Px 0.2 #14
Open
seavnc wants to merge 570 commits into px-0.1 from px-0.2
Conversation
strict type and event data length check Required FW for bcm4339 >= 6.37.32.RC23.34.43 BUG=26492805 Change-Id: I70cefc1228ebe7c92a206154bfce9d240257b246 Signed-off-by: Jerry Lee <[email protected]>
Fix to prevent an untrusted userspace pointer in the actuator kernel driver from leading to DoS. Bug: 28768281 Change-Id: I1b64270deb494530d268539e7b420be5ec79b658 Signed-off-by: Vasko Kalanoski <[email protected]> Signed-off-by: Siqi Lin <[email protected]>
Data passed in from userspace should be validated to be within the appropriate ranges. Bug: 28769221 Change-Id: I50ff818a2b03c1fff55f44403f0f1b67c26d9f0e Signed-off-by: Terence Hampson <[email protected]> Signed-off-by: Siqi Lin <[email protected]>
I2C command length is 11 bytes; it includes 10 bytes of data and 1 byte of WR command. Use an 11-byte char array to create the command. Bug: 28770207 Signed-off-by: Rajesh Bondugula <[email protected]> Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
Currently the buffer is unmapped if the iommu is attached. This can lead to potential unmap issues if wrong addresses are sent and an unmap is attempted without a prior mapping. Hence ensure unmap is done only when the buffer is mapped. Bug: 28815158 Change-Id: I6d7f1eb1e951cd314a4c3c35551c87930af5118e Signed-off-by: Jayant Shekhar <[email protected]> Signed-off-by: Siqi Lin <[email protected]>
In mmc_block_test, the debug_fs based read function handlers write to an arbitrary buffer which is given by any user. We add an access_ok check to verify that the address pointed by *buffer is not in kernel space. Only if the buffer is valid, do we continue the read handler. Bug: 28769208 Change-Id: I35fe9bb70df8de92cb4d3b15c851aa9131a0e8d9 Signed-off-by: Lee Susman <[email protected]>
DMA mapping permissions were being derived from pgprot_kernel directly without using PAGE_KERNEL. This causes them to be marked with executable permission, which is not what we want. Fix this. Bug: 28803642 Change-Id: Ib40f59f3c569f82409943cf8f9a86a9869d922cc Signed-off-by: Russell King <[email protected]> Git-commit: 0ea1ec713f04bdfac343c9702b21cd3a7c711826 Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git [[email protected]: dropped functions not in older builds] Signed-off-by: Laura Abbott <[email protected]>
memset() the structure ethtool_wolinfo that has padded bytes but the padded bytes have not been zeroed out. Bug: 28803952 Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe Signed-off-by: Avijit Kanti Das <[email protected]>
struct media_link_desc is copy_to_user'ed as the return value of MEDIA_IOC_ENUM_LINKS. When copying, the driver is omitting to initialise the reserved fields. This commit fixes that by initialising the reserved fields to 0. Bug: 28750150 CRs-Fixed: 570757 Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1 Signed-off-by: Deva Ramasubramanian <[email protected]> Signed-off-by: Siqi Lin <[email protected]>
Add more reliable size check for gamut LUTs to prevent potential security issues such as information leak. Bug: 28747914 Change-Id: I32be41a2612a100b9ba6167737c2f8778f720fa2 Signed-off-by: Ping Li <[email protected]> Signed-off-by: Siqi Lin <[email protected]>
Check for invalid parameters passed in user invocation and validate the return values using appropriate macros. Bug: 28767593 Change-Id: I4a937427a7cbf242f935f4514a1fceef446da803 Signed-off-by: Yuan Lin <[email protected]>
Upper and lower bound checks are enforced for num_cid which is passed from userspace with lower as 1 and max of 16. Bug: 28747684 Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954 Signed-off-by: Hariram Purushothaman <[email protected]>
At a certain point in the diag driver there can be an integer underflow, which can lead to a memory leak. Bound checks are placed to ensure correct behavior of the condition statements. Bug: 28768146 Change-Id: I9133e6622def3f09ac7ac6a5a3273158831a0446 Signed-off-by: Katish Paran <[email protected]> Signed-off-by: Yuan Lin <[email protected]>
At a certain point in the diag driver there can be an integer overflow, which can lead to a memory leak. Added a safeguard for it. Bug: 28769912 Change-Id: I0be399c45f9cec9ebbc7f0730d8aa6e89be8d1eb Signed-off-by: Katish Paran <[email protected]> Signed-off-by: Yuan Lin <[email protected]>
