Commits on Oct 5, 2017
  1. msm: sps: Fix race condition in SPS debugfs APIs

    Siva Kumar Akkireddi authored and Sean McCreary committed May 11, 2017
    SPS debugfs APIs can be called concurrently which can result
    in dangling pointer access. This change synchronizes access
    to the SPS debugfs buffer.
    
    Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
    Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
    (cherry picked from commit de875dd095d3ec0906c77518d28f793e6c69a9da)
Commits on Oct 2, 2017
  1. prima: Drop assoc request if RSNIE/WPAIE parsing fail

    Kapil Gupta authored and Sean McCreary committed May 16, 2017
    Add changes to drop the assoc request and return an error if RSNIE or
    WPAIE parsing fails during parsing of the assoc request.
    
    CRs-Fixed: 2046578
    Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
    (cherry picked from commit aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3)
Commits on Sep 26, 2017
  1. net: wireless: bcmdhd: remove unused WEXT file.

    Insun Song authored and Sean McCreary committed Jan 4, 2017
    WEXT API was already obsoleted and should be removed.
    
    Bug: 34199963
    Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
    Signed-off-by: Insun Song <insun.song@broadcom.com>
    Bug: 32124445
    (cherry picked from commit 9c5e11d)
Commits on Sep 14, 2017
  1. Bluetooth: Properly check L2CAP config option output buffer length

    Ben Seri authored and Sean McCreary committed Sep 9, 2017
    Validate the output buffer length for L2CAP config requests and responses
    to avoid overflowing the stack buffer used for building the option blocks.
    
    Change-Id: I7a0ff0b9dd0156c0e6383214a9c86e4ec4c0d236
    Cc: stable@vger.kernel.org
    Signed-off-by: Ben Seri <ben@armis.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    CVE-2017-1000251
    Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Commits on Sep 11, 2017
  1. ashmem: remove cache maintenance support

    Dennis Cagle authored and Sean McCreary committed May 4, 2017
    The cache maintenance routines in ashmem were causing
    several security issues. Since they are not being used
    anymore by any drivers, it's well to remove them entirely.
    
    Bug: 34126808
    Bug: 34173755
    Bug: 34203176
    CRs-Fixed: 1107034, 2001129, 2007786
    Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
    Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
    Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
    (cherry picked from commit e7f623aa1b8ba3b843c70eeae99aae95bddfe03d)
  2. fs/exec: fix use after free in execve

    aagit authored and Sean McCreary committed Jul 25, 2017
    "file" can already be freed if bprm->file is NULL after
    search_binary_handler() returns. binfmt_script will do exactly that for
    example. If the VM reuses the file after fput() runs, this will result in
    a use after free.
    
    So obtain d_is_su before search_binary_handler() runs.
    
    This should explain this crash:
    
    [25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
    [..]
    [25333.009918] [2:             am:21861] PC is at do_execve+0x354/0x474
    
    Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
    Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Commits on Sep 9, 2017
  1. IKHSS7-18791 msm:fix the list usage in msm_bus_dbg

    Lianwei Wang authored and Sean McCreary committed Mar 29, 2012
    The list usage in the msm_bus_dbg driver is not correct, which will cause
    a kernel panic.
      . The list operation should be protected by a lock, e.g. mutex_lock.
      . The list entry should only be operated on a valid entry.
    
    Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc
    Signed-off-by: Lianwei Wang <lian-wei.wang@motorola.com>
    Reviewed-on: http://gerrit.pcs.mot.com/384275
    Reviewed-by: Guo-Jian Chen <A21757@motorola.com>
    Reviewed-by: Ke Lv <a2435c@motorola.com>
    Tested-by: Jira Key <JIRAKEY@motorola.com>
    Reviewed-by: Jeffrey Carlyle <jeff.carlyle@motorola.com>
    Reviewed-by: Check Patch <CHEKPACH@motorola.com>
    Reviewed-by: Klocwork kwcheck <klocwork-kwcheck@sourceforge.mot.com>
    Reviewed-by: Tao Hu <taohu@motorola.com>
    (cherry picked from commit d109d8d7e2998a635406215a559e298fa7ef4bb8)
Commits on Sep 5, 2017
  1. msm: camera: Allow driver file to be opened only once.

    Trishansh Bhardwaj authored and Sean McCreary committed Apr 7, 2017
    Use proper synchronization to ensure driver file is opened
    only once.
    
