Commit graph

306943 commits

Author SHA1 Message Date
Jeff Vander Stoep
91d62042a8 ANDROID: restrict access to perf events
Add:
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y

to android-base.cfg

The kernel.perf_event_paranoid sysctl is set to 3 by default.
No unprivileged use of the perf_event_open syscall will be
permitted unless it is changed.

Bug: 29054680
Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
2016-06-20 19:00:39 +00:00
Jeff Vander Stoep
6301d0d07c FROMLIST: security,perf: Allow further restriction of perf_event_open
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

https://lkml.org/lkml/2016/1/11/587

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
2016-06-20 19:00:29 +00:00
Ben Hutchings
c38786a0e5 BACKPORT: perf tools: Document the perf sysctls
perf_event_paranoid was only documented in source code and a perf error
message.  Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.

BACKPORT notes:
The error printing from upstream does not exist in the 3.4 kernel.
Only backporting the documentation update from this commit.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Bug: 29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
2016-06-20 18:45:46 +00:00
Kangjie Lu
96981f7736 UPSTREAM: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Bug: 28980217
Change-Id: Iff69ca708e0022ce9301efae798798b9bfcf9e25
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
2016-06-20 17:07:50 +00:00
Kangjie Lu
4cb76bd7b2 UPSTREAM: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Bug: 28980217
Change-Id: I2bef279bbaa1f20ea831d364b3a4a09a27f07025
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
2016-06-20 17:07:36 +00:00
Kangjie Lu
4bf9389bcf UPSTREAM: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Bug: 28980557
Change-Id: Ib66cfcc1e36025255d7f518f3df2c39a21858886
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e)
2016-06-20 17:06:02 +00:00
Takashi Iwai
fdc6183ddd UPSTREAM: ALSA: timer: Fix race among timer ioctls
ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object.  A simplistic fix is to make
each ioctl exclusive.  We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency.  But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.

Bug: 28694392
Change-Id: I1ac52f1cba5e7408fd88c8fc1c30ca2e83967ebb
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit af368027a49a751d6ff4ee9e3f9961f35bb4fede)
2016-06-20 16:44:15 +00:00
Eric Dumazet
d5127daf88 ipv6: add complete rcu protection around np->opt
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program demonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np->opt

BUG: 28746669

Change-Id: I207da29ac48bb6dd7c40d65f9e27c4e3ff508da0
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Pierre Imai <imaipi@google.com>
2016-06-17 02:54:32 +00:00
Oliver Neukum
f426a67d6a BACKPORT: usbnet: cleanup after bind() in probe()
Bug: 28744625

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)

Change-Id: Id1708db3833ade7f1406b941f0bc20671c9c3b3b
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-06-15 10:29:17 -07:00
Thierry Strudel
cd169f77b4 flo_defconfig: disable CONFIG_OABI_COMPAT
Bug: 28522518
Change-Id: I11ec8e02bdb330c10f06e923c1c3d45a145ced15
Signed-off-by: Thierry Strudel <tstrudel@google.com>
2016-06-15 06:30:01 +00:00
Al Viro
b1d288e247 net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Bug: 28759139
Change-Id: I561a14b514d714838ef539a94275b117d7f475f4
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-06-15 06:22:38 +00:00
kangjie
beeda1afc1 fix infoleak in rtnetlink
the stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”

Bug: 28620102

Change-Id: I13da380c6fe8abca49e3cf9f05293c02b44d2e5e
Signed-off-by: kangjie <kangjielu@gmail.com>
2016-06-15 06:22:23 +00:00
Kangjie Lu
17b1ccf822 USB: usbfs: fix potential infoleak in devio
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.

Bug: 28619695
Change-Id: I170754d659d0891c075f85211b5e3970b114f097
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-06-15 06:10:35 +00:00
Sunil Khatri
93c8c4ae98 msm: kgsl: Defer adding the mem entry to a process
If we add the mem entry pointer in the process idr and rb tree
too early, other threads can do operations on the entry by
guessing the ID or GPU address before the object gets returned
by the creating operation.

Allocate an ID for the object but don't assign the pointer until
right before the creating function returns ensuring that another
operation can't access it until it is ready.