The value csi_lane_mask, which is uint16_t, is controllable from userspace. The while loop can loop 2^16 - 1 times; hence extract the required bit combination from the userspace argument and use it for further processing. Bug: 28749721 CRs-Fixed: 511976 Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a Signed-off-by: Lakshmi Narayana Kalavala <[email protected]>
The CPP frame message is used to send all frame data to the microcontroller. It is sent every frame. The CPP kernel driver has to add information to it before transferring it. The message has to be validated before manipulation. If it is not valid, the message and corresponding frame are discarded. Bug: 28803645 Change-Id: Ieb3aee7e8dfdfd08211fbef0c226de1788a58729
Add a check for the stats index MAX using MSM_ISP_STATS_MAX before accessing stream info using that index to avoid any invalid memory access. Bug: 28749728 Change-Id: I02b5907c593516803a5287374823af6a2ddd6764
The index of the used stats register is derived from the least significant byte of a stream handle and thus can be up to 255. However, there are at most 8 stats registers depending on the target. Thus a bound check is done before use of the received stats register index value. Bug: 28749728 Change-Id: Icf48eb4def8d9961d5f5268b24de55b8bb8f1d51
and bound check for msm_isp_set_src_state Bug: 28749803 Change-Id: I57cf4b7f38024ca431c97577fafb96b8848dd5ed
Diag driver holds on to the socket process task structure even after signaling the process to exit. This patch clears the internal handle after signaling. bug: 28803962 Change-Id: I642fb595fc2caebc6f2f5419efed4fb560e4e4db Signed-off-by: Ravi Aravamudhan <[email protected]>
Added a bounds check on user input num_streams at several locations; without the check, a position outside the array could be dereferenced. Bug: 28749629 Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96 Signed-off-by: Jim Rasche <[email protected]>
Some security vulnerabilities were found. To fix them, additional verifications of some input parameters are required. bug: 28814690 CRs-Fixed: 554575, 554560, 555030 Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020 Signed-off-by: Baruch Eruchimovitch <[email protected]>
The null pointer check is required to ensure that userspace data in kernel space is not null. Change-Id: I9e522c393ae643626a4bae03731a73f5d6db6458 CRs-Fixed: 563752 Bug: 28769856 Signed-off-by: Mohammad Johny Shaik <[email protected]> Signed-off-by: Mekala Natarajan <[email protected]>
This change adds a boundary check before copying data from the userspace buffer to the ehci local buffer. The third parameter passed to copy_from_user() should be the minimum of the two values, the userspace buffer size count and (local_buffer size - 1). The last byte in local_buffer should be reserved for the null terminator. CRs-Fixed: 547910 Bug: 28803909 Change-Id: Id3c5432aa3fae3ce9759056b5481b9f516df7764 Signed-off-by: Saket Saurabh <[email protected]> Signed-off-by: Mekala Natarajan <[email protected]>
Add format specifier in snprintf to avoid security vulnerability issues. Bug: 28769959 Change-Id: I6ea67633348341267e0646912a6b428709410c78 Signed-off-by: Dipen Parmar <[email protected]> Signed-off-by: Mekala Natarajan <[email protected]>
ION memory is used for user space to kernel space data passing. This is directly accessible in kernel. But, if the IOCTL is called from user space without using User space library, then data might be pointing to some other memory location, in which case, it would not be possible to dereference this location in kernel & hence it would be accessing invalid memory. Bug: 28749283 Change-Id: Ic50c76ee8b2a696dbb786fce3a68cdc782e15268 Signed-off-by: Hariprasad Dhalinarasimha <[email protected]>
snd_compr_tstamp is initialized using aggregate initialization that does not zero out the padded bytes. Initialize timestamp structure to zero using memset to avoid this. Bug: 28770164 CRs-Fixed: 568717 Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d Signed-off-by: Krishnankutty Kolathappilly <[email protected]>
At a certain point in the diag driver there can be an integer underflow, which can lead to a memory leak. Added a safeguard for that. Bug: 28750726 Change-Id: I01d2c16dad4d1e02abc07ba796814a610262ddef Signed-off-by: Yuan Lin <[email protected]>
