Permalink
Commits on Apr 6, 2018
  1. iovec: make sure the caller actually wants anything in memcpy_fromiov…

    Paul Lawrence authored and mdmower committed Oct 18, 2017
    …ecend
    
    Based on upstream change 06ebb06d49486676272a3c030bfeef4bd969a8e6
    
    One more instance when the caller requests 0 bytes instead of running
    off and dereferencing potentially invalid iovecs.
    
    Signed-off-by: Paul Lawrence <paullawrence@google.com>
    Bug: 36279469
    Change-Id: Ib8d529e17c07c77357ab70bd6a2d7e305d6b27f0
Commits on Jan 20, 2018
  1. ak8789: Make the hall sensor generate SW_LID on flip cover events

    crpalmer authored and mdmower committed Apr 3, 2016
    * Read the switch state immediately after probe
    
    Change-Id: I4ba07900beb9a9cdefae57280b089a96c6796d89
Commits on Jan 19, 2018
  1. ASoC: wcd9xxx: restrict debugfs permission

    Karthikeyan Mani authored and mdmower committed Oct 2, 2017
    Remove read permission for debugfs reg dump node
    for group and users to not allow reading of wcd9xxx
    registers.
    
    CRs-fixed: 2113240
    Bug: 62464339
    Change-Id: I73a22e140446828e694fdc95fde7ac4e051c9548
    Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
  2. msm: mt2: Regenerate defconfig

    mdmower committed Jan 19, 2018
    Change-Id: Ia7bf354dffc81ff989c0bc808ca56b1a6d4f137b
  3. clocksource: arch_timer: make virtual counter access configurable

    greghackmann authored and mdmower committed Sep 19, 2017
    Bug: 68266545
    Change-Id: Ibdb1fd768b748002b90bfc165612c12c8311f8a2
  4. staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl

    ViktorSlavkovic authored and mdmower committed Oct 2, 2017
    A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
    race condition when mmap is called. After the !asma->file check, before
    setting asma->size, asma->file can be set in mmap. That would result in
    having different asma->size than the mapped memory size. Combined with
    ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
    corruption.
    
    Bug: 66954097
    Signed-off-by: Viktor Slavkovic <viktors@google.com>
    Change-Id: Ia52312a75ade30bc94be6b94420f17f34e0c1f86
  5. crypto: algif_skcipher - Load TX SG list after waiting

    herbertx authored and mdmower committed Jan 18, 2016
    commit 4f0414e54e4d1893c6f08260693f8ef84c929293 upstream.
    
    We need to load the TX SG list in sendmsg(2) after waiting for
    incoming data, not before.
    
    [connoro@google.com: backport to 3.18, where the relevant logic is
    located in skcipher_recvmsg() rather than skcipher_recvmsg_sync()]
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Connor O'Brien <connoro@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commits on Jan 4, 2018
  1. ipsec: Fix aborted xfrm policy dump crash

    bwhacks authored and mdmower committed Dec 9, 2017
    commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
    
    This is a fix for CVE-2017-16939 suitable for older stable branches.
    The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2,
    from which the following explanation is taken:
    
        An independent security researcher, Mohamed Ghannam, has reported
        this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
        program.
    
        The xfrm_dump_policy_done function expects xfrm_dump_policy to
        have been called at least once or it will crash.  This can be
        triggered if a dump fails because the target socket's receive
        buffer is full.
    
    It was not possible to define a 'start' callback for netlink dumps
    until Linux 4.5, so instead add a check for the initialisation flag in
    the 'done' callback.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  2. mac80211: use constant time comparison with keys

    zx2c4 authored and mdmower committed Oct 17, 2017
    Otherwise we risk leaking information via timing side channel.
    
    Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  3. mac80211: accept key reinstall without changing anything

    jmberg authored and mdmower committed Sep 5, 2017
    When a key is reinstalled we can reset the replay counters
    etc. which can lead to nonce reuse and/or replay detection
    being impossible, breaking security properties, as described
    in the "KRACK attacks".
    
    In particular, CVE-2017-13080 applies to GTK rekeying that
    happened in firmware while the host is in D3, with the second
    part of the attack being done after the host wakes up. In
    this case, the wpa_supplicant mitigation isn't sufficient
    since wpa_supplicant doesn't know the GTK material.
    