Bug: 28026365
CRs-Fixed: 1002974
Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Santhosh Punugu <spunug@codeaurora.org>
2016-06-13 15:49:37 -07:00
Patrick Tjin
ea1be87b37 Merge branch 'android-msm-flo-3.4-mnc-mr1-security-next' into android-msm-flo-3.4-mnc-mr1
Merge security-next into mnc-mr1 @ 75dfdc8 for August 2016.1
2016-06-09 14:50:21 -07:00
Mohamad Ayyash
1fc765b172 Don't show empty tag stats for unprivileged uids
BUG: 27577101
BUG: 27532522
Change-Id: I890831a72e5ad4485fdf30e51a146712b18052ed
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Signed-off-by: Patrick Tjin <pattjin@google.com>
2016-06-08 11:29:32 -07:00
Gilad Avidov
75dfdc8ac1 Subject: qseecom: Add checks for user space buffer pointers
Validate pointers sent from user space and pointers
embedded within the message sent from user space.

Bug: 28769920
Change-Id: I1be54924ef3d301908af6e8d4e6506f2aa7f6428
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Gilad Avidov <giladavidov@google.com>
2016-06-06 14:59:58 -07:00
Nick Desaulniers
eee0509259 qseecom: Add checks for API called in IOCTL
Validate the caller is the right type for the IOCTL being
issued and inputs are valid.

Bug: 28747998
Change-Id: Iad71f0f5ed4d53c5d011bd55cdf74ec053d09af5
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
2016-06-06 14:57:34 -07:00
Mona Hossain
b0fe0cfc75 qseecom: Validate inputs from user space
Validate send_cmd, send_modfd_cmd and send_mdfd_resp
input parameters: cmd and response pointers and buffer
lengths and offsets issued to modify data.

Bug: 28748271
Change-Id: I381836d08aaa48357486fbdc6a122eb5b42bfa0b
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
2016-06-03 12:05:08 -07:00
Zhen Kong
4d12c149cd qseecom: Validate pointer offset in qseecom_send_modfd_cmd
Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
make sure cmd buffer address to be within shared buffer.

Bug: 28804057
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2016-06-03 12:00:27 -07:00
Mohammad Johny Shaik
24147c05f0 Asoc:msm:Added Buffer overflow check
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.

Bug: 28751152
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
2016-06-03 11:59:22 -07:00
Hariprasad Dhalinarasimha
6bcdea884d qseecom: Ensure incoming "app_name" does not corrupt the kernel stack
Printing a string that does not have null terminated character,
would lead to overflow, as the print continues until it finds a null
terminated character.
Avoid this issue by explicitly assigning a string with null termination.

Bug: 28749708

Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
2016-06-03 11:58:17 -07:00
Mohit Aggarwal
518bb6e931 diag: Fix possible underflow/overflow issues
Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.

Bug: 28767796
Change-Id: Ic91b5ee629066f013022ea139b4a23ec661aa77a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-03 11:57:55 -07:00
Biswajit Paul
9d2d76985c kernel: Restrict permissions of /proc/iomem.
The permissions of /proc/iomem currently are -r--r--r--. Everyone can
see its content. As iomem contains information about the physical memory
content of the device, restrict the information only to root.

Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
bug: 28814213
CRs-Fixed: 786116
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
2016-06-03 11:56:04 -07:00
Petar Sivenov
3a0f8ec9e2 msm:camera:isp: fix array index bound checks
This change fixes several incorrect or missing array index bound checks.

Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
2016-06-03 11:55:33 -07:00
André Hentschel
f7738390c4 ARM: 7735/2: Preserve the user r/w register TPIDRURW on context switch and fork
Since commit 6a1c53124a the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.

There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.

This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.

Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: a4780adeef
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[joonwoop@codeaurora.org: fixed merge conflict]
CRs-fixed: 561044
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Bug: 28749743
2016-06-03 11:52:03 -07:00
Krishnankutty Kolathappilly
e414124c94 ALSA: compress: Memset timestamp structure to zero.
snd_compr_tstamp is initialized using aggregate initialization
that does not zero out the padded bytes. Initialize timestamp
structure to zero using memset to avoid this.

