Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
This snapshot is taken from msm-4.9
Ported it from 4.9 to 3.18
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
[haggertk: Backport to 3.4/msm8974. Note that this includes patching
the non-standard camera_ll implementation as well on this kernel.]
CVE-2019-10524
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
dvb_usb_device_exit() frees and uses the device name in that order.
Fix by storing the name in a buffer before freeing it.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
CVE-2019-15213
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: Ia218933795b4847765450522202d1b67e326c3cd
commit 0c4df39e504bf925ab666132ac3c98d6cbbe380b upstream.
Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.
Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: technisat_usb2_get_ir() still uses a stack
buffer, which is not worth fixing on this branch]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2019-15505
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I9561df3437dec3d0bd2770c1f831d68bb26a9a6e
TX and RX FIFOs of Microcontroller are used to exchange commands
and messages between Micro FW and CPP driver. TX FIFO depth is
16 32-bit words; in case of errors there is a chance of overflow.
To prevent possible out of bound access, TX FIFO depth or
level is checked for MAX depth before accessing the FIFO.
Change-Id: I5adf39b46ff10e358c4a2c03a2de07d44b99cedb
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
[haggertk: Backport to 3.4/msm8974. Note that this includes patching
the non-standard camera_ll implementation as well on this kernel.]
CVE-2018-11986
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
https://github.com/LineageOS/android_kernel_motorola_msm8226 @ cm-14.1
This is needed because the stock driver which comes from OSRC requires
firmware loading. Using stock blobs for firmware loading however does
not work, so simply switch to this driver, which does not require firmware
loading and just works with the aosp libfmjni
commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Reported-by: syzbot <syzkaller@googlegroups.com>
Bug: 111760968
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ieaad998693c4fcd0ea5f9902f50ad3b979e967d8
CVE-2019-2101
[haggertk: Backport to 3.4/msm8974 (path change)]
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
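A simplified model of the two-stage wTerminalType check the commit above describes, added here as an illustration rather than taken from the uvc driver: the first comparison is unmasked and sizes the descriptor, the second masks off the MSB, and the fix rejects any descriptor that has the MSB set. The descriptor bytes are constructed, UVC_ITT_CAMERA is the camera input terminal type from the UVC spec, and the field offsets follow the commit's description of buffer[4] holding wTerminalType.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define UVC_ITT_CAMERA 0x0201u  /* camera input terminal type (UVC spec) */

struct camera_term {
    uint16_t type;          /* wTerminalType; MSB later reused as a flag */
    uint8_t  control_size;  /* bControlSize, read from buf[14] */
};

/* Constructed descriptors, not captured from a device:
 * a valid camera terminal (type 0x0201, 3 control bytes) and a crafted
 * one that sets the MSB (type 0x8201) in an 8-byte descriptor. */
static const uint8_t good_camera[18] = { 18, 0x24, 0x02, 1, 0x01, 0x02,
                                         0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0 };
static const uint8_t crafted[8] = { 8, 0x24, 0x02, 1, 0x01, 0x82, 0, 0 };

/* Returns 0 on success, -EINVAL for a rejected descriptor, and -EOVERFLOW
 * where the pre-fix flow would have accessed beyond buflen (the model
 * stops instead of doing so). hardened != 0 applies the fix. */
static int parse_input_terminal(const uint8_t *buf, size_t buflen,
                                int hardened, struct camera_term *out)
{
    uint16_t type;
    size_t len = 8, n = 0;

    if (buflen < 8)
        return -EINVAL;
    type = (uint16_t)(buf[4] | ((uint16_t)buf[5] << 8));

    /* The fix: the MSB is overloaded later, so a descriptor that sets it
     * in wTerminalType itself is malformed and is not parsed further. */
    if (hardened && (type & 0x8000u))
        return -EINVAL;

    /* Stage 1: size the descriptor. Unmasked compare, so 0x8201 falls
     * through with len == 8 and n == 0 and only 8 bytes are required. */
    if (type == UVC_ITT_CAMERA) {
        n = buflen >= 15 ? buf[14] : 0;
        len = 15;
    }
    if (buflen < len + n)
        return -EINVAL;

    /* Stage 2: masked compare, so 0x8201 now matches and the camera fields
     * at buf[8..14+n] would be read although only 8 bytes were checked. */
    if ((type & 0x7fffu) == UVC_ITT_CAMERA) {
        if (buflen < 15 + n)
            return -EOVERFLOW;      /* the out-of-bounds access from the report */
        out->type = type;
        out->control_size = (uint8_t)n;
    }
    return 0;
}
```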
Issue:
When total_steps is updated, after that, copy_from_user
fails with an error, then, i2c_reg_tbl is not allocated.
In this case, when calling msm_actuator_parse_i2c_params,
it leads to an out-of-bound memory write.
Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.
CRs-Fixed: 2111672
Change-Id: Ib9dcb182356e2df8078c131edfd0791fa95a35e0
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
[haggertk: Backport to 3.4/msm8974. Note that this includes patching
the non-standard camera_ll implementation as well on this kernel.]
CVE-2017-15857
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
When set_buffers fails, binfo is freed and again accessed
while freeing smem memory.
CRs-Fixed: 2118860
Change-Id: Ifdd683f907862665e34d6d39d5a8634984804c01
Signed-off-by: Chinmay Sawarkar <chinmays@codeaurora.org>
CVE-2018-5844
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
userptr may or may not be a null-value. Checking for this field
to qualify a plane as extradata has no merit. Ignore that check
Bug: 28747768
Change-Id: I08d85ef462f09003aaa17f6ebc5d27de7083796f
Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Compare ion handles in driver instead of matching fds
to check if a buffer is already mapped or not.
Bug: 28747768
Change-Id: Ifd18d8689351c4a6a22c988d359fb413be19e142
Signed-off-by: Ashray Kulkarni <ashrayk@codeaurora.org>
Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Add same fd ref only for static buffer mode.
Driver is configured for dynamic buffer mode by
default on Venus 3xx targets. If client uses the
same fd for all output buffers, then the first
buffer can remain mapped without reference, which
is incompatible with the current logic which
assumes buffers to have a reference if they are
already mapped
CRs-Fixed: 773605
Change-Id: I025fe373532e185660d43bae28457cbf06f20e7a
Signed-off-by: Surajit Podder <spodder@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
dest_step_position is sent from userspace and is used in
kernel to calculate the final DAC value.
dest_step_position must be validated against total steps.
Actuator will have an unexpected behavior if lens value is
programmed to actuator based on invalid dest_step_position.
CRs-Fixed: 1102580
Change-Id: Idcd97043d3bd583d8577233d446a99d1829a4ee6
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
https://source.codeaurora.org/quic/la/kernel/msm-3.10
commit b7b99e55bc7770187913ed092990852ea52d7892;
updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
CVE-2017-0627
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I20cf8a2b443dad1f9f93dae3cae3cf17b76af99d
Use dynamically allocated memory for constructing strings in
core_info_read & inst_info_read. This ensures that there is no
contention for a shared memory & hence avoids the requirement of
a lock. Allocate on demand, as the calls implement a debugfs
facility and hence rarely invoked. Statically allocated memory
would otherwise remain idle.
Change-Id: I3ae04e0a51801a2fc901591e41e28ff6b7d198b4
Signed-off-by: Abdulla Anam <abdullahanam@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
CVE-2017-9718
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The 32-bit compat v4l2 ioctl is implemented based on its 64-bit
equivalent. It converts 32-bit data structures into its 64-bit
equivalents and needs to provide the data to the 64-bit ioctl in user
space memory which is commonly allocated using
compat_alloc_user_space(). However, due to how that function is
implemented, it can only be called a single time for every syscall
invocation. Supposedly to avoid this limitation, the existing code uses
a mix of memory from the kernel stack and memory allocated through
compat_alloc_user_space(). Under normal circumstances, this would not
work, because the 64-bit ioctl expects all pointers to point to user
space memory. As a workaround, set_fs(KERNEL_DS) is called to
temporarily disable this extra safety check and allow kernel pointers.
However, this might introduce a security vulnerability: The
result of the 32-bit to 64-bit conversion is writeable by user space
because the output buffer has been allocated via
compat_alloc_user_space(). A malicious user space process could then
manipulate pointers inside this output buffer, and due to the previous
set_fs(KERNEL_DS) call, functions like get_user() or put_user() no longer
prevent kernel memory access.
The new approach is to pre-calculate the total amount of user space
memory that is needed, allocate it using compat_alloc_user_space() and
then divide up the allocated memory to accommodate all data structures
that need to be converted.
An alternative approach would have been to retain the union type karg
that they allocated on the kernel stack in do_video_ioctl(), copy all
data from user space into karg and then back to user space. However,
we decided against this approach because it does not align with other
compat syscall implementations. Instead, we tried to replicate the
get_user/put_user pairs as found in other places in the kernel:
if (get_user(clipcount, &up->clipcount) ||
put_user(clipcount, &kp->clipcount)) return -EFAULT;
BUG: 34624167
Change-Id: Ica92695d8ddf60c0a067ea2f833f22a71710932e
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Reported-by: C0RE Team
CVE-2017-13166
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
There is no bound check in stream_cfg_cmd->num_streams and it's used in
several places as a maximum index into the stream_cfg_cmd->stream_handle
array which has a size of 15. Current code didn't check the maximum
index to make sure it didn't exceed the array size.
Bug: 62379525
Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0
Signed-off-by: Maggie White <maggiewhite@google.com>
CVE-2017-8251
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).
CRs-Fixed: 2031677
Bug: 36136563
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
CVE-2017-11000
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Userspace can call some ioctls with 0 value for bufq_handle which
currently can bypass checks in msm_isp_get_bufq and will result in
using uninitialized bufq structure, even though 0 is not a legitimate
value for bufq_handle. This change adds a check to prevent this
behaviour and to return error in case it happens.
Change-Id: I6422ec82671080cfa62fc43026b6cc33261cf11c
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This reports an error to the caller after adding the bound checks,
otherwise potentially undefined/unexpected behaviour may result.
Change-Id: Id2897aa5ce4587762b5eda89f7481788d689d0a8
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Regulator enable and disable of CSIPHY depends on the CSID module.
Make the enable and disable of clk regulator independent of CSIPHY.
Bug: 33299365
CRs-Fixed: 1107702
Change-Id: Iabb5eb28d63b34a4c3201c53be17054a1907f4fe
Signed-off-by: Ravi Kishore Tanuku <rktanuku@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit b1bb44c9cca61e48ec6158abad6e7969a8e58abf)
CVE-2017-8264
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In msm_ispif_is_intf_valid(), we convert an enum variable msm_ispif_vfe_intf
to uint8_t type for validating.
This could cause a potential issue if the value is crafted in such a way
that the lower 8 bits pass the validation.
Don't use uint8_t as input param to avoid such vulnerability.
CRs-Fixed: 2008469
Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
CVE-2017-8260
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Serialize core_info_read with lock so that multiple concurrent
threads do not cause the write to overflow. Also have the bound
check to avoid overflow in write_str function.
CRs-Fixed: 2013361
CAF-Change-Id: Ia18a4b94cafd69af1d367861f2499fc202f18e9f
Signed-off-by: Abdulla Anam <abdullahanam@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
CVE-2017-8244
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I8d21d662534f1679594042f3a5b6bcfb4884e11f
Verifying the i2c table index value before accessing
the i2c table to avoid memory corruption issues.
CRs-Fixed: 1065916
Change-Id: I165ba6cb6493d923439430d7b055675f95f20a8b
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
[haggertk]: Partial, most of original commit was already incorporated
by Samsung
CVE-2016-6755
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Use dynamic array allocation instead of static array to
prevent stack overflow.
User-supplied number of bytes may result in integer overflow.
To fix this we check that the num_byte isn't above 8K size.
CRs-Fixed: 1060554
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
[haggertk]: Partial, most of original commit was already incorporated
by Samsung
CVE-2016-6741
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Use copy_from_user kernel api to copy any data from user space
to kernel space.
Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82
CRs-Fixed: 540320
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
CVE-2014-9882
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Added bounds check to user input num_streams at several locations;
without the check, a position outside the array could be dereferenced.
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
CVE-2014-9867
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Fix to prevent a kernel heap buffer overflow that allows user
controlled data to be written to the heap via the
msm_camera actuator IOCTLs.
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
CVE-2014-9786
[haggertk]: Partial only, as half the original change was removed by
Samsung source commit.
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Remove some unused exposed ioctls. Also add
some bound checks for ioctl user params.
Change-Id: Ifdd441fdb25fd20b005c4e4e1ebe4e203f1216ac
CRs-Fixed: 511382
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
CVE-2014-9783
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Mutex usage is added into the ispif ioctl path to ensure
these paths are thread safe.
CRs-Fixed: 1074310
Change-Id: Id718f83484bc4acf98ade0205328aad6ee306270
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Add a check to validate the user input data is not
greater than expected stack buffer size to avoid out
of bounds array accesses
CRs-Fixed: 1056307
Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
When a CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible.
CRs-Fixed: 1042068
Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Use dynamic array allocation instead of static array to
prevent stack overflow.
User-supplied number of bytes may result in integer overflow.
To fix this we check that the num_byte isn't above 8K size.
CRs-Fixed: 1060554
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Hide kernel pointers from unprivileged users by using the %pK format
specifier instead of %p. This respects the kptr_restrict sysctl
setting which is by default on. So by default %pK will print zeroes
as address. echo 1 to kptr_restrict to print proper kernel addresses.
CRs-Fixed: 987018
Change-Id: I4772257a557c6730ecc0624cbc8e5614e893e9fd
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
step_boundary can take values up to the total_steps.
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.
CRs-Fixed: 898074
Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56
Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
Signed-off-by: Vijaya Kumar T M <vtmuni@codeaurora.org>
Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset.
IOCTL VIDIOC_MSM_VFE_REG_CFG uses the user-supplied value without
performing bounds check for the following cmd_type values.
VFE_READ_DMI_16BIT
VFE_READ_DMI_32BIT
VFE_READ_DMI_64BIT
Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Right now dynamic buffers are managed with both sync_lock and
registeredbufs.lock. sync_lock is meant only for state
transition. Hence remove sync_lock and achieve the same purpose
with registeredbufs.lock.
Change-Id: I3b0eb62019e7e992f63c159bf65d8c21cf2f52c8
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>