    CRs-Fixed: 2023513
    Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
    Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
    (cherry picked from commit 84f8c42e5d848b1d04f49d253f98296e8c2280b9)
  2. ASoC: msm: qdsp6v2: extend validation of virtual address

    Siena Richard authored and Sean McCreary committed Jan 11, 2017
    Validate a buffer virtual address is fully within the region before
    returning the region to ensure functionality for an extended edge
    case.
    
    Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
    Signed-off-by: Siena Richard <sienar@codeaurora.org>
    CRs-fixed: 1108461
    (cherry picked from commit 208e72e59c8411e75d4118b48648a5b7d42b1682)
  3. ASoC: msm: remove unused msm-compr-q6-v2

    Xiaojun Sang authored and Sean McCreary committed Apr 27, 2017
    msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.
    
    CRs-Fixed: 2022953
    Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
    Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
    (cherry picked from commit dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b)
  4. mm: Fix incorrect type conversion for size during dma allocation

    Rohit Vaswani authored and Sean McCreary committed Sep 18, 2015
    This was found during a userspace fuzzing test when a large size
    allocation is made from ion.
    
    [<ffffffc00008a098>] show_stack+0x10/0x1c
    [<ffffffc00119c390>] dump_stack+0x74/0xc8
    [<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
    [<ffffffc00020dbd4>] kasan_report+0x34/0x40
    [<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
    [<ffffffc00020d228>] memset+0x20/0x44
    [<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
    [<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
    [<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
    [<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
    [<ffffffc000c250dc>] ion_alloc+0x264/0xb88
    [<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
    [<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
    [<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
    
    Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
    Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
    (cherry picked from commit 1f8f9b5)
  5. ipx: call ipxitf_put() in ioctl error path

    Dan Carpenter authored and Sean McCreary committed May 2, 2017
    We should call ipxitf_put() if the copy_to_user() fails.
    
    Reported-by: 李强 <liqiang6-s@360.cn>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Change-Id: Ib541c679cc5f4242713eb035aed458043b8ce97e
    (cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Commits on Aug 8, 2017
  1. f2fs: sanity check checkpoint segno and blkoff

    Jin Qian authored and Sean McCreary committed May 15, 2017
    Make sure segno and blkoff read from raw image are valid.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jin Qian <jinqian@google.com>
    [Jaegeuk Kim: adjust minor coding style]
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    
    Change-Id: Ie2505c071233c1a9dec2729fe1ad467689a1b7a2
    (cherry picked from commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a)
  2. f2fs: sanity check segment count

    Jin Qian authored and Sean McCreary committed Apr 25, 2017
    F2FS uses 4 bytes to represent block address. As a result, supported
    size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
    
    Signed-off-by: Jin Qian <jinqian@google.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    
    Change-Id: I16b3cd6279bff1a221781a80b9b34744c9e7098f
    (cherry picked from commit b9dd46188edc2f0d1f37328637860bb65a771124)
  3. timerfd: Protect the might cancel mechanism proper

    Thomas Gleixner authored and Sean McCreary committed Jan 31, 2017
    The handling of the might_cancel queueing is not properly protected, so
    parallel operations on the file descriptor can race with each other and
    lead to list corruptions or use after free.
    
    Protect the context for these operations with a separate lock.
    
    The wait queue lock cannot be reused for this because that would create a
    lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
    atomic (atomic_t or atomic bit) does not help either because it still can
    race vs. the actual list operation.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: "linux-fsdevel@vger.kernel.org"
    Cc: syzkaller <syzkaller@googlegroups.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: linux-fsdevel@vger.kernel.org
    Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    
    Change-Id: I1f2d38a919ceb1ca1c7c9471dece0c1126383912
    (cherry picked from commit 1e38da300e1e395a15048b0af1e5305bd91402f6)
  4. sg_start_req(): make sure that there's not too many elements in iovec

    Al Viro authored and Sean McCreary committed Mar 22, 2015
    Unfortunately, allowing an arbitrary 16-bit value means a possibility of
    overflow in the calculation of the total number of pages in bio_map_user_iov() -
    we rely on there being no more than PAGE_SIZE members of the sum in the
    first loop there.  If that sum wraps around, we end up allocating
    too small an array of pointers to pages and it's easy to overflow it in
    the second loop.
    
