- Feb 24, 2017
-
-
Jim Lin authored
When gadget is disconnected, running sequence is like this.
. android_work: sent uevent USB_STATE=DISCONNECTED
. Call trace:
    usb_string_copy+0xd0/0x128
    gadget_config_name_configuration_store+0x4
    gadget_config_name_attr_store+0x40/0x50
    configfs_write_file+0x198/0x1f4
    vfs_write+0x100/0x220
    SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind

In configfs_composite_bind, it has "cn->strings.s = cn->configuration;"

When usb_string_copy is invoked, it would allocate memory, copy input string, release previous pointed memory space, and use new allocated memory.

When gadget is connected, host sends down request to get information.
Call trace:
    usb_gadget_get_string+0xec/0x168
    lookup_string+0x64/0x98
    composite_setup+0xa34/0x1ee8
    android_setup+0xb4/0x140

If gadget is disconnected and connected quickly, in the failed case, cn->configuration memory has been released by usb_string_copy kfree but configfs_composite_bind hasn't been run in time to assign new allocated "cn->configuration" pointer to "cn->strings.s".

When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling memory is accessed, "BUG: KASAN: use-after-free" error occurs.

BUG=chrome-os-partner:58412
TEST=After smaug device was connected to ubuntu PC host, detached and attached type-C cable quickly several times without seeing "BUG: KASAN: use-after-free in usb_gadget_get_string".
Bug: 31614969
Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Reviewed-on: https://android.intel.com/569912
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrew Chant authored
Place file offset validity checks under mutex.

BUG: 33555878
BUG: 33002026
Change-Id: I1945cfc8af7d1a310ae0d7bbb85002d4c448f30b
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Andrew Chant <achant@google.com>
Reviewed-on: https://android.intel.com/569911
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Eric Dumazet authored
CAP_NET_ADMIN users should not be allowed to set negative sk_sndbuf or sk_rcvbuf values, as it can lead to various memory corruptions, crashes, OOM...

Note that before commit 82981930 ("net: cleanups in sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Change-Id: I158db8dd09043734287ba70be657881c5185fd71
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-on: https://android.intel.com/569900
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Philip Pettersson authored
When packet_set_ring creates a ring buffer it will initialize a struct timer_list if the packet version is TPACKET_V3. This value can then be raced by a different thread calling setsockopt to set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the struct timer_list when the socket is closed as the previously initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when changing the packet version while also taking the lock at the start of packet_set_ring.

Change-Id: Ia7b15ac2269ec7dc8806cb7eeb3a45be8743a881
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-on: https://android.intel.com/569899
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Guillaume Nault authored
Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind(). Without lock, a concurrent call could modify the socket flags between the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way, a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it would then leave a stale pointer there, generating use-after-free errors when walking through the list or modifying adjacent entries.

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Change-Id: I6bff1df385742b1d836d43180dc87fadcea80784
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Reported-by: Baozeng Ding <sploving1@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-on: https://android.intel.com/569897
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Daniel Rosenberg authored
Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow.

Bug: 31992382
Test: See bug for poc
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Reviewed-on: https://android.intel.com/569892
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Mark Salyzyn authored
Sysrq must be enabled via /proc/sys/kernel/sysrq as a security measure to enable various critical fiq debugger commands that either leak information or can be used as a system attack.

Default disabled, this will leave the reboot, reset, irqs, sleep, nosleep, console and ps commands. Reboot and reset commands will be restricted from taking any parameters. We will also switch to showing the limited command set in this mode.

Bug: 32402555
Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Reviewed-on: https://android.intel.com/569870
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Kai Qiang authored
change the tilt threshold degree from 20 to 15

Change-Id: I054523324172d4dda84477183bb084837ef10195
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4187
Signed-off-by: Kai Qiang <kaix.qiang@intel.com>
Reviewed-on: https://android.intel.com/567758
Reviewed-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Tested-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrey Ryabinin authored
This fixes CVE-2016-8650.

If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initialised with zero limb space, no limb space is allocated and a NULL-pointer exception ensues.

Fix this by allocating a minimal amount of limb space for the result in the 0-exponent case when the result is 1 and not touching the limb space when the result is 0.

This affects the use of RSA keys and X.509 certificates that carry them.

Basically, this is a backport of a libgcrypt patch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526

Change-Id: I77e53254632ed7c0bad865e3ae156fafc02c6251
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
cc: linux-ima-devel@lists.sourceforge.net
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Reviewed-on: https://android.intel.com/569859
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 21, 2017
-
-
MorganX Binet authored
- Currently a wakelock is held only when the cable type is DCP. SDP and CDP cable types are handled in OTG driver.
- This patch includes the other types of cable

Change-Id: I14083df70b20c73de6322df62ea8756100caa96e
Tracked-On: https://jira01.devtools.intel.com/browse/AW-2877
Signed-off-by: MorganX Binet <morganx.binet@intel.com>
Reviewed-on: https://android.intel.com/568927
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Chaumette, HubertX <hubertx.chaumette@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Saadani, MarouaneX <marouanex.saadani@intel.com>
Reviewed-by: Ferrari, AlainX <alainx.ferrari@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 20, 2017
-
-
Julien Masson authored
On power on sequence, we should rotate screen to 180 degrees.

Change-Id: I59b774d0bd2d99165438ff88f4c88907dcef2585
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4188
Signed-off-by: Julien Masson <julienx.masson@intel.com>
Reviewed-on: https://android.intel.com/567406
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Gong, Sophia <sophia.gong@intel.com>
Reviewed-by: Liu, WeiX W <weix.w.liu@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 16, 2017
-
-
Kai Qiang authored
modified scale from 2G to 8G of st_lsm6ds3h

Change-Id: I83184453d1d0d361e8a3381fb654d26fb6538598
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3409
Signed-off-by: Kai Qiang <kaix.qiang@intel.com>
Reviewed-on: https://android.intel.com/568254
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 15, 2017
-
-
Sophia Gong authored
This patch is to WA below CTS 7.1-r1 dEQP mem stress failures. The failed case intends to create 128 EGL contexts. Each 3D EGL context allocates about 1.5MB memory. 1MB of them are for 3D heap size. This patch decreases PDS/USC heap size to 48MB for overall 128 EGL contexts. Full CTS-7.1, gfx smooth validation shows no side effects.

dEQP-EGL.functional.multicontext#non_shared
dEQP-EGL.functional.multicontext#non_shared_clear
dEQP-EGL.functional.multicontext#non_shared_make_current

Change-Id: I26c55ec940ab154986f475e16c72fb0a807fde18
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3635
Signed-off-by: Sophia Gong <sophia.gong@intel.com>
Signed-off-by: wenshelx <wenshengx.wang@intel.com>
Reviewed-on: https://android.intel.com/567744
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 09, 2017
-
-
Greg Hackmann authored
Bug: 32838767
Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: https://android.intel.com/565598
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com>
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Adrian Salido authored
As mentioned in commit 52ee2dfd ("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns helpers used to be buggy. The commit addresses most of the helpers but is missing task_tgid_xxx()

Without this protection there is a possible use after free reported by kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

Accessing group_leader while holding rcu_lock and using the now safe helpers introduced in the commit mentioned, this race condition is addressed.

Bug: 31495866
Signed-off-by: Adrian Salido <salidoa@google.com>
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Reviewed-on: https://android.intel.com/565596
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
Properly handle return values in tmd26723 probe to return negative values when data structures have been freed.

Change-Id: I6b7ba86bdac9dac9544dcb3bd979f18e6b4e4c64
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4020
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/565063
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Jann Horn authored
This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        /* Ask the kernel to treat readable mappings as executable. */
        personality(READ_IMPLIES_EXEC);
        /* Creating an AIO context maps the AIO ring into this process. */
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        /* Print the permissions of the [aio] mapping. */
        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)
Bug: 31711619
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085
Change-Id: Ib4ffd30b61f1d9ba629049f65a21afbf94e25cfd
Reviewed-on: https://android.intel.com/565587
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 03, 2017
-
-
MorganX Binet authored
Previous VINDPM implementation did not take into account that the register is reset at each cable connection, so VINDPM is forced every minute at the same time as the threshold value update.

Change-Id: I249666e061eec3d73c45e6ee4af37fb3562d53e0
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3147
Signed-off-by: MorganX Binet <morganx.binet@intel.com>
Reviewed-on: https://android.intel.com/565656
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Chaumette, HubertX <hubertx.chaumette@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Julien Masson authored
This type aims to be the reference for display device.

Change-Id: Ib21b3a93587ad0ac3b0e35ac7ab413557a6811ee
Tracked-On: https://jira01.devtools.intel.com/browse/AW-2918
Signed-off-by: Julien Masson <julienx.masson@intel.com>
Reviewed-on: https://android.intel.com/557162
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Afonso, PhilippeX <philippex.afonso@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 25, 2017
-
-
Hu Bingquan authored
The mod_timer might be called from the workqueue handler, and also from the power_enable sys nodes, they might collide. The fix is to protect against this collision.

Change-Id: Iae939ab1fe4dfdf9b1fb1c75d19ebfe146ae9dcd
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3861
Signed-off-by: Hu Bingquan <bingquan.hu@intel.com>
Reviewed-on: https://android.intel.com/563390
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Nassiet, GaelleX <gaellex.nassiet@intel.com>
Reviewed-by: Rouis, KhalifaX <khalifax.rouis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Lachaud, EtienneX <etiennex.lachaud@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
lowmemorykiller was not taking into account unevictable pages when deciding what level to kill. If significant amounts of memory were pinned, this caused lowmemorykiller to effectively stop at a much higher level than it should.

Change-Id: I4cdbe9bd8546b3d8eb9ec6c2f463e82fe7fa15e9
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3921
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/564659
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Ben Alaya, AymenX <aymenx.ben.alaya@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 20, 2017
-
-
Amr BEN ABDESSALEM authored
This patch fixes a faced memory leak caused by not detaching sih structure if firmware download fails.

Change-Id: I1a63e33e0a7e1f91bdf061dc519f418f7fdfb698
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3799
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/562491
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Sebastien MICHEL authored
Change-Id: I48e1e1dcfbd70e1de8d6e9aeb262594204f86bb7
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3920
Signed-off-by: Sebastien MICHEL <sebastien.michel@intel.com>
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/564092
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Tested-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 19, 2017
-
-
Ben Abdessalem, AmrX authored
Cypress proposed another patch for fixing this issue; to be aligned, we revert so.

This reverts commit 42f53e7b.

Change-Id: Ib7c2b7c12f85fcea34632752584a2d9addf16e4d
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3799
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/562490
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Kai Qiang authored
When the proximity sensor was not well configured the threshold has been lowered to 0x60 in a range of (0x0 -> 0x3ff) measured data. This threshold has to be increased to 0x100 as for some devices (DVT) the reported data for a far distance corresponds to a value near 0xa0.

Change-Id: Id455c1a02ae1c943026a81dd7e9fa7f338c18b8e
Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821
Signed-off-by: Kai Qiang <kaix.qiang@intel.com>
Reviewed-on: https://android.intel.com/563815
Reviewed-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Tested-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Samoun, JacquesX <jacquesx.samoun@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 18, 2017
-
-
Riadh GHADDAB authored
- This patch resolves the false detection issues due to a storm of interrupts coming from the proximity sensor. - It is achieved by changing the comparison logic to detect proximity and by initializing a proximity read on probe and on resume. - A reconfiguration of the device is also added in the resume function. - Change deprecated function __cancel_scheduled_work. Change-Id: I35f881079fadecdc18fcb053247075858301e0e2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821 Signed-off-by:
Riadh GHADDAB <riadhx.ghaddab@intel.com> Reviewed-on: https://android.intel.com/563252 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Rouis, KhalifaX <khalifax.rouis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Bride, Jacques <jacques.bride@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
MorganX Binet authored
bq25898 reboot notifier was not called after a "reboot -p" command because of shutdown called previously by osip reboot notifier. Increasing its priority in order to be called before shutdown. Change-Id: Ia39ae08270df534aad2f1f9b7f08754b623f0039 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2906 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/561366 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Samoun, JacquesX <jacquesx.samoun@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Riadh GHADDAB authored
- This patch corrects some coding style errors in the proximity sensor driver. - It also adds some logs to help debug the driver. Change-Id: I12e81ffdc7c776a4d3fadc908b8e7190fe526efa Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821 Signed-off-by:
Riadh GHADDAB <riadhx.ghaddab@intel.com> Reviewed-on: https://android.intel.com/562776 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Rouis, KhalifaX <khalifax.rouis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 16, 2017
-
-
Peiqian Li authored
This reverts commit 09af6739. With the new HW variant SPL SP3, the coordinate flip is not needed, the fix was verified ok. Change-Id: I7e0e1702956eeb125995d0a482c1fc639ada6bc9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3736 Signed-off-by:
Peiqian Li <peiqianx.li@intel.com> Reviewed-on: https://android.intel.com/561284 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Samoun, JacquesX <jacquesx.samoun@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 13, 2017
-
-
MorganX Binet authored
When VUSB is low (~ 4.5V-4.7V), the charger behaves wrongly (toggling between charging and stop charging). HW team proposes to fix it by setting VINDPM voltage within the charger every minute at a value where VINDPM = VBAT + 400mV. FORCE_VINDPM should be forced to 1. Change-Id: Idfe9c0f39b03ae6e0344d4b4338121d4d27e1bae Tracked-On: https://jira01.devtools.intel.com/browse/AW-3147 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/559234 Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Louis, FabienX authored
This patch fixes an issue introduced by the following commit: fbe2f38d8f6f8c127f93a197a5abe73b45c7393b Change-Id: I9144e991e6370f973c0715abf18b27f37dd1f30e Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-on: https://android.intel.com/561421 Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Jan 12, 2017
-
-
Andrew Wyper authored
Patch to adjust the timer/wakelock delays in the BT LPM driver, improving bt power consumption. Change-Id: I9129f0426571a814d134f11ec4d7923cf28735bf Tracked-On: https://jira01.devtools.intel.com/browse/AW-1701 Signed-off-by:
Andrew Wyper <andrewx.wyper@intel.com> Reviewed-on: https://android.intel.com/562195 Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Tested-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ferraton, Jean RegisX <jean.regisx.ferraton@intel.com> Tested-by:
Ferraton, Jean RegisX <jean.regisx.ferraton@intel.com> Reviewed-by:
Ranquet, Guillaume <guillaume.ranquet@intel.com> Reviewed-by:
Rouis, KhalifaX <khalifax.rouis@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com>
-
- Jan 09, 2017
-
-
Sudhir Kohalli authored
Security vulnerability fix for memory overflow in wifi driver function wl_cfgvendor_rtt_set_config. In the current fix, added a check to validate whether the target_cnt is valid or not; if it is not valid, then parse error. Since target_cnt can be controlled by user netlink input, it needs to be validated at the DHD level. Bug: 32219255 Signed-off-by:
Sudhir Kohalli <sudhir.kohalli@broadcom.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Change-Id: I5cf771c60a6ae8019e5e36571197e2849c572b40 Reviewed-on: https://android.intel.com/560338 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> Reviewed-on: https://android.intel.com/561355
-
Insun Song authored
In case the PCIe bus is already down, we're not supposed to access the BAR0 area for any reason. One instance was seen in test that caused a kernel panic. Removed the disable irq call, which is useless in the bus down case. bug=24739315 Change-Id: I474e08c14c4dec0f4cc4cd207f29fef32e85ead7 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Insun Song <isong@broadcom.com> Reviewed-on: https://android.intel.com/557914 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> Reviewed-on: https://android.intel.com/561346 Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
-
Ram Sripathi authored
handled heap overwrite with checks Bug: 31822524 Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Ram Sripathi <ram.sripathi@broadcom.com> Reviewed-on: https://android.intel.com/557932 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 913ad4e583549da59f22a9cdd23940a4f19caa95) Reviewed-on: https://android.intel.com/561352 Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
-
Daniel Rosenberg authored
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle. This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this. Bug: 31568617 Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/559452 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 95c4eb4bf983f8f07032b0b3ace5e069a8f6cd0b) Reviewed-on: https://android.intel.com/561360
-
Insun Song authored
1. added limit check for GSCAN-PNO max channel bucket 2. added length check in each NL TLV parsing and error handling Bug: 32174590 Signed-off-by:
Insun Song <insun.song@broadcom.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Change-Id: Ic946bfa3b3ab6b2b201043371c27ee7dbedb7e75 Reviewed-on: https://android.intel.com/557933 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 881b7c86f2f2101c8d0e16fdb674bdea1a536f71) Reviewed-on: https://android.intel.com/561354
-
Siqi Lin authored
snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int. Bug: 32510733 Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Siqi Lin <siqilin@google.com> Reviewed-on: https://android.intel.com/557913 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 3bd177598e6dc9c2de2bdec1a2156e6985d635f2) Reviewed-on: https://android.intel.com/561345 Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
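The truncation described in the snd_info_entry_write() commit message above, modelled in user space as an added example (not code from the commit or the kernel). The names info_buf, resize_u32, write_narrow, write_checked and the max_len cap are assumptions made for illustration, and the checked variant is one defensive shape, not necessarily the change the commit made.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the text buffer behind snd_info_entry_write(). */
typedef struct { char *data; uint64_t len; } info_buf;

/* Pre-fix shape: the size parameter is 32 bits wide, so a 64-bit value
 * passed by the caller is reduced modulo 2^32 before it gets here. */
static int resize_u32(info_buf *b, uint32_t nr_bytes) {
    char *p = realloc(b->data, nr_bytes ? nr_bytes : 1);
    if (!p) return -1;
    b->data = p;
    b->len = nr_bytes;
    return 0;
}

/* Returns 1 if a copy of count bytes at pos stays inside the buffer after
 * the resize, 0 if it would land out of bounds, -1 on allocation failure. */
static int write_narrow(info_buf *b, uint64_t pos, uint64_t count) {
    uint64_t next = pos + count;              /* unsigned long on LP64 */
    if (next > b->len && resize_u32(b, (uint32_t)next) != 0)
        return -1;
    return next <= b->len;                    /* the buggy path copies regardless */
}

/* Hardened shape: reject wrap-around and oversize requests before resizing.
 * max_len is a hypothetical policy cap, not a value from the commit. */
static int write_checked(info_buf *b, uint64_t pos, uint64_t count, uint64_t max_len) {
    if (count > UINT64_MAX - pos) return -1;  /* pos + count would wrap */
    uint64_t next = pos + count;
    if (next > max_len) return -1;
    if (next > b->len) {
        char *p = realloc(b->data, (size_t)next);
        if (!p) return -1;
        b->data = p;
        b->len = next;
    }
    return next <= b->len;
}

int main(void) {
    info_buf a = {0}, b = {0};
    uint64_t pos = (uint64_t)1 << 32;         /* constructed offset just past UINT_MAX */
    int narrow = write_narrow(&a, pos, 16);
    printf("narrow:  %d (buffer is %llu bytes)\n", narrow, (unsigned long long)a.len);
    printf("checked: %d\n", write_checked(&b, pos, 16, 1 << 20));
    free(a.data);
    free(b.data);
    return 0;
}
```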
-
John Dias authored
When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug). Bug: 32402548 Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
John Dias <joaodias@google.com> Reviewed-on: https://android.intel.com/557910 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 3e282bd5c341fd0c58641de9824f847211809f5c) Reviewed-on: https://android.intel.com/561344 Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
-
David Howells authored
This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout rendered as weeks:

    (gdb) p 0xffffffffffffffffULL/(60*60*24*7)
    $2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not enabled because on a 32-bit machine the buffer won't be overflowed and on a 64-bit machine there's a 64-bit aligned pointer at one side and an int that isn't checked again on the other side.

The panic incurred looks something like:

    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
    CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
     0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
     ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
     ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
    Call Trace:
     [<ffffffff813d941f>] dump_stack+0x63/0x84
     [<ffffffff811b2cb6>] panic+0xde/0x22a
     [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
     [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
     [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
     [<ffffffff81350410>] ? key_validate+0x50/0x50
     [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
     [<ffffffff8126b31c>] seq_read+0x2cc/0x390
     [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
     [<ffffffff81244fc7>] __vfs_read+0x37/0x150
     [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
     [<ffffffff81246156>] vfs_read+0x96/0x130
     [<ffffffff81247635>] SyS_read+0x55/0xc0
     [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Change-Id: Idb71b0d6658bf9eb6d9deaaec735b851a48782cc Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Reported-by:
Ondrej Kozina <okozina@redhat.com> Signed-off-by:
David Howells <dhowells@redhat.com> Tested-by:
Ondrej Kozina <okozina@redhat.com> cc: stable@vger.kernel.org Signed-off-by:
James Morris <james.l.morris@oracle.com> Reviewed-on: https://android.intel.com/557907 Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> (cherry picked from commit 05b7089b241d3fd71eb8a61a323443ef4380907e) Reviewed-on: https://android.intel.com/561343 Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
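The buffer sizing argument from the CVE-2016-7042 commit message above, worked through as an added example (not code from the commit or the kernel). The function names and the seconds/minutes/hours/days steps are assumptions made for illustration; the message itself only mentions the weeks case.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define WEEK (60 * 60 * 24 * 7)

/* Render a timeout in seconds as a number plus one unit letter, using the
 * largest unit that applies. Bounded by len; returns the number of chars
 * the full text needs, excluding the NUL (snprintf semantics). */
static int render_timeout(char *buf, size_t len, uint64_t timo) {
    static const struct { uint64_t limit, div; char unit; } steps[] = {
        { 60,           1,            's' },
        { 60 * 60,      60,           'm' },
        { 60 * 60 * 24, 60 * 60,      'h' },
        { WEEK,         60 * 60 * 24, 'd' },
    };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++)
        if (timo < steps[i].limit)
            return snprintf(buf, len, "%" PRIu64 "%c",
                            timo / steps[i].div, steps[i].unit);
    return snprintf(buf, len, "%" PRIu64 "w", timo / WEEK);
}

/* Bytes a buffer must have, NUL included, to hold the rendering of timo. */
static size_t bytes_needed(uint64_t timo) {
    return (size_t)render_timeout(NULL, 0, timo) + 1;
}

/* Non-zero if a buffer of buf_size bytes holds the rendering untruncated. */
static int fits(size_t buf_size, uint64_t timo) {
    return bytes_needed(timo) <= buf_size;
}

int main(void) {
    char xbuf[16];
    render_timeout(xbuf, sizeof xbuf, UINT64_MAX);
    printf("64-bit max: \"%s\" needs %zu bytes\n", xbuf, bytes_needed(UINT64_MAX));
    printf("32-bit max needs %zu bytes\n", bytes_needed(UINT32_MAX));
    printf("fits in 12: %d, fits in 16: %d\n",
           fits(12, UINT64_MAX), fits(16, UINT64_MAX));
    return 0;
}
```

The unit letter is why 16 bytes is exactly enough: 14 digits, one letter and the NUL.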
-