…h and fork Since commit 6a1c531 the user writeable TLS register was zeroed to prevent it from being used as a covert channel between two tasks. There are more and more applications coming to Windows RT, Wine could support them, but mostly they expect to have the thread environment block (TEB) in TPIDRURW. This patch preserves that register per thread instead of clearing it. Unlike the TPIDRURO, which is already switched, the TPIDRURW can be updated from userspace so needs careful treatment in the case that we modify TPIDRURW and call fork(). To avoid this we must always read TPIDRURW in copy_thread. Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066 Signed-off-by: André Hentschel <[email protected]> Signed-off-by: Will Deacon <[email protected]> Signed-off-by: Jonathan Austin <[email protected]> Signed-off-by: Russell King <[email protected]> Git-commit: a4780adeefd042482f624f5e0d577bf9cdcbb760 Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git [[email protected]: fixed merge conflict] CRs-fixed: 561044 Signed-off-by: Joonwoo Park <[email protected]> Bug: 28749743
Add check in order to fix possible integer underflow during HDLC encoding which may lead to buffer overflow. Also added check for packet length to avoid buffer overflow. Bug: 28767796 Change-Id: Ifbac719a7db73aab121cb00c2090edf1bf1094bb Signed-off-by: Yuan Lin <[email protected]>
A slave timer instance might still be accessible in a racy way while operating the master instance, as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds a spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by the syzkaller fuzzer, and this hopefully fixes these issues. Change-Id: I33fa2a4b75289557e27eb327d08be5965c1b0161 Reported-by: Dmitry Vyukov <[email protected]> Cc: <[email protected]> Signed-off-by: Takashi Iwai <[email protected]>
hrtimer_cancel() waits for the completion of the callback, thus it must not be called inside the callback itself. This was already a problem in the past with the ALSA hrtimer driver, and the early commit [fcfdebe: ALSA: hrtimer - Fix lock-up] tried to address it. However, the previous fix is still insufficient: it may still cause a lockup when the ALSA timer instance reprograms itself in its callback. Then it invokes the start function even in snd_timer_interrupt(), which is called in the hrtimer callback itself, resulting in a CPU stall. This is no hypothetical problem but actually triggered by the syzkaller fuzzer. This patch tries to fix the issue again. Now we call hrtimer_try_to_cancel() at both start and stop functions so that it won't fall into a deadlock, yet giving some chance to cancel the queue if the functions have been called outside the callback. The proper hrtimer_cancel() is called anyway at closing, so this should be enough. Change-Id: Ib40a56bd05122f2f6e9b3e4872a3a1f5c1e285ab Reported-and-tested-by: Dmitry Vyukov <[email protected]> Cc: <[email protected]> Signed-off-by: Takashi Iwai <[email protected]>
commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream. An attack using the lack of sanity checking in probe is known. This patch checks for the existence of a second port. CVE-2016-3136 Change-Id: Id34312cb6a67acceef6e323f68a7019fa320ba47 Signed-off-by: Oliver Neukum <[email protected]> [johan: add error message ] Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [bwh: Backported to 3.2: put the check in mct_u232_startup(), which already has a 'serial' variable] Signed-off-by: Ben Hutchings <[email protected]>
commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream. An attack using missing endpoints exists. CVE-2016-3137 Change-Id: I1f379d6f99a37e2da084e8aa4042ca260c187e73 Signed-off-by: Oliver Neukum <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Ben Hutchings <[email protected]>
commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream. The driver can be crashed with devices that expose crafted descriptors with too few endpoints. See: http://seclists.org/bugtraq/2016/Mar/61 Change-Id: Ie5213e429874d2dbaefdde4c51c9aa3aa48ef8ce Signed-off-by: Oliver Neukum <[email protected]> [johan: fix OOB endpoint check and add error messages ] Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <[email protected]>
commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream. The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87 Change-Id: I217381be9effd7aba4e481332020732b2b6f16a6 Reported-by: Ralf Spenneberg <[email protected]> Signed-off-by: Josh Boyer <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Ben Hutchings <[email protected]>
commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream. Make sure to check for the required interrupt-in endpoint to avoid dereferencing a NULL-pointer should a malicious device lack such an endpoint. Note that a fairly recent change purported to fix this issue, but added an insufficient test on the number of endpoints only, a test which can now be removed. Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors") Fixes: 946b960 ("USB: add driver for iowarrior devices.") Change-Id: Ica55241dca314561282c0e1f9b91f96a5aaaf145 Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <[email protected]>
commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream. Attacks that trick drivers into passing a NULL pointer to usb_driver_claim_interface() using forged descriptors are known. This thwarts them by sanity checking. Change-Id: I33d19cd77b0976513f9cfa9190fed9f856d87f23 Signed-off-by: Oliver Neukum <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <[email protected]>
commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream. An attack has become available which pretends to be a quirky device circumventing normal sanity checks and crashes the kernel by an insufficient number of interfaces. This patch adds a check to the code path for quirky devices. Change-Id: Ibe4f5425138b4ac8d00c3d37b02355d56072b13c Signed-off-by: Oliver Neukum <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Ben Hutchings <[email protected]>
commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream. The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them. The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85 Change-Id: I6e2dd2e8e350cb142691e8e5f09b421a014083b2 Reported-by: Ralf Spenneberg <[email protected]> Signed-off-by: Josh Boyer <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]> Signed-off-by: Ben Hutchings <[email protected]>
…criptor commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream. The ati_remote2 driver expects at least two interfaces with one endpoint each. If given malicious descriptors that specify one interface or no endpoints, it will crash in the probe function. Ensure there are at least two interfaces and one endpoint for each interface before using it. The full disclosure: http://seclists.org/bugtraq/2016/Mar/90 Change-Id: I4b4c2b41514b5680e6bfcd98cf9b4610a1ebe0e2 Reported-by: Ralf Spenneberg <[email protected]> Signed-off-by: Vladis Dronov <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]> Signed-off-by: Ben Hutchings <[email protected]>
commit 162f98dea487206d9ab79fc12ed64700667a894d upstream. The gtco driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. Also let's fix a minor coding style issue. The full correct report of this issue can be found in the public Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283385 Change-Id: I0e058c7d60b60b4134638de367b11a2bd8718b46 Reported-by: Ralf Spenneberg <[email protected]> Signed-off-by: Vladis Dronov <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <[email protected]>
As mentioned in commit 52ee2df ("pids: refactor vnr/nr_ns helpers to make them safe"), *_nr_ns helpers used to be buggy. The commit addresses most of the helpers but is missing task_tgid_xxx(). Without this protection there is a possible use after free reported by a kasan instrumented kernel:
==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4
By accessing group_leader while holding rcu_lock and using the now safe helpers introduced in the commit mentioned, this race condition is addressed. Signed-off-by: Adrian Salido <[email protected]> Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b Bug: 31495866
Bug: 32838767 Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29 Signed-off-by: Greg Hackmann <[email protected]>
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl freed the entry for the new TA, but didn't remove it from qseecom_registered_app_list. Make a change to remove it. Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d Signed-off-by: Zhen Kong <[email protected]> Signed-off-by: Mallikarjuna Reddy Amireddy <[email protected]>
[ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ] The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allows far too big offset and length values for the search of the netlink attribute. The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend and subtrahend mixed up, therefore calculates a huge length value, allowing to overrun the end of the message while looking for the netlink attribute. The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3.