    In case this happens, simply silently accept the new key
    coming from userspace but don't take any action on it since
    it's the same key; this keeps the PN replay counters intact.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Commits on Dec 14, 2017
  1. BACKPORT: dentry name snapshots

    Al Viro authored and mdmower committed Jul 7, 2017
    commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream.
    
    take_dentry_name_snapshot() takes a safe snapshot of dentry name;
    if the name is a short one, it gets copied into caller-supplied
    structure, otherwise an extra reference to external name is grabbed
    (those are never modified).  In either case the pointer to stable
    string is stored into the same structure.
    
    dentry must be held by the caller of take_dentry_name_snapshot(),
    but may be freely dropped afterwards - the snapshot will stay
    until destroyed by release_dentry_name_snapshot().
    
    Intended use:
    	struct name_snapshot s;
    
    	take_dentry_name_snapshot(&s, dentry);
    	...
    	access s.name
    	...
    	release_dentry_name_snapshot(&s);
    
    Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name
    to pass down with event.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [carnil: backport 4.9: adjust context]
    [bwh: Backported to 3.16:
     - External names are not ref-counted, so copy them
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    [ghackmann@google.com: backported to 3.10: adjust context]
    Signed-off-by: Greg Hackmann <ghackmann@google.com>
    
    Change-Id: I612e687cbffa1a03107331a6b3f00911ffbebd8e
    Bug: 63689921
  2. Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealin…

    Al Viro authored and mdmower committed Dec 19, 2014
    …g with l2cap socket
    
    ... rather than relying on ciptool(8) never passing it anything else.  Give
    it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
    trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
    
    Bug: 33982955
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Change-Id: I078260c1b5be6a96b54c265da0236bf84842e450
  3. Bluetooth: bnep: bnep_add_connection() should verify that it's dealin…

    Al Viro authored and mdmower committed Sep 29, 2017
    …g with l2cap socket
    
    same story as cmtp
    
    Bug: 33982955
    Change-Id: I60ce3e3b5a5a0e41ddaec155a0c6a46307eedeb7
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  4. Bluetooth: hidp: verify l2cap sockets

    dvdhrm authored and mdmower committed Apr 5, 2013
    We need to verify that the given sockets actually are l2cap sockets. If
    they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
    start the session if the offsets turn out to be valid local BT addresses.
    
    That is, if someone passes a TCP socket to HIDCONNADD, then we access some
    random offset in the TCP socket (which isn't even guaranteed to be valid).
    
    Fix this by checking that the socket is an l2cap socket.
    
    Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
  5. msm: mt2: Regenerate defconfig

    mdmower committed Dec 14, 2017
    Change-Id: Ic9452f59c90376ed85c7e1b47d76883af5ab4a38
  6. msm: gud: Remove gud driver

    Trudy Shearer authored and mdmower committed May 18, 2017
    Complete removal of gud mobicore driver.
    The driver author delivers an updated version of this driver to
    interested parties directly rendering this version obsolete.
    
    Bug: 65468975
    Change-Id: I40498d3203b1d6ca04f2b5a2e65461851d84d2d4
    Acked-by: Tony Hamilton <tonyh@qti.qualcomm.com>
    Signed-off-by: Trudy Shearer <tshearer@codeaurora.org>
    Signed-off-by: Siqi Lin <siqilin@google.com>
  7. msm: Disable 'reboot edl' interface

    mdmower committed Dec 14, 2017
    Based on:
      angler: remove 'reboot edl' interface for security.
      Wei Li <sirius.liwei@huawei.com>
      Change-Id: If6cb5ce50524d34b30f09a22eeb76d2cd3a0e834
    
    Change-Id: I5e01937b8b38db84799df939ec30a46714e262f7
  8. ANDROID: scsi: Add segment checking in sg_read

    Roberto Pereira authored and mdmower committed Oct 11, 2017
    Bug: 65023233
    Signed-off-by: Roberto Pereira <rpere@google.com>
    Change-Id: Ib45f402cf304f9b8bf18884738f92b9c3db55573
  9. ANDROID: usb: gadget: f_mtp: Return error if count is negative

    Jerry Zhang authored and mdmower committed Sep 26, 2017
    If the user passes in a negative file size in a int64,
    this will compare to be smaller than buffer length,
    and it will get truncated to form a read length that
    is larger than the buffer length.
    