    X-Coverup: TINC (and there's no lumber cartel either)
    Cc: stable@vger.kernel.org # way, way back
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Change-Id: I9d8176f3db43bf94e2c48dfd2f4094dfc7c72e90
    (cherry picked from commit 451a2886b6bf90e2fb378f7c46c655450fb96e81)
    (with trivial backport from http://seclists.org/oss-sec/2015/q3/271)
Commits on Jul 17, 2017
  1. ipv4: keep skb->dst around in presence of IP options

    Eric Dumazet authored and Sean McCreary committed Feb 4, 2017
    Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
    is accessed.
    
    ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
    are present.
    
    We could refine the test to the presence of ts_needtime or srr,
    but IP options are not often used, so let's be conservative.
    
    Thanks to syzkaller team for finding this bug.
    
    Fixes: d826eb1 ("ipv4: PKTINFO doesnt need dst reference")
    Change-Id: I4684e44431021585a6b967feb1cba2ded8c5bddc
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. ALSA: timer: Fix race between read and ioctl

    tiwai authored and Sean McCreary committed Jun 2, 2017
    A read from the ALSA timer device, the function snd_timer_user_tread(),
    may access uninitialized struct snd_timer_user fields when the
    read is performed concurrently while an ioctl like
    snd_timer_user_tselect() is invoked.  We have already fixed the races
    among ioctls via a mutex, but we seem to have forgotten the race
    between read vs ioctl.
    
    This patch simply applies (more exactly extends the already applied
    range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
    race window.
    
    Change-Id: I3b539d6e01d86d5b9cbe813e2616894e6202225f
    Reported-by: Alexander Potapenko <glider@google.com>
    Tested-by: Alexander Potapenko <glider@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  3. ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT

    tiwai authored and Sean McCreary committed Jun 2, 2017
    snd_timer_user_tselect() reallocates the queue buffer dynamically, but
    it forgot to reset its indices.  Since the read may happen
    concurrently with ioctl and snd_timer_user_tselect() allocates the
    buffer via kmalloc(), this may lead to the leak of uninitialized
    kernel-space data, as spotted via KMSAN:
    
      BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
      CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16
       dump_stack+0x143/0x1b0 lib/dump_stack.c:52
       kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
       kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
       copy_to_user ./arch/x86/include/asm/uaccess.h:725
       snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
       do_loop_readv_writev fs/read_write.c:716
       __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
       do_readv_writev fs/read_write.c:894
       vfs_readv fs/read_write.c:908
       do_readv+0x52a/0x5d0 fs/read_write.c:934
       SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
       SyS_readv+0x87/0xb0 fs/read_write.c:1018
    
    This patch adds the missing reset of queue indices.  Together with the
    previous fix for the ioctl/read race, we cover the whole problem.
    
    Change-Id: I5143563a56255d4063992e75f360972658b3eb21
    Reported-by: Alexander Potapenko <glider@google.com>
    Tested-by: Alexander Potapenko <glider@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  4. hid: usbhid: Changes to prevent buffer overflow

    Sriharsha Allenki authored and Sean McCreary committed Dec 22, 2016
    Moved some value checks to the right positions to prevent
    a buffer overflow, which may have been possible before. Previously
    these value checks were in an else statement which may
    not be executed.
    
    Change-Id: I02dbecd074183581a6bdae6377097bc004bd3d3c
    CRs-fixed: 1102936
    Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Commits on Jul 9, 2017
  1. udf: Check path length when reading symlink

    jankara authored and Flex1911 committed Dec 18, 2014
    Symlink reading code does not check whether the resulting path fits into
    the page provided by the generic code. This isn't as easy as just
    checking the symlink size because of the various encoding conversions we
    perform on the path. So we have to check whether there is still enough space
    in the buffer on the fly.
    
    Change-Id: Id56d129029eaf2e651cf7236103fb73aa540ae1f
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>
  2. USB: iowarrior: fix NULL-deref at probe

    jhovold authored and Flex1911 committed Mar 7, 2017
    Make sure to check for the required interrupt-in endpoint to avoid
    dereferencing a NULL-pointer should a malicious device lack such an
    endpoint.
    
    Note that a fairly recent change purported to fix this issue, but added
    an insufficient test on the number of endpoints only, a test which can
    now be removed.
    
    Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
    Fixes: 946b960 ("USB: add driver for iowarrior devices.")
    Change-Id: If94c965de37c95d8dd4f111d6ab03c72822fd328
    Cc: stable <stable@vger.kernel.org>	# 2.6.21
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. USB: iowarrior: fix oops with malicious USB descriptors

    Josh Boyer authored and Flex1911 committed Mar 14, 2016
    The iowarrior driver expects at least one valid endpoint.  If given
    malicious descriptors that specify 0 for the number of endpoints,
    it will crash in the probe function.  Ensure there is at least
    one endpoint on the interface before using it.
    