,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
| ld #0x87654321
| ldx #42
| ld #nla
| ret a
`---
,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
| ld #0x87654321
| ldx #42
| ld #nlan
| ret a
`---
,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
| ; (needs a fake netlink header at offset 0)
| ld #0
| ldx #42
| ld #nlan
| ret a
`---
Fix the first issue by ensuring the message length fulfills the minimal size constraints of a nla header. Fix the second bug by getting the math for the remainder calculation right. Fixes: 4738c1d ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") Fixes: d214c75 ("filter: add SKF_AD_NLATTR_NEST to look for nested..") Change-Id: Ib8217101425294b8b0ab9c0324920bdca40d54a2 Cc: Patrick McHardy <[email protected]> Cc: Pablo Neira Ayuso <[email protected]> Signed-off-by: Mathias Krause <[email protected]> Acked-by: Daniel Borkmann <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with an overflowing index range is created, that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with an overflowing index range can not be created. Change-Id: Ifb05099b00c268cc40e1abdaa11af1934b5dd8b2 Signed-off-by: Lars-Peter Clausen <[email protected]> Acked-by: Jaroslav Kysela <[email protected]> Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 upstream. Symlink reading code does not check whether the resulting path fits into the page provided by the generic code. This isn't as easy as just checking the symlink size because of various encoding conversions we perform on path. So we have to check whether there is still enough space in the buffer on the fly. Change-Id: Ia5cd079f983e29c3975e86c3fc64e209b4797e0e Reported-by: Carl Henrik Lunde <[email protected]> Signed-off-by: Jan Kara <[email protected]> [lizf: Backported to 3.4: udf_get_filename() is called in do_udf_readdir()] Signed-off-by: Zefan Li <[email protected]>
Before writing to a userspace address, verification of the validity of user space address is required. Change-Id: I9141e44a6c11aaf3f4d57c08bb0dd26a7b214f34 CRs-fixed: 556356 Signed-off-by: Deepak Verma <[email protected]>
Add a simple read-only counter to super_block that indicates how deep this is in the stack of filesystems. Previously ecryptfs was the only stackable filesystem and it explicitly disallowed multiple layers of itself. Overlayfs, however, can be stacked recursively and also may be stacked on top of ecryptfs or vice versa. To limit the kernel stack usage we must limit the depth of the filesystem stack. Initially the limit is set to 2. Signed-off-by: Miklos Szeredi <[email protected]> (cherry picked from commit 69c433ed2ecd2d3264efd7afec4439524b319121) Bug: 32761463 Change-Id: I69b2fba2112db2ece09a1bf61a44f8fc4db00820
"file" can be already freed if bprm->file is NULL after search_binary_handler() returns. binfmt_script will do exactly that, for example. If the VM reuses the file after fput run(), this will result in a use after free. So obtain d_is_su before search_binary_handler() runs. This should explain this crash:
[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681 Signed-off-by: Kevin F. Haggerty <[email protected]>
WEXT API was already obsoleted and should be removed. Bug: 34199963 Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f Signed-off-by: Insun Song <[email protected]> Bug: 32124445
Bug: 31906415 Bug: 31906657 Bug: 32553868 Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57 Signed-off-by: Nick Desaulniers <[email protected]>
Bug: 31498403 Change-Id: Ie16da820fbbc1cc5815ef9e5a2566107d666a1bb
Check for integer overflow before multiplying the struct size. If that happens, it should return immediately. In addition, if the param length is greater than the MAX size from the spec, better return an error. CRs-fixed: 605273 Change-Id: Iaad5f6059f02db4899f2f1762891711b2be3d15b Signed-off-by: Fred Oh <[email protected]>
The params array is used without initialization, which may cause security issues. Initialize it as all zero after the definition. bug: 30902162 Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf Signed-off-by: vivek mehta <[email protected]>
Initialize param length with user space argument and check the condition for maximum length in SND_AUDIOCODEC_EAC3 format. BUG 28868303 Change-Id: Id395e4e26fecd4001711acce112cdeaae791e594 Signed-off-by: vivek mehta <[email protected]>
Currently lsm client data is deallocated when q6lsm_open() fails, which can cause memory corruption if the lsm client data is accessed after being freed. Fix this issue by deallocating the client data only in msm_lsm_close(). Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3 Signed-off-by: Vidyakumar Athota <[email protected]> mh0rst: Backport, fixes CVE-2015-8951
No description provided.