Bug: 28770164
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
2016-06-03 11:49:10 -07:00
Katish Paran
360b13a631 diag: dci: Safeguard to prevent Integer Underflow and Memory Leak
At certain point in diag driver there can be integer underflow
thus can lead to memory leak. Added a safeguard for that.

Bug: 28750726
Change-Id: I8cc6a8336cd2c5c88c49748c0be2df1696894f2b
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-03 11:47:29 -07:00
Mitchel Humpherys
bedfff667d msm: ADSPRPC: Add checks for erroneous values
Check for invalid parameters passed in user invocation
and validate the return values using appropriate macros.

Bug: 28767593
Change-Id: I9a067f2ab151084b46e9d4d5fb945320a27bb7ba
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 12:32:11 -07:00
Jim Rasche
cebda807e6 msm:camera: Fix multiple bounds check
Added bounds check to user input num_streams at several locations;
without checking, a position outside the array could be dereferenced

Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
2016-06-02 12:28:59 -07:00
Rajesh Bondugula
7e24523b95 msm: camera: Update CCI WR command buffer size to 11 bytes
I2C command length is of 11 bytes, it includes 10 bytes of data and
1 byte of WR command. Use 11 bytes char array to create command.

Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
2016-06-02 12:24:55 -07:00
Baruch Eruchimovitch
496c770c73 msm: ultrasound: add verifications of some input parameters
Some security vulnerabilities were found.
To fix them, additional verifications of some input parameters
are required.

bug: 28814690
CRs-Fixed: 554575, 554560, 555030
Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
Signed-off-by: Baruch Eruchimovitch <baruche@codeaurora.org>
2016-06-02 12:14:23 -07:00
Ravi Aravamudhan
3dea657027 diag: Make fixes to diag_switch_logging
Diag driver holds on to the socket process task structure even
after signaling the process to exit. This patch clears the internal
handle after signaling.

bug: 28803962
Change-Id: I642fb595fc2caebc6f2f5419efed4fb560e4e4db
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
2016-06-02 12:05:17 -07:00
Yueyao (Nathan) Zhu
895a5204ff msm: camera: added zero checks for msm_isp_proc_cmd...
and bound check for msm_isp_set_src_state

Bug: 28749803
Change-Id: Ibc686f64229552160c2f65f672ba8c97ef520443
2016-06-02 12:03:41 -07:00
Petar Sivenov
22591b12e0 msm: camera: isp: Bound check for number stats registers
The index of used stats register is derived from a stream handle least
significant byte and thus can be up to 255. However the stats registers
are up to 8 depending of the target. Thus a bound check is done before
use of the received stats register index value.

Bug: 28749728
Change-Id: I23f1add81eb8e0844103a3a3f59f4e4c2af14ffd
2016-06-02 11:58:27 -07:00
Hariram Purushothaman
7f6fa08202 msm: camera: Check stats index MAX in ISP driver
Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.

Bug: 28749728
Change-Id: I29d9b62cec045598645fbc0e6e62c500eb74bb97
2016-06-02 11:58:11 -07:00
Lakshmi Narayana Kalavala
5d8657c170 msm: camera: Fix possible out of bound writes in csi driver
The value csi_lane_mask which is uint16_t is controllable from userspace.
The while loop can loop for 2^16 - 1, Hence extract the required
bit combination from the userspace argument, use it for further
processing.

Bug: 28749721
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
2016-06-02 11:56:25 -07:00
Ravi Aravamudhan
2469b2ce4e diag: dci: Check for request pkt length being lesser than minimum length
Added checks for DCI request packets to be greater than the minimum
packet length. We would drop the request and print an error otherwise.

CRs-Fixed: 483310

Bug: 28767589
Change-Id: Ib7a713be3d6f5a6e0ec3ac280aebd800058447c7
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 11:50:13 -07:00
Katish Paran
09001b6399 diag: dci: Safeguard to prevent integer overflow
At certain point in diag driver there can be integer overflow
thus can lead to memory leak. Added a safeguard for it.