    To fix, return -EINVAL if the count argument is negative,
    so the loop will never happen.
    
    Bug: 37429972
    Test: Test with PoC
    Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
    Signed-off-by: Jerry Zhang <zhangjerry@google.com>
  10. msm: kgsl: Protect the event->handle with spinlock

    Sunil Khatri authored and mdmower committed Aug 9, 2017
    event->handle pointer can be used after free due to
    the race condition between kgsl_sync_callback and
    kgsl_sync_fence_async_cancel.
    
    Protect the event->handle with a spinlock to
    avoid concurrent access issues.
    
    Bug: 62949902
    Change-Id: I3719e401af9ece82ac68b72f2aef784c7fdc1104
    Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
  11. msm_fb: display: Enable display debugging through mdp debugfs

    Naseer Ahmed authored and mdmower committed Mar 16, 2016
    Change the config from DEBUG_FS to MDP_DEBUG_FS to dump and
    write the MDP, MDDI and HDMI debug registers. By default
    CONFIG_MDP_DEBUG_FS should be disabled and can be enabled
    through defconfig file.
    
    Change-Id: I2ed8dcc30b19a80912734ec13f24a67351c38315
    Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
    Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
    BUG=26404525
Commits on Nov 13, 2017
  1. net: socket: fix recvmmsg not returning error from sock_error

    Maxime Jayat authored and mdmower committed Feb 21, 2017
    commit e623a9e9dec29ae811d11f83d0074ba254aba374 upstream.
    
    Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
    changed the exit path of recvmmsg to always return the datagrams
    variable and modified the error paths to set the variable to the error
    code returned by recvmsg if necessary.
    
    However in the case sock_error returned an error, the error code was
    then ignored, and recvmmsg returned 0.
    
    Change the error path of recvmmsg to correctly return the error code
    of sock_error.
    
    The bug was triggered by using recvmmsg on a CAN interface which was
    not up. Linux 4.6 and later return 0 in this case while earlier
    releases returned -ENETDOWN.
    
    Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
    Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
Commits on Nov 11, 2017
  1. msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG

    Haibin Liu authored and mdmower committed Aug 9, 2017
    Issue:
    the invalid slave_info is used by msm_sensor_driver_probe.
    This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.
    
    Fix:
    1) avoid the same msm_sd_subdev added into the ordered_sd_list.
    2) enlarge the buffer size for i2c addr and data.
    
    Bug: 36492827
    Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
    Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
  2. cfg80211: Check if PMKID attribute is of expected size

    Srinivas Dasari authored and mdmower committed Jul 6, 2017
    nla policy checks for only maximum length of the attribute data
    when the attribute type is NLA_BINARY. If userspace sends less
    data than specified, the wireless drivers may access illegal
    memory. When type is NLA_UNSPEC, nla policy check ensures that
    userspace sends minimum specified length number of bytes.
    
    Remove type assignment to NLA_BINARY from nla_policy of
    NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
    WLAN_PMKID_LEN bytes are received from userspace with
    NL80211_ATTR_PMKID.
    
    Fixes: 67fbb16 ("nl80211: PMKSA caching support")
    Cc: stable@vger.kernel.org
    Bug: 36818836
    Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
    Git-commit: 9361df14d1cbf966409d5d6f48bb334384fbe138
    Change-Id: I5feb729a9ef48f67c4ee460e7e133d5fc8cecd4f
    CRs-Fixed: 2061676
    Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
  3. cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

    Srinivas Dasari authored and mdmower committed Jul 6, 2017
    Buffer overread may happen as nl80211_set_station() reads 4 bytes
    from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
    validating the size of data received when userspace sends less
    than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
    Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
    the buffer overread.
    
    Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
    Cc: stable@vger.kernel.org
    Bug: 36819059
    Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
    Git-commit: 8feb69c7bd89513be80eb19198d48f154b254021
    Change-Id: Ie20993309501fd242782311b9fe787931f716116
    CRs-Fixed: 2055013
    Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
  4. SoC: msm: audio-effects: return directly to avoid integer overflow

    Weiyin Jiang authored and mdmower committed Jul 28, 2017
    Return error code directly to avoid further integer overflow leading
    to buffer overflow.
    
    Bug: 62952032
    Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b
    CRs-Fixed: 2077909
    Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
    Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
  5. prima: Add check for set_ft_ies buffer length

    Nishank Aggarwal authored and mdmower committed Jun 27, 2017
    qcacld-2.0 to prima propagation
    
    Add check for buffer length in function sme_set_ft_ies.
    
    Bug: 64431968
    
    Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
    CRs-Fixed: 2070583
    Signed-off-by: Ecco Park <eccopark@google.com>
Commits on Nov 10, 2017
  1. net: usb: rmnet_usb_ctrl:Make sure list_head operate atomically

    Liangliang Lu authored and mdmower committed May 5, 2017
    Get and delete operation on variables "list_elem" are not atomic.
    Multiple threads may get the same "list_elem", may lead to race
    conditions.
    
    Add mutex in rmnet_ctl_open to resolve current potential race condition
    between test_bit and set_bit.
    
    Bug: 64441352
    Change-Id: I00c4e2fd4854ee17a13a0757da98c46a78eee4cb
    Signed-off-by: Liangliang Lu <luliang@codeaurora.org>
Commits on Nov 9, 2017
  1. prima: Add bound check before writing to channel list

    Srinivas Girigowda authored and mdmower committed Aug 21, 2017
    qcacld-2.0 to prima propagation
    
    In function rrm_process_beacon_report_req, add bound check before
    writing to channel list which is of fixed size.
    
    Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
    CRs-Fixed: 2060138
    Bug: 64438727
    Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
  2. prima: Skip an IE if found more its max times in a frame

    Sridhar Selvaraj authored and mdmower committed Jun 30, 2017
    Check if a IE has been encountered more than max possible for that IE
    while parsing a frame.
    
    Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
    CRs-Fixed: 2069927
  3. ANDROID: input: keychord: fix race condition bug

    jianqiangzhao authored and mdmower committed Mar 6, 2017
    Change-Id: I9c7c759c99e21cad9a7f9a09128122bf6ae11302
    Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
    Bug: 36006779
  4. ALSA: pcm: prevent UAF in snd_pcm_info

    Robb Glasser authored and mdmower committed Aug 11, 2017
    When the device descriptor is closed, the `substream->runtime` pointer
    is freed. But another thread may be in the ioctl handler, case
    SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
    calls snd_pcm_info() which accesses the now freed `substream->runtime`.
    
    Bug: 36006981
    Signed-off-by: Robb Glasser <rglasser@google.com>
    Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
    Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a
Commits on Oct 29, 2017
  1. msm: ispif: Remove handling of SD_SHUTDOWN

    Ranjith Kagathi Ananda authored and mdmower committed Sep 4, 2015
    Remove handling of SD_SHUTDOWN to avoid multiple release.
    
    Bug: 31243641
    
    Change-Id: I09db8adb766d2e7889443f779a716aaa2f6c09d1
    Signed-off-by: Harsh Shah <harshs@codeaurora.org>
    Signed-off-by: Ranjith Kagathi Ananda <ranjith@codeaurora.org>
  2. usb: diag: prevent showing the address of kernel variable 'port'

    jiayy authored and mdmower committed Sep 14, 2016
    The format specifier %p can leak kernel address while not valuing the kptr_strict system settings.
    The fix is designed to use %pK instead of %p, which also evaluates whether kptr_restrict is set.
    
    Signed-off-by: chengengjia <chengjia4574@gmail.com>
    Test: compile
    Bug: 31496950
    Change-Id: Ib93c0defdd68f4afe46b5a818ce4d1a2b850cf46
  3. binder: blacklist %p kptr_restrict

    nickdesaulniers authored and mdmower committed Feb 16, 2017
    Bug: 31495231
    Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd
    Git-repo: https://android.googlesource.com/kernel/msm
    Git-commit: 0804d7840364fc1a93652632bd43a93c055c658e
    Signed-off-by: Rahul Sharma <sharah@codeaurora.org>