    The full report of this issue can be found here:
    http://seclists.org/bugtraq/2016/Mar/87
    
    Change-Id: I78dfd62f4d0a77d8145dfba5c479e6ac766374cc
    Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. Input: gtco - fix crash on detecting device without endpoints

    nefigtut authored and Flex1911 committed Mar 31, 2016
    The gtco driver expects at least one valid endpoint. If given malicious
    descriptors that specify 0 for the number of endpoints, it will crash in
    the probe function. Ensure there is at least one endpoint on the interface
    before using it.
    
    Also let's fix a minor coding style issue.
    
    The full correct report of this issue can be found in the public
    Red Hat Bugzilla:
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1283385
    
    Change-Id: Ie90df605d0412aa31fa57047edc0dd59bc3f136b
    Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
    Signed-off-by: Vladis Dronov <vdronov@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
  5. Input: powermate - fix oops with malicious USB descriptors

    Josh Boyer authored and Flex1911 committed Mar 14, 2016
    The powermate driver expects at least one valid USB endpoint in its
    probe function.  If given malicious descriptors that specify 0 for
    the number of endpoints, it will crash.  Validate the number of
    endpoints on the interface before using them.
    
    The full report for this issue can be found here:
    http://seclists.org/bugtraq/2016/Mar/85
    
    Change-Id: I8c78d5e01fca172d438c3d782c75b865a116d516
    Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
  6. Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

    nefigtut authored and Flex1911 committed Mar 23, 2016
    The ati_remote2 driver expects at least two interfaces with one
    endpoint each. If given malicious descriptors that specify one
    interface or no endpoints, it will crash in the probe function.
    Ensure there are at least two interfaces and one endpoint for each
    interface before using it.
    
    The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
    
    Change-Id: Ibf24e78c84f06ab92198ebff76df8655363a45b2
    Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
    Signed-off-by: Vladis Dronov <vdronov@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Commits on Jul 4, 2017
  1. lockdep: Silence warning if CONFIG_LOCKDEP isn't set

    pebolle authored and Flex1911 committed Jan 24, 2013
    commit 5cd3f5a upstream.
    
    Since commit c9a4962 ("nfsd:
    make client_lock per net") compiling nfs4state.o without
    CONFIG_LOCKDEP set, triggers this GCC warning:
    
        fs/nfsd/nfs4state.c: In function ‘free_client’:
        fs/nfsd/nfs4state.c:1051:19: warning: unused variable ‘nn’ [-Wunused-variable]
    
    The cause of that warning is that lockdep_assert_held() compiles
    away if CONFIG_LOCKDEP is not set. Silence this warning by using
    the argument to lockdep_assert_held() as a nop if CONFIG_LOCKDEP
    is not set.
    
    Change-Id: Id12b4476ab4fe06ab61f1144367d1193777817fb
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: J. Bruce Fields <bfields@redhat.com>
    Link: http://lkml.kernel.org/r/1359060797.1325.33.camel@x61.thuisdomein
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  2. mm: Tighten x86 /dev/mem with zeroing reads

    kees authored and Flex1911 committed Apr 5, 2017
    Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
    disallowed. However, on x86, the first 1MB was always allowed for BIOS
    and similar things, regardless of it actually being System RAM. It was
    possible for heap to end up getting allocated in low 1MB RAM, and then
    read by things like x86info or dd, which would trip hardened usercopy:
    
    usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
    
    This changes the x86 exception for the low 1MB by reading back zeros for
    System RAM areas instead of blindly allowing them. More work is needed to
    extend this to mmap, but currently mmap doesn't go through usercopy, so
    hardened usercopy won't Oops the kernel.
    
    Change-Id: I27594af6146e7643217e3babcfd088592b7dbd4b
    Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
    Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
  3. mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

    salls authored and Flex1911 committed Apr 8, 2017
    In the case that compat_get_bitmap fails we do not want to copy the
    bitmap to the user as it will contain uninitialized stack data and leak
    sensitive data.
    
    Change-Id: Ia02cc50f336357469af11d8b3135e48be294f7e0
    Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  4. net/packet: fix overflow in check for tp_frame_nr

    xairy authored and Flex1911 committed Mar 29, 2017
    When calculating rb->frames_per_block * req->tp_block_nr the result
    can overflow.
    
    Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
    
    Since frames_per_block <= tp_block_size, the expression would
    never overflow.
    
    Change-Id: I3598423e621275aa1d890b80bcf9018929087d90
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
  5. net/packet: fix overflow in check for tp_reserve

    xairy authored and Flex1911 committed Mar 29, 2017
    When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
    
    Fix by checking that tp_reserve <= INT_MAX on assign.
    
    Change-Id: I6a4ea0cbe87cfd3db0979896c9bf9b3c626ec1d6
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
Commits on Jul 3, 2017
  1. KEYS: Change the name of the dead type to ".dead" to prevent user access

    dhowells authored and Flex1911 committed Apr 18, 2017
    commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream.
    
    This fixes CVE-2017-6951.
    
    Userspace should not be able to do things with the "dead" key type as it
    doesn't have some of the helper functions set upon it that the kernel
    needs.  Attempting to use it may cause the kernel to crash.
    
    Fix this by changing the name of the type to ".dead" so that it's rejected
    up front on userspace syscalls by key_get_type_from_user().
    
    Though this doesn't seem to affect recent kernels, it does affect older
    ones, certainly those prior to:
    
    	commit c06cfb0
    	Author: David Howells <dhowells@redhat.com>
    	Date:   Tue Sep 16 17:36:06 2014 +0100
    	KEYS: Remove key_type::match in favour of overriding default by match_preparse
    
    which went in before 3.18-rc1.
    
    Change-Id: Ie5b45fceec53036f21c37ee6e1c151f1b1227584
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. packet: fix races in fanout_add()

    Eric Dumazet authored and Flex1911 committed Feb 14, 2017
    Multiple threads can call fanout_add() at the same time.
    
    We need to grab fanout_mutex earlier to avoid races that could
    lead to one thread freeing po->rollover that was set by another thread.
    
    Do the same in fanout_release(), for peace of mind, and to help us
    find lockdep issues earlier.
    
    Fixes: dc99f60 ("packet: Add fanout support.")
    Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
    Change-Id: Ic6b803a8c631e0f305a636c129ddb122d1958f88
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  3. irda: Fix lockdep annotations in hashbin_delete().

    davem330 authored and Flex1911 committed Feb 17, 2017
    A nested lock depth was added to the hashbin_delete() code but it
    doesn't actually work so well and results in tons of lockdep splats.
    
    Fix the code instead to properly drop the lock around the operation
    and just keep peeking the head of the hashbin queue.
    
    Change-Id: Id4984e9a2ed3f5289da26ffe48d1b638ed1883b6
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  4. selinux: fix off-by-one in setprocattr

    stephensmalley authored and Flex1911 committed Jan 31, 2017
    commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream.
    
    SELinux tries to support setting/clearing of /proc/pid/attr attributes
    from the shell by ignoring terminating newlines and treating an
    attribute value that begins with a NUL or newline as an attempt to
    clear the attribute.  However, the test for clearing attributes has
    always been wrong; it has an off-by-one error, and this could further
    lead to reading past the end of the allocated buffer since commit
    bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
    switch to memdup_user()").  Fix the off-by-one error.
    
    Even with this fix, setting and clearing /proc/pid/attr attributes
    from the shell is not straightforward since the interface does not
    support multiple write() calls (so shells that write the value and
    newline separately will set and then immediately clear the attribute,
    requiring use of echo -n to set the attribute), whereas trying to use
    echo -n "" to clear the attribute causes the shell to skip the
    write() call altogether since POSIX says that a zero-length write
    causes no side effects. Thus, one must use echo -n to set and echo
    without -n to clear, as in the following example:
    $ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
    $ cat /proc/$$/attr/fscreate
    unconfined_u:object_r:user_home_t:s0
    $ echo "" > /proc/$$/attr/fscreate
    $ cat /proc/$$/attr/fscreate
    
    Note the use of /proc/$$ rather than /proc/self, as otherwise
    the cat command will read its own attribute value, not that of the shell.
    
    There are no users of this facility to my knowledge; possibly we
    should just get rid of it.
    
    UPDATE: Upon further investigation it appears that a local process
    with the process:setfscreate permission can cause a kernel panic as a
    result of this bug.  This patch fixes CVE-2017-2618.
    
    Change-Id: I646d6db150ae470b25cade2d8442199fb133f8dc
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    [PM: added the update about CVE-2017-2618 to the commit description]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Willy Tarreau <w@1wt.eu>