
Check the datalen field is less than the size of packet received from the network. Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/cf431b959eb02cd544bab5d9349f132c1cc79a83 Bug: 25306181 Bug: 25793789 Change-Id: I791460ede06d928f5c58c34155689f13bd7b3ac4 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1415 Signed-off-by:
-
Victor Tasayco Loarte authored
These two checks prevent exploitable buffer overflows in two scenarios. 1. Long WPS_ID_DEVICE_NAME in WPS info elements 2. Invalid SSID determined in certain scan results Ported from Kernel Fugu x86_64: https://android.googlesource.com/kernel/x86_64/+/ff11200f846ab83795313d1262284743cac6cb9d Bug: 25662233 Bug: 25793789 Change-Id: Icf9ba670e75c2c8596a770132f483970fd645a79 Tracked-On: https://jira.ndg.intel.com/browse/MARVIN-1415 Signed-off-by:
-
