From a7fd5812f90fcb5d8314f09966f326da54d4a301 Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Fri, 19 Feb 2021 23:35:25 +0530
Subject: [PATCH 1/4] msm: kgsl: Access map_count only if entry is successfully allocated
In kgsl_mem_entry_create, access map_count only if entry is allocated successfully to avoid invalid access.
Change-Id: I57bce1aec2da6a27b6d13dbee96ed86a45c9660c
Signed-off-by: Deepak Kumar
---
 drivers/gpu/msm/kgsl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 3a84ce41d788..c9e853007c86 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -263,9 +263,9 @@ kgsl_mem_entry_create(void) kref_init(&entry->refcount); /* put this ref in userspace memory alloc and map ioctls */ kref_get(&entry->refcount); + atomic_set(&entry->map_count, 0); } - atomic_set(&entry->map_count, 0); return entry; } #ifdef CONFIG_DMA_SHARED_BUFFER
From 60dc8c0a099cf2bb0f681c49a6d4785ce46fa5f0 Mon Sep 17 00:00:00 2001
From: Sharath Chandra Vurukala
Date: Fri, 4 Sep 2020 20:20:25 +0530
Subject: [PATCH 2/4] net:sockev: hold file reference till the sock event is sent
hold file reference till the sock event is sent.
Change-Id: I14d581f210c86e5771bec22a9aca7c78630e9ac1
Signed-off-by: Sharath Chandra Vurukala
---
 net/socket.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/socket.c b/net/socket.c
index f16035c7ad33..4fac892daba9 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1426,9 +1426,10 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen) (struct sockaddr *) &address, addrlen); } - fput_light(sock->file, fput_needed); if (!err) sockev_notify(SOCKEV_BIND, sock); + + fput_light(sock->file, fput_needed); } return err; }
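Review bot: The new ordering in the bind hunk — `sockev_notify(SOCKEV_BIND, sock)` now runs before `fput_light(sock->file, fput_needed)` — carries no comment saying the order is load-bearing, so a later cleanup could swap the two calls back. If fput_light() drops the last reference to the file, `sock` can presumably be released while sockev_notify() is still dereferencing it, which looks like the bug this commit fixes; a one-line comment above the notify call, `/* the file reference must outlive sockev_notify(): sock may go away once it is dropped */`, would record that. The same point applies to the listen hunk at @@ -1455. The enclosing bind() body begins outside the hunk.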
@@ -1455,9 +1456,10 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog) if (!err) err = sock->ops->listen(sock, backlog); - fput_light(sock->file, fput_needed); if (!err) sockev_notify(SOCKEV_LISTEN, sock); + + fput_light(sock->file, fput_needed); } return err; }
From ddc41aeaf8432ac2f419ad43d13cb5c5a86b1d6a Mon Sep 17 00:00:00 2001
From: Monika Singh
Date: Mon, 1 Feb 2021 17:02:57 +0530
Subject: [PATCH 3/4] crypto: Fix possible stack out-of-bound error
Adding fix to check the upper limit on the length of the destination array while copying elements from source address to avoid stack out of bound error.
Change-Id: I39d5768fa97f9d269cfb101a389bb771d13c7538
Signed-off-by: Monika Singh
---
 drivers/crypto/msm/qce50.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
index cf539f1107dc..3215b9543ff4 100644
--- a/drivers/crypto/msm/qce50.c
+++ b/drivers/crypto/msm/qce50.c
@@ -1,7 +1,7 @@
 /*
 * QTI Crypto Engine driver.
 *
- * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -870,6 +870,11 @@ static int _ce_setup_cipher(struct qce_device *pce_dev, struct qce_req *creq,
 break;
 case CIPHER_ALG_3DES:
 if (creq->mode != QCE_MODE_ECB) {
+ if (ivsize > MAX_IV_LENGTH) {
+ pr_err("%s: error: Invalid length parameter\n",
+ __func__);
+ return -EINVAL;
+ }
 _byte_stream_to_net_words(enciv32, creq->iv, ivsize);
 pce = cmdlistinfo->encr_cntr_iv;
 pce->data = enciv32[0];
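Review bot: The added `if (ivsize > MAX_IV_LENGTH)` check in the @@ -870 hunk bounds the byte count handed to `_byte_stream_to_net_words(enciv32, creq->iv, ivsize)`, but the destination `enciv32` is declared outside the hunk, so the check is only sufficient if `sizeof(enciv32) >= MAX_IV_LENGTH`, which nothing visible here establishes. Pinning that relation next to the check, `BUILD_BUG_ON(sizeof(enciv32) < MAX_IV_LENGTH);`, or comparing against `sizeof(enciv32)` directly, would keep the guard correct if either definition changes. The identical five-line block is repeated in the hunk at @@ -918; both paths validate the same `ivsize` against the same `creq->iv`, so a single check before the switch would remove the duplication, though the function's structure between the hunks is not visible. The error message would also be more useful if it reported the rejected ivsize rather than only "Invalid length parameter".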
@@ -918,6 +923,11 @@ static int _ce_setup_cipher(struct qce_device *pce_dev, struct qce_req *creq, } } if (creq->mode != QCE_MODE_ECB) { + if (ivsize > MAX_IV_LENGTH) { + pr_err("%s: error: Invalid length parameter\n", + __func__); + return -EINVAL; + } if (creq->mode == QCE_MODE_XTS) _byte_stream_swap_to_net_words(enciv32, creq->iv, ivsize);
From c86a1b0afc95080103764aebc6069cd768c89e82 Mon Sep 17 00:00:00 2001
From: Jeya R
Date: Thu, 18 Mar 2021 14:04:49 +0530
Subject: [PATCH 4/4] msm: adsprpc: overflow vulnerability by race condition in adsprpc driver
Create local copy of current->comm to avoid the possibility of modification in race condition.
Change-Id: Ie10f6577ed7edb9279a36039348e7a1ad25239f9
Acked-by: Nishant Chaubey
Signed-off-by: Jeya R
---
 drivers/char/adsprpc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 51fb97074556..debb82d9ca4f 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -3604,22 +3604,26 @@ static int fastrpc_set_process_info(struct fastrpc_file *fl) { int err = 0, buf_size = 0; char strpid[PID_SIZE]; + char cur_comm[TASK_COMM_LEN]; + memcpy(cur_comm, current->comm, TASK_COMM_LEN); + cur_comm[TASK_COMM_LEN-1] = '\0'; fl->tgid = current->tgid; snprintf(strpid, PID_SIZE, "%d", current->pid); - buf_size = strlen(current->comm) + strlen("_") + strlen(strpid) + 1; + buf_size = strlen(cur_comm) + strlen("_") + strlen(strpid) + 1; fl->debug_buf = kzalloc(buf_size, GFP_KERNEL); if (!fl->debug_buf) { err = -ENOMEM; return err; } - snprintf(fl->debug_buf, UL_SIZE, "%.10s%s%d", - current->comm, "_", current->pid); + snprintf(fl->debug_buf, buf_size, "%.10s%s%d", + cur_comm, "_", current->pid); fl->debugfs_file = debugfs_create_file(fl->debug_buf, 0644, debugfs_root, fl, &debugfs_fops); if (!fl->debugfs_file) pr_warn("Error: %s: %s: failed to create debugfs file %s\n", - current->comm, __func__, fl->debug_buf); + cur_comm, __func__, fl->debug_buf); + return err; }
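Review bot: The two added lines `memcpy(cur_comm, current->comm, TASK_COMM_LEN); cur_comm[TASK_COMM_LEN-1] = '\0';` take the snapshot without the task lock, so a concurrent comm update can still interleave with the copy; the result is now bounded and NUL-terminated, which is what removes the overflow, but it may contain a mix of the old and new name. The kernel's `get_task_comm(cur_comm, current);` does the copy under task_lock() (and, in newer kernels, checks the buffer size at compile time), so it can replace both lines. Separately, the format `"%.10s%s%d"` writes at most 10 characters of cur_comm while `buf_size` is computed from its full length, so the allocation can exceed what is written and two processes whose names share a 10-character prefix get the same debugfs name; if the truncation is intended, a short comment saying so, or applying the same limit when computing buf_size, would keep the two in step. The function's signature appears only in the hunk header, so the declaration of `err` and `buf_size` is the first line visible here.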