Bug: 28769912
Change-Id: Ib7070218b9ea7a1b9efca02b4c456ad9501085cd
Signed-off-by: Katish Paran <kparan@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 11:43:36 -07:00
Hariram Purushothaman
f0b6dc3d82 msm: camera: Bound check num_cid from userspace in csid driver
Upper and lower bound checks are enforced for num_cid
which is passed from userspace with lower as 1 and
max of 16.

Bug: 28747684
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
2016-06-02 11:43:20 -07:00
Katish Paran
86a1a7a78c diag: Safeguard for bound checks and integer underflow
At certain point in diag driver there can be integer underflow
and thus can lead to memory leak. Bound checks are placed to
ensure correct behavior of condition statements.

Bug: 28768146
Change-Id: I87b57a8b5f32886ada7725f1e8c97cc93de112ec
Signed-off-by: Katish Paran <kparan@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 11:42:02 -07:00
raghavendra ambadas
7c8061dd94 msm_fb: display: validate input args of mdp4_argc_process_write_req
A bounds check has to be done for r/g/b stages variables
to avoid undetermined behaviour.

Bug: 28398884
Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2016-06-02 11:34:53 -07:00
Deva Ramasubramanian
b81f2dc78a media: Init the reserved fields of struct media_link_desc
struct media_link_desc is copy_to_user'ed as the return value of
MEDIA_IOC_ENUM_LINKS. When copying, the driver is omitting to initialise
the reserved fields.  This commit fixes that by initialising the
reserved fields to 0.

Bug: 28750150
CRs-Fixed: 570757
Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2016-06-02 11:33:44 -07:00
Russell King
e961bbad6b ARM: dma-mapping: don't allow DMA mappings to be marked executable
DMA mapping permissions were being derived from pgprot_kernel directly
without using PAGE_KERNEL.  This causes them to be marked with executable
permission, which is not what we want.  Fix this.

Bug: 28803642
Change-Id: Ib40f59f3c569f82409943cf8f9a86a9869d922cc
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: 0ea1ec713f
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[lauraa@codeaurora.org: dropped functions not in older builds]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
2016-06-02 11:32:02 -07:00
Avijit Kanti Das
4afcb8361c net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
memset() the structure ethtool_wolinfo that has padded bytes
but the padded bytes have not been zeroed out.

Bug: 28803952
Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
2016-06-02 11:27:42 -07:00
Panvar Vivek
bb16fdd950 wlan: Replace snprintf with scnprintf
The function snprintf() does not write more than size bytes (including
the terminating null byte ('\0')). If the output was truncated due
to this limit then the return value is the number of characters
(excluding the terminating null byte) which would have been written
to the final string if enough space had been available. Thus, a
return value of size or more means that the output was truncated.

Bug: 28670333
Change-Id: I2b6c7f8262361046536b55262b3d7c30cb5b282e
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 10:13:47 -07:00
Kiran Kumar Lokere
ae48921306 Fix the buffer overflow issue observed in static code analysis.
Fix the possible buffer overflow in IE parsing.

Bug: 28668638
Change-Id: I61e3b20276bdf329a1ef64a3189f172b231a3d15
Signed-off-by: Yuan Lin <yualin@google.com>
2016-06-02 17:10:16 +00:00
Deepak Verma
87b6a3ebe5 msm: vidc: Check validity of userspace address
Before writing to a userspace address, verification
of the validity of user space address is required.

Bug: 28769352
Change-Id: I9141e44a6c11aaf3f4d57c08bb0dd26a7b214f34
CRs-fixed: 556356
Signed-off-by: Deepak Verma <dverma@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2016-05-31 15:56:43 -07:00
Siqi Lin
3b8eec8290 radio: iris: Remove FM radio driver from defconfig
FM radio is not used on flo.

Bug: 28769368
Bug: 28769546
Change-Id: Ice4c4cb66e7ea7b7e34efe125e29377f896e80f1
Signed-off-by: Siqi Lin <siqilin@google.com>
2016-05-31 15:56:11 -07:00
Ayaz Ahmad
d9809ae397 radio: iris: Use kernel API to copy data from user space
Use copy_from_user kernel api to copy any data from user space
to kernel space.

Bug: 28769546
Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82
CRs-Fixed: 540320
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2016-05-31 14:34:42 -07:00