A bounds check has to be done for the r/g/b stage variables
to avoid undetermined behaviour.
Bug: 28398884
Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
struct media_link_desc is copy_to_user'ed as the return value of
MEDIA_IOC_ENUM_LINKS. When copying, the driver omits to initialise
the reserved fields. This commit fixes that by initialising the
reserved fields to 0.
Bug: 28750150
CRs-Fixed: 570757
Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
DMA mapping permissions were being derived from pgprot_kernel directly
without using PAGE_KERNEL. This causes them to be marked with executable
permission, which is not what we want. Fix this.
Bug: 28803642
Change-Id: Ib40f59f3c569f82409943cf8f9a86a9869d922cc
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: 0ea1ec713f
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[lauraa@codeaurora.org: dropped functions not in older builds]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
memset() the structure ethtool_wolinfo, which has padding bytes
that have not been zeroed out.
Bug: 28803952
Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
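Both of the fixes above (the media_link_desc reserved fields and the ethtool_wolinfo padding) close the same infoleak class: a structure is handed to copy_to_user() while bytes the driver never assigned still hold whatever was in that memory. The example below is added here and is not code from either patch; the struct layout, the field names and the 0xAA fill standing in for stale kernel memory are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a struct returned to user space (the layout is
 * assumed; it is not media_link_desc or ethtool_wolinfo). */
struct link_desc {
    uint8_t  id;            /* 1 byte, then compiler padding before flags */
    uint32_t flags;
    uint32_t reserved[2];   /* must read back as 0 in user space */
};

/* Count bytes that are neither set by the driver nor zero: the padding and
 * the reserved fields.  Anything counted here would leak on copy_to_user(). */
static size_t stale_bytes(const struct link_desc *d)
{
    const unsigned char *p = (const unsigned char *)d;
    size_t n = 0, i;

    for (i = offsetof(struct link_desc, id) + sizeof d->id;
         i < offsetof(struct link_desc, flags); i++)          /* padding */
        if (p[i] != 0)
            n++;
    for (i = offsetof(struct link_desc, reserved); i < sizeof *d; i++)
        if (p[i] != 0)                                       /* reserved */
            n++;
    return n;
}

/* Simulate stale kernel memory: the object is reused without clearing. */
static void poison(struct link_desc *d)
{
    memset(d, 0xAA, sizeof *d);
}

/* Buggy pattern: assign the fields you care about, copy the whole struct. */
static size_t fill_unsafe(struct link_desc *d)
{
    poison(d);
    d->id = 7;
    d->flags = 1;
    return stale_bytes(d);     /* padding and reserved[] still hold 0xAA */
}

/* Fixed pattern: memset() the whole object first, then assign.  Zeroing
 * field by field would still leave the padding bytes untouched. */
static size_t fill_safe(struct link_desc *d)
{
    poison(d);
    memset(d, 0, sizeof *d);
    d->id = 7;
    d->flags = 1;
    return stale_bytes(d);
}
```

stale_bytes() is the check to run in a unit test of any structure that crosses the kernel/user boundary: fill the object with a recognisable pattern, run the driver's fill path, and assert that nothing outside the assigned fields survived.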
The function snprintf() does not write more than size bytes (including
the terminating null byte ('\0')). If the output was truncated due
to this limit, then the return value is the number of characters
(excluding the terminating null byte) which would have been written
to the final string if enough space had been available. Thus, a
return value of size or more means that the output was truncated.
Bug: 28670333
Change-Id: I2b6c7f8262361046536b55262b3d7c30cb5b282e
Signed-off-by: Yuan Lin <yualin@google.com>
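The rule in the commit message above (a return value of size or more means truncation) matters most when snprintf() output is accumulated: using the return value as a byte count to advance a cursor lets the cursor run past the buffer, after which `size - offset` underflows and the next call writes out of bounds. The following string builder is an added example, not code from the patch; it applies the check on every append and clamps the cursor instead of trusting the return value.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* String built from repeated vsnprintf() calls.  cap includes the
 * terminating NUL; len never counts it.  Invariant: len < cap. */
struct strbuf {
    char   *data;
    size_t  cap;
    size_t  len;
    bool    truncated;   /* sticky: set once any append did not fit */
};

static void sb_init(struct strbuf *sb, char *storage, size_t cap)
{
    sb->data = storage;
    sb->cap = cap;
    sb->len = 0;
    sb->truncated = false;
    if (cap)
        storage[0] = '\0';
}

/* Append formatted text; returns false (and marks the buffer) on truncation.
 * The test is exactly the one from the commit message: a return value of
 * avail or more means the output was cut short. */
static bool sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t avail;
    int n;

    if (sb->cap == 0)
        return false;
    avail = sb->cap - sb->len;            /* >= 1 by the invariant */

    va_start(ap, fmt);
    n = vsnprintf(sb->data + sb->len, avail, fmt, ap);
    va_end(ap);

    if (n < 0) {                          /* encoding error: nothing usable */
        sb->truncated = true;
        return false;
    }
    if ((size_t)n >= avail) {             /* would have needed n + 1 bytes */
        sb->len = sb->cap - 1;            /* vsnprintf wrote avail - 1 chars + NUL */
        sb->truncated = true;
        return false;
    }
    sb->len += (size_t)n;                 /* only now is n a real byte count */
    return true;
}
```

Because the cursor is clamped to cap - 1 on truncation, a later append sees avail == 1, writes only the NUL and reports truncation again; the buffer is never indexed past its end even if a caller ignores the return value.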
Fix the possible buffer overflow in IE parsing.
Bug: 28668638
Change-Id: I61e3b20276bdf329a1ef64a3189f172b231a3d15
Signed-off-by: Yuan Lin <yualin@google.com>
Before writing to a userspace address, verification
of the validity of the user space address is required.
Bug: 28769352
Change-Id: I9141e44a6c11aaf3f4d57c08bb0dd26a7b214f34
CRs-fixed: 556356
Signed-off-by: Deepak Verma <dverma@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
FM radio is not used on flo.
Bug: 28769368
Bug: 28769546
Change-Id: Ice4c4cb66e7ea7b7e34efe125e29377f896e80f1
Signed-off-by: Siqi Lin <siqilin@google.com>
Use the copy_from_user kernel API to copy any data from user space
to kernel space.
Bug: 28769546
Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82
CRs-Fixed: 540320
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Check if the driver's buffer is large enough to copy
the data from user space.
Bug: 28769546
Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82
CRs-fixed: 552329
Signed-off-by: Satish Kodishala <skodisha@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Casting an unsigned int to an int, or an int to an
unsigned int, may cause a buffer overflow.
Bug: 28769368
Change-Id: I54be4d4c5470616a59a772c587fe6d5f32575c32
CRs-Fixed: 539008
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Fix to prevent an untrusted userspace pointer in the actuator kernel
driver from leading to a DoS.
Bug: 28768281
Change-Id: I1b64270deb494530d268539e7b420be5ec79b658
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).
However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.
Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.
Bug: 28409131
Change-Id: I3f7a539ab31769f0e926d5c79d56bde652fbaf75
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
During a perf_event_enable, kernel/events/core.c calls pmu->add(), which
is the platform implementation (arch/arm/kernel/perf_event.c). Due to the
duplicate constraints, the arch/arm/mach-msm/perf_event_msm_krait_l2.c
driver marks the event as OFF but returns TRUE to perf_event.c, which
goes ahead and allocates the hw_event and enables it.
Since the event is marked OFF, the kernel events core will try to enable this event
again during the next perf_event_enable, which results in the same event being enabled
on multiple hw_events. But during perf_release, the event struct is freed
and only one hw_event is released. This results in dereferencing an
invalid pointer and hence the crash.
Fix this by returning an error in case of a duplicate constraint event, hence
avoiding the same event being programmed on multiple hw event counters.
Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455
Signed-off-by: Arun KS <arunks@codeaurora.org>
Signed-off-by: Veena Sambasivan <veenas@codeaurora.org>
Commit 8520f38099 ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue. However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so. As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated. Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.
This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running. It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which case nothing should be
done.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 28712303
Change-Id: Ie696f13c4fa28dd549d459ea607cf27b53610be6
step_boundary can take values up to total_steps.
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t;
step_index and region_index cannot be negative.
Bug: 27890772
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
In the MMC card debug_fs, the read and write handlers use strlcat
and sscanf without checking the pointer given.
Since the pointer is not checked, it is possible to write
everywhere (ring 0 or 3).
In order to fix it, the access_ok function is used to verify that
the buffer pointer supplied by the user is valid.
Bug: 28769136
CRs-fixed: 545716
Change-Id: Ia710b6af5a95974fc930ca902e8ff18afa4e17ba
Signed-off-by: Raviv Shvili <rshvili@codeaurora.org>
The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrent writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer as follows.
If we look into tty_insert_flip_string_fixed_flag, there is:
int space = __tty_buffer_request_room(port, goal, flags);
struct tty_buffer *tb = port->buf.tail;
...
memcpy(char_buf_ptr(tb, tb->used), chars, space);
...
tb->used += space;
so the race of the two can result in something like this:
A                                B
__tty_buffer_request_room
                                 __tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
                                 memcpy(buf(tb->used), ...) ->BOOM
B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.
Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call
Bug: 28803396
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I9e235db6ec2bb950f26bd8a23f6145dab5dc0a15
Git-commit: 4291086b1f
Git-repo:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
[rsiddoji@codeaurora.org: resolve trivial merge conflicts]
Signed-off-by: Ravi Kumar S <rsiddoji@codeaurora.org>
Make sure the number of buffers count is less than
the maximum limit to avoid structure overflow errors.
Bug: 28598515
Change-Id: Ia19481c42610ecf1f395bb94138495a848b1eb28
Validate the number of buffers count variable before
using it to avoid structure overflow error.
Bug: 28598501
Change-Id: I61582c93e0f26ec6842e437134fb8a42bdbc36ff
CRs-fixed: 563654
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
Check that there is no integer overflow before using req_len and
resp_len (received from user space). If an overflow is detected,
then exit the operation.
Bug: 28571496
Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Fix to prevent a kernel heap buffer overflow that allows user-controlled
data to be written to the heap via the msm_camera actuator IOCTLs.
Bug: 28557260
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
An enum value cci_i2c_master is not checked to be greater than 0.
Add the check.
Bug: 28441831
Change-Id: Ibe75ab7155def45d81b8127c5eda3fa2ed570bce
Signed-off-by: Xu Han <hanxu@codeaurora.org>
Remove some unused ioctls that were exposed. Also add
some bounds checks for ioctl user params.
Bug: 28441831
Change-Id: Ifdd441fdb25fd20b005c4e4e1ebe4e203f1216ac
CRs-Fixed: 511382
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Bound check and validate userspace parameters direction,
number of steps and direction sign. Also fix possible
memory leak in certain error cases.
Bug: 28431531
CRs-Fixed: 511349
Change-Id: Icaa324468574494fb40f2de78e522090806744cb
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
As per the ANSI C Standard document, integer overflow is undefined
behavior. So update the code to detect integer overflow before it happens.
Bug: 28430703
CRs-Fixed: 491629
Change-Id: Ifd90c05266477c7734710bb94b9021f8bb9ab761
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
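Three of the commits above share one check: lengths and counts that arrive from user space (req_len + resp_len, a buffer count multiplied by an element size) must be tested for wraparound before the arithmetic, because a wrapped result is small enough to pass any later limit check, and for signed operands the overflow itself is undefined behaviour. The following helpers are an added example and not code from any of these patches; the struct, the limits SHARED_BUF_SIZE and MAX_BUFFERS, and the request values are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SHARED_BUF_SIZE 4096u     /* assumed size of the kernel-side buffer */
#define MAX_BUFFERS     32u       /* assumed upper bound on a buffer count */

/* Hypothetical request header as it would arrive via an ioctl. */
struct user_req {
    uint32_t req_len;
    uint32_t resp_len;
};

/* Unsigned add with the overflow test done BEFORE the addition. */
static bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Signed add: signed overflow is undefined behaviour, so test first. */
static bool add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* count * elem_size with both a count limit and a multiplication check. */
static bool count_bytes_checked(uint32_t count, uint32_t max_count,
                                size_t elem_size, size_t *bytes)
{
    if (count > max_count)
        return false;
    if (elem_size && count > SIZE_MAX / elem_size)
        return false;
    *bytes = (size_t)count * elem_size;
    return true;
}

/* Naive version: adds first, so a wrapped sum passes the limit check. */
static int validate_req_naive(const struct user_req *r)
{
    uint32_t total = r->req_len + r->resp_len;
    return total > SHARED_BUF_SIZE ? -EINVAL : 0;
}

/* Fixed version: refuse on wrap, then apply the size limit. */
static int validate_req_checked(const struct user_req *r)
{
    uint32_t total;

    if (!add_u32_checked(r->req_len, r->resp_len, &total))
        return -EINVAL;
    if (total > SHARED_BUF_SIZE)
        return -EINVAL;
    return 0;
}
```

The request { 0xFFFFFF00, 0x200 } is the case the naive check misses: the sum wraps to 0x100, which is well under the 4096-byte limit, while each half on its own is far larger than the buffer.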
__copy_from_user does not do an address check, so use
copy_from_user instead.
Bug: 28469042
Change-Id: I575c0f3c44b55a521c0d42828988c518c0640a29
CRs-Fixed: 545747
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
In _kgsl_sharedmem_page_alloc():
- Make len of type size_t to be in line with size.
- Check for boundary limits of requested alloc size before honoring.
- Make sure sglen is greater than zero before marking it as end
of sg list.
Bug: 27475454
Change-Id: I5389bcef3478f2ccf2be5f719049867496235f28
Signed-off-by: Yuan Lin <yualin@google.com>
Use copy_to_user and copy_from_user for
copying data to/from user space
Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031
CRs-Fixed: 561028
CRs-Fixed: 605932
Bug: 27662174
Bug: 27777162
All WAPI ioctls (WLAN_PRIV_SET_WAPI_MODE, WLAN_PRIV_GET_WAPI_MODE,
WLAN_PRIV_SET_WAPI_ASSOC_INFO, WLAN_PRIV_SET_WAPI_KEY,
WLAN_PRIV_SET_WAPI_BKID, WLAN_PRIV_GET_WAPI_BKID) are not being
used; hence, remove the source code related to all these ioctls.
Change-Id: I204cd579b4e29df7e995f30cc0aa8612bc7965ee
CRs-Fixed: 677410
Bug: 27776888
so we cannot utilize kernel facility "extra".
We need to copy the user data in kernel buffer
using copy_from_user function.
Change-Id: I550bf90fbbacb9d5ac4187ed423fca90fafccad1
CRs-Fixed: 596898
Bug: 27777501
Userspace supplies the actual number of used VFEs in a session to ISPIF.
Validate the userspace input value and, if it is found to be invalid, return
an error.
BUG=27600832
Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5
prima to qcacld-2.0 propagation
Return failure to applications if ioctl is invoked with arguments
of improper length.
Bug: 27104184
Change-Id: I4459c5f39ca9c7a852772913578bd2122cb73879
Presently we are not validating the length of the essid received
and are directly copying the buffer without size checking.
Perform bounds checking before processing the scan req.
Change-Id: I786e4feb67bf039df3d217138a412da54f51787d
CRs-fixed: 890228
Bug: 27773913
Change the config from DEBUG_FS to MDP_DEBUG_FS to dump and
write the MDP, MDDI and HDMI debug registers. By default
CONFIG_MDP_DEBUG_FS should be disabled and can be enabled
through defconfig file.
Change-Id: I2ed8dcc30b19a80912734ec13f24a67351c38315
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
BUG=26404525
Validate the input arguments of MDP, MDDI and HDMI offset
values in the respective write functions.
Change-Id: Ida1b7ec292c365701fe17446019f625fdaff38d2
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
BUG=26404525
Previous upstream *stable* fix 14f81062 was incomplete.
A local process can trigger a system crash with an OOB read on buf.
This occurs when the state of buf gets out of sync. After an error in
pipe_iov_copy_to_user(), read_pipe may exit having updated buf->offset
but not buf->len. Upon retrying pipe_read() while in
pipe_iov_copy_to_user(), *remaining will be larger than the space left
after buf->offset, e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE,
buf->offset = 0x300.
This is fixed by not updating the state of buf->offset until after the
full copy is completed, similar to how pipe_write() is implemented.
For stable kernels < 3.16.
Bug: 27721803
Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
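The failure described above is a state desynchronisation: one field of the buffer descriptor (offset) is advanced on an error path while the other (len) is not, so a later consumer computes a region that extends past the page. The model below is an added example and is not the kernel's pipe code; it reduces the pipe buffer to an offset/len pair over one page and replaces copy_to_user() with a stand-in that faults after a chosen number of bytes, so that the broken and the fixed update order can be compared against the invariant offset + len <= page size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIPE_PAGE 4096u   /* assumed page size for the model */

/* One pipe buffer: the unread region is [offset, offset + len). */
struct pipe_buf {
    unsigned char page[PIPE_PAGE];
    size_t offset;
    size_t len;
};

/* Stand-in for copying to user space: copies at most fail_after bytes,
 * then behaves as if the destination page faulted.  Returns bytes copied. */
static size_t fake_copy_to_user(unsigned char *dst, const unsigned char *src,
                                size_t n, size_t fail_after)
{
    size_t done = n < fail_after ? n : fail_after;
    memcpy(dst, src, done);
    return done;
}

/* Broken update order: offset advances by the partial copy, but the error
 * path returns before len is adjusted, leaving offset + len > PIPE_PAGE. */
static int pipe_read_buggy(struct pipe_buf *b, unsigned char *dst, size_t n,
                           size_t fail_after)
{
    size_t chars = n < b->len ? n : b->len;
    size_t done = fake_copy_to_user(dst, b->page + b->offset, chars, fail_after);

    b->offset += done;            /* state changed before the copy is known good */
    if (done < chars)
        return -1;                /* ... and len is never fixed up here */
    b->len -= done;
    return (int)done;
}

/* Fixed order: nothing in the descriptor changes until the whole copy
 * succeeded, so a fault leaves the buffer exactly as it was. */
static int pipe_read_fixed(struct pipe_buf *b, unsigned char *dst, size_t n,
                           size_t fail_after)
{
    size_t chars = n < b->len ? n : b->len;
    size_t done = fake_copy_to_user(dst, b->page + b->offset, chars, fail_after);

    if (done < chars)
        return -1;                /* offset and len untouched */
    b->offset += done;
    b->len -= done;
    return (int)done;
}

/* The invariant every later reader relies on before touching
 * page + offset for len bytes. */
static bool pipe_buf_in_bounds(const struct pipe_buf *b)
{
    return b->offset <= PIPE_PAGE && b->len <= PIPE_PAGE - b->offset;
}

/* Fill the page and mark all of it unread (constructed test state). */
static void pipe_buf_fill(struct pipe_buf *b)
{
    memset(b->page, 'x', PIPE_PAGE);
    b->offset = 0;
    b->len = PIPE_PAGE;
}
```

With a fault after 0x300 bytes the buggy path ends in the exact state the commit message quotes (offset = 0x300, len = PAGE_SIZE), and a retry that trusts len would read 0x300 bytes past the page; the fixed path returns the error with the descriptor unchanged.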
prima to qcacld-2.0 propagation
Check for a valid length before copying the packet filter data from
the userspace buffer to the kernel space buffer to avoid a buffer overflow
issue.
Bug: 26754117
Change-Id: I8d25a9d1b6909b6dda7a1d2aa80407ef2da821aa
Signed-off-by: Yuan Lin <yualin@google.com>
prima to qcacld-2.0 propagation
Return failure to applications if genie ioctl is invoked to configure
WPS/WPA/RSN IEs with arguments of improper length.
Bug: 27104184
Change-Id: I31e288db41e14b24be0e430afed3a5e360da1370
Signed-off-by: Yuan Lin <yualin@google.com>
for CLEAR_MCBC_FILTER IOCTL
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned
odd numbers. This leads the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do the SET operation.
Hence, in the driver, before processing the CLEAR_MCBC_FILTER IOCTL, make
sure the user task has the right permission to process the command.
Bug: 27104184
Change-Id: I2332845fa6793dc63b6f397a9ebf53d37a52a7c7
Signed-off-by: Yuan Lin <yualin@google.com>
for SET_POWER_PARAMS IOCTL
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned
odd numbers. This leads the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do the SET operation.
Hence, in the driver, before processing the SET_POWER_PARAMS IOCTL, make
sure the user task has the right permission to process the command.
Bug: 27104184
Change-Id: Iaab3d55c2acc75f65d6daf5998713cc9ff92a32c
Signed-off-by: Yuan Lin <yualin@google.com>
for SET_BAND_CONFIG IOCTL
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned
odd numbers. This leads the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do the SET operation.
Hence, in the driver, before processing the SET_BAND_CONFIG IOCTL, make
sure the user task has the right permission to process the command.
Bug: 27104184
Change-Id: I34e9d91f778b09eb73881aed5c6e3a10cbbd208c
Signed-off-by: Yuan Lin <yualin@google.com>
for SET_THREE_INT_GET_NONE
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned
odd numbers. This leads the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do the SET operation.
Hence, in the driver, before processing the SET_THREE_INT_GET_NONE IOCTL,
make sure the user task has the right permission to process the command.
Bug: 27104184
Change-Id: I8661872786adfb5492da505ba3960e62064ddd7e
Signed-off-by: Yuan Lin <yualin@google.com>
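The four commits above (CLEAR_MCBC_FILTER, SET_POWER_PARAMS, SET_BAND_CONFIG, SET_THREE_INT_GET_NONE) all work around the same root cause: wireless extensions decide whether a private ioctl needs CAP_NET_ADMIN from the parity of its number (IW_IS_SET is true for even numbers), so a SET command that was given an odd number is dispatched to the driver without that check. The model below is an added example, not code from the driver or the kernel: it keeps the real IW_IS_SET definition and SIOCIWFIRSTPRIV value from linux/wireless.h, passes the capability in as a flag so it runs in user space, uses hypothetical command numbers, and adds an audit pass over a command table that finds parity mismatches directly, which is the fix a reviewer would ask for alongside the per-handler checks.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define SIOCIWFIRSTPRIV 0x8BE0            /* first private wext ioctl (linux/wireless.h) */
#define IW_IS_SET(cmd)  (!((cmd) & 0x1))  /* wext rule: even numbers are SET, odd are GET */

/* Hypothetical private ioctl numbers; the second is a SET that was given an
 * odd number, which is the pattern the commits above fix. */
#define WE_SET_WELL_NUMBERED  (SIOCIWFIRSTPRIV + 2)
#define WE_SET_ODD_NUMBERED   (SIOCIWFIRSTPRIV + 3)

/* Model of the core's gate: SET commands need CAP_NET_ADMIN.  In the kernel
 * this is wext_permission_check() calling capable(); here the capability is
 * a parameter so the model runs in user space. */
static int core_permission_check(unsigned int cmd, bool cap_net_admin)
{
    if (IW_IS_SET(cmd) && !cap_net_admin)
        return -EPERM;
    return 0;
}

/* Driver handler that relies on the core alone. */
static int set_handler_unfixed(unsigned int cmd, bool cap_net_admin, int *applied)
{
    int err = core_permission_check(cmd, cap_net_admin);

    if (err)
        return err;
    *applied = 1;              /* privileged state change performed */
    return 0;
}

/* Fixed handler: the driver knows this command is a SET and enforces the
 * requirement itself, so the number's parity no longer matters. */
static int set_handler_fixed(unsigned int cmd, bool cap_net_admin, int *applied)
{
    int err = core_permission_check(cmd, cap_net_admin);

    if (err)
        return err;
    if (!cap_net_admin)
        return -EPERM;
    *applied = 1;
    return 0;
}

/* Audit helper: count private ioctls whose number parity disagrees with
 * their SET/GET semantics.  A non-zero result means the core check is
 * being bypassed for those commands. */
struct priv_cmd {
    unsigned int cmd;
    bool         is_set;
    const char  *name;
};

static size_t count_parity_mismatches(const struct priv_cmd *t, size_t n)
{
    size_t bad = 0;

    for (size_t i = 0; i < n; i++)
        if (t[i].is_set != (IW_IS_SET(t[i].cmd) != 0))
            bad++;
    return bad;
}
```

Run count_parity_mismatches() over the driver's private ioctl table at build or test time; every entry it flags is one the core will never gate with CAP_NET_ADMIN, regardless of what the handler does.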