step_boundary can take values up to the total_steps
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
There are a few cases where the count argument passed by the user
space is not validated, which can potentially lead to out of bounds
or overflow issues. In some cases, kernel might copy more data than
what is requested. Add necessary checks to avoid such cases.
Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed
Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org>
(cherry picked from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)
This fixes CVE-2016-0728.
If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.
This can be tested with the following program:
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
	int i = 0;
	key_serial_t serial;

	/* Create a new session keyring and join it. */
	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
			"leaked-keyring");
	if (serial < 0) {
		perror("keyctl");
		return -1;
	}

	if (keyctl(KEYCTL_SETPERM, serial,
		   KEY_POS_ALL | KEY_USR_ALL) < 0) {
		perror("keyctl");
		return -1;
	}

	/* Re-join the keyring that is already our session keyring; on an
	 * affected kernel every iteration leaks one reference to it. */
	for (i = 0; i < 100; i++) {
		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}
	}

	return 0;
}
If, after the program has run, there is something like the following line in
/proc/keys:
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning. If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: Ic3db0461d08011e432bf3a6a784dd62b764558e3
Git-commit: ba8bb5774ca7b1acc314c98638cf678ce0beb19a
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
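Added example, not part of the commit above and not code from the kernel or from the reporter: a small C checker for the /proc/keys inspection the message describes. It parses rows in the column order the kernel prints them (serial, flags, usage, timeout, perm, uid, gid, type, description) and applies the message's own criterion, a keyring named leaked-keyring whose usage count has reached 100 times the number of runs. The struct and function names and the sample rows are this example's own; the second sample row is the one quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* One row of /proc/keys, in the column order the kernel prints it. */
struct proc_key {
    unsigned int serial;    /* key serial number (hex) */
    char flags[8];          /* seven one-character state flags, e.g. "I--Q---" */
    unsigned int usage;     /* reference count: the number the message asks you to read */
    char timeout[16];       /* "perm" or the remaining lifetime */
    unsigned int perm;      /* permissions mask (hex) */
    unsigned int uid, gid;  /* owner */
    char type[16];          /* "keyring", "user", ... */
    char desc[128];         /* description plus the type-specific summary */
};

/* Parse one row. Returns 0 on success, -1 if the row does not have nine columns. */
static int parse_proc_keys_line(const char *line, struct proc_key *k)
{
    int n = sscanf(line, "%x %7s %u %15s %x %u %u %15s %127[^\n]",
                   &k->serial, k->flags, &k->usage, k->timeout, &k->perm,
                   &k->uid, &k->gid, k->type, k->desc);
    return n == 9 ? 0 : -1;
}

/* Usage count of a row, or -1 if it does not parse. */
static long proc_key_usage(const char *line)
{
    struct proc_key k;
    return parse_proc_keys_line(line, &k) == 0 ? (long)k.usage : -1;
}

/* The message's criterion: a keyring named leaked-keyring whose usage count
 * has reached 100 * (number of runs of the reproducer). */
static int is_leaked_keyring(const struct proc_key *k, unsigned int runs)
{
    return strcmp(k->type, "keyring") == 0 &&
           strncmp(k->desc, "leaked-keyring", strlen("leaked-keyring")) == 0 &&
           k->usage >= 100u * runs;
}

/* Walk the whole text of /proc/keys one row at a time and count matches. */
static int count_leaked_keyrings(const char *text, unsigned int runs)
{
    int hits = 0;

    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        struct proc_key k;

        if (len >= sizeof(line))
            len = sizeof(line) - 1;     /* over-long rows are truncated, never overrun */
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_proc_keys_line(line, &k) == 0 && is_leaked_keyring(&k, runs))
            hits++;
        if (!nl)
            break;
        text = nl + 1;
    }
    return hits;
}

/* Constructed sample: an ordinary session keyring plus the row quoted in the
 * message (what a leaking kernel shows after a single run). */
static const char SAMPLE_PROC_KEYS[] =
    "2f3a1b4c I--Q---     1 perm 3f030000     0     0 keyring   _ses: 1\n"
    "3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty\n";

int main(void)
{
    char text[8192];
    FILE *f = fopen("/proc/keys", "r");

    if (f) {
        size_t n = fread(text, 1, sizeof(text) - 1, f);
        text[n] = '\0';
        fclose(f);
    } else {
        strcpy(text, SAMPLE_PROC_KEYS);   /* offline: fall back to the constructed rows */
    }
    printf("leaked-keyring rows at or above 100 uses: %d\n",
           count_leaked_keyrings(text, 1));
    return 0;
}
```

On a fixed kernel the checker reports 0: the keyring either has a low usage count or has already been garbage collected, exactly as the message says.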
Add check to avoid out of bound access.
Check the return value of the get_user API.
CRs-Fixed: 997025
Change-Id: Ibbace116ac206007fa1928555838285304737737
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
Remove the buspm module from msm_bus since it adds
no functionality to the bus bandwidth aggregation
driver. It is a loadable module used for profiling
purposes.
Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
If a user tries to send more SMD data than the driver
buffer can handle, fail the request and print an
error message. This smd_write is exposed to userspace
through an ioctl using a misc device.
Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
Check for the exact number of planes that we advertised to the client
rather than the worst-case checks.
Change-Id: Ibaf705367db98beb0e01bb2c3087126cf2ba73e8
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
For user memory of type KGSL_USER_MEM_TYPE_ADDR mapped to GPU driver
verify permissions and map GPU permissions same as CPU permissions.
If elevated permissions are requested return an error to prevent
privilege escalation. Without this check user could map readonly
memory into GPU driver as readwrite and gain elevated privilege.
Write permissions check is currently inverted causing readonly
user pages to be mapped as readwrite in GPU driver. Fix this
check to map readonly pages as readonly.
CRs-Fixed: 988993
Change-Id: I0e097d7e4e4c414c0849e33bcc61a26fb94291ad
Signed-off-by: Tarun Karra <tkarra@codeaurora.org>
User input data is passed in from userspace through debugfs interface
of supply lm core to validate supply lm core functionality. Ensure
user buffer size is not greater than expected stack buffer size
to avoid out of bounds array accesses.
Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
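Several of the messages above (the unvalidated count argument, the out-of-bounds access fixed alongside the get_user check, the oversized smd_write, and the supply lm debugfs buffer) describe the same two handler defects: a read that copies more than the caller asked for or more than exists, and a write that copies a user-chosen count into a fixed stack buffer. The following is an added example, not code from any of those commits or from the kernel: a userspace model of the bounded read and write patterns, with memcpy standing in for copy_to_user()/copy_from_user() so it builds and runs anywhere. Function names, the sample driver data and the buffer sizes are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* read() handler pattern with a bounded copy. kbuf/kbuf_len is the driver's
 * data; ubuf, count and ppos are what the caller supplied. */
static long bounded_read(char *ubuf, size_t count, long long *ppos,
                         const void *kbuf, size_t kbuf_len)
{
    size_t pos, avail;

    if (*ppos < 0)
        return -EINVAL;
    pos = (size_t)*ppos;
    if (pos >= kbuf_len)
        return 0;                     /* at or past the end: report EOF */
    avail = kbuf_len - pos;
    if (count > avail)
        count = avail;                /* the shorter of "what exists" and "what was asked" */
    memcpy(ubuf, (const char *)kbuf + pos, count);   /* stands in for copy_to_user() */
    *ppos += (long long)count;
    return (long)count;
}

/* write() handler pattern for a fixed-size stack buffer: refuse anything
 * that would not fit, keeping one byte for the terminating NUL. */
static long bounded_write(char *kbuf, size_t kbuf_size, const char *ubuf,
                          size_t count)
{
    if (count >= kbuf_size)
        return -EINVAL;               /* fail the request instead of overrunning kbuf */
    memcpy(kbuf, ubuf, count);        /* stands in for copy_from_user() */
    kbuf[count] = '\0';
    return (long)count;
}

int main(void)
{
    static const char status[] = "state=ready\n";   /* constructed driver data */
    char user_buf[4];                               /* deliberately small user buffer */
    char cmd[8];                                    /* fixed "stack" buffer of the write path */
    long long pos = 0;
    long n;

    /* The caller asked for 4 bytes: only 4 are copied, however long status is. */
    n = bounded_read(user_buf, sizeof(user_buf), &pos, status, sizeof(status) - 1);
    printf("read returned %ld, pos now %lld\n", n, pos);

    /* A 12-byte command does not fit an 8-byte buffer: refused, buffer untouched. */
    n = bounded_write(cmd, sizeof(cmd), "reset_device", 12);
    printf("write returned %ld (-EINVAL is %d)\n", n, -EINVAL);
    return 0;
}
```

The read side is the same arithmetic the kernel's simple_read_from_buffer() performs; the write side is the check the supply lm and smd_write messages add. In a real handler the memcpy calls become copy_to_user()/copy_from_user() and their return values must also be checked, which is the point of the get_user note above.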
This patch enables hardware device features such as
NETIF_F_SG NETIF_F_GSO NETIF_F_GSO_UDP_TUNNEL
NETIF_F_GSO_UDP_TUNNEL_CSUM. This patch also ensures
to skip padding (to align length to word boundaries)
for outgoing non-linear skbs.
This patch also adds a new ioctl interface
RMNET_IOCTL_GET_SG_SUPPORT to query the physical
network devices for Scatter Gather support.
Change-Id: I9788d75c249ab2dac5b598dad131c0692ed84e4d
Acked-by: Abhishek Chauhan <abchauha@qti.qualcomm.com>
Signed-off-by: Ravinder Konka <rkonka@codeaurora.org>
(cherry picked from commit f3bef67992e8698897b584616535803887c4a73e)
commit fa1aa143ac4a ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure. Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy. Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.
Change-Id: I24f39e3907d0b00a4194e15a4472e8d859508fa9
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>
Git-commit: bd8d3dd3ae35f283f3b76e47b9762225c9f7d46c
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
NOT intended for new Android devices - this commit is unnecessary
for a target device that does not have a previous M variant.
DO NOT upstream. Android only.
Motivation:
This commit mitigates a mismatch between selinux kernel and
selinux userspace. The selinux ioctl white-listing binary policy
format that was accepted into Android M differs slightly from what
was later accepted into the upstream kernel. This leaves Android
master branch kernels incompatible with Android M releases. This
patch restores backwards compatibility. This is important because:
1. kernels may be updated on a different cycle than the rest of the
OS e.g. security patching.
2. Android M bringup may still be ongoing for some devices. The
same kernel should work for both M and master.
Backwards compatibility is achieved by checking for an Android M
policy characteristic during initial policy read and converting to
upstream policy format. The inverse conversion is done for policy
write as required for CTS testing.
Bug: 22846070
Change-Id: I2f1ee2eee402f37cf3c9df9f9e03c1b9ddec1929
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Git-commit: ef632d47376aa04e9adb96193d9faa6628a03e72
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
(cherry picked from commit fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a)
Add extended permissions logic to selinux. Extended permissions
provide additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:
allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.
When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.
The extended permissions logic is deliberately generic to allow
components to be reused, e.g. netlink filters.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I7c6bdc0362657b47aa1388936c5a1300bc5c0b42
Git-commit: 05b7da58527ef14001fe2b6e8de6b01d895d4429
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
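Added example, not kernel code and not part of the commit above: a stand-alone C model of the per-command ioctl decision the message describes. Each allowxperm command set is a 256-bit bitmap (the "256 bit increments") keyed by the driver byte of the ioctl number; the decision first requires the plain ioctl permission, then, when a triple has command sets at all, admits only the listed commands, which is the documented allowxperm semantics (commands omitted: the permission alone decides). The struct and function names are this example's own, and the policy in demo_allowed() is constructed: two commands in the 0x89xx socket-ioctl range stand in for a macro like unpriv_app_socket_cmds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A 256-bit set of allowed low bytes for one driver byte. */
struct xperm_set {
    uint8_t driver;      /* bits 8..15 of the ioctl command this set governs */
    uint32_t bits[8];    /* 8 * 32 = 256 bits, one per possible low byte */
};

static void xperm_set_add(struct xperm_set *s, uint8_t xperm)
{
    s->bits[xperm >> 5] |= 1u << (xperm & 0x1f);
}

static int xperm_set_test(const struct xperm_set *s, uint8_t xperm)
{
    return (s->bits[xperm >> 5] >> (xperm & 0x1f)) & 1u;
}

/* Everything policy says about ioctl for one source/target/class triple. */
struct ioctl_rule {
    int ioctl_perm;                 /* plain "allow ... ioctl" granted? */
    const struct xperm_set *sets;   /* allowxperm command sets, one per driver byte */
    size_t nsets;                   /* 0: commands omitted, the permission alone decides */
};

/* Decision for one command. Only the low 16 bits of the ioctl number take
 * part: the upper of those two bytes selects a command set, the lower selects
 * a bit in it. Once a triple lists commands, a driver byte with no set is
 * denied, since allowxperm restricts ioctl to the commands listed. */
static int ioctl_cmd_allowed(const struct ioctl_rule *r, unsigned int cmd)
{
    uint8_t driver = (cmd >> 8) & 0xff;
    uint8_t xperm = cmd & 0xff;
    size_t i;

    if (!r->ioctl_perm)
        return 0;                   /* no ioctl permission at all */
    if (r->nsets == 0)
        return 1;                   /* no command filter: permission alone decides */
    for (i = 0; i < r->nsets; i++)
        if (r->sets[i].driver == driver)
            return xperm_set_test(&r->sets[i], xperm);
    return 0;                       /* commands listed, none for this driver byte */
}

/* Constructed policy: the ioctl permission plus one allowxperm set that lets
 * through exactly two commands from the 0x89xx range (0x8912 and 0x8913). */
static int demo_allowed(unsigned int cmd)
{
    struct xperm_set socket_cmds = { 0x89, { 0 } };
    struct ioctl_rule rule = { 1, &socket_cmds, 1 };

    xperm_set_add(&socket_cmds, 0x12);
    xperm_set_add(&socket_cmds, 0x13);
    return ioctl_cmd_allowed(&rule, cmd);
}

int main(void)
{
    unsigned int cmds[] = { 0x8912, 0x8914, 0x5401, 0x40048912 };
    size_t i;

    for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++)
        printf("ioctl 0x%08x: %s\n", cmds[i],
               demo_allowed(cmds[i]) ? "allowed" : "denied");
    return 0;
}
```

The last sample command shows why the filter keys on the low 16 bits only: the direction and size fields in the upper bits of an _IOC-encoded number do not change which driver command is being invoked.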
(cherry picked from commit 83d4a806ae46397f606de7376b831524bd3a21e5)
Commit f01e1af445 ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I8fcba45a5acc4de862bd5b3f07bf4980f67133c4
Git-commit: b1b3844449d596e5f25f591d89611c7e57d32610
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
This reverts commit ba733f9857b966459316d0cd33b8da2e22f62d7d.
Change-Id: Ie4d3e904160195dafd93a59a25d56b1449e8fc86
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
This reverts commit e623b152f30f6f1204919315df37244d69e5d55e.
Change-Id: I8e8903786da86cbe4206c18f817fbb54db229472
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.
Commit 95dbf73931 ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.
(cherry picked from commit b21800f304392ee5d20f411c37470183cc779f11)
Bug: 22567870
Change-Id: I2525a0e244c8d635b2d0c1f966071edbb365a43a
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Git-commit: e9e500827b871459306974c32a0b6398375ce7d5
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
A malicious app can open a perf event with constraint_duplicate
bit set, disable the event, and close the fd. On closing the fd,
the perf_release() modification causes the kernel to clean up
the event as if it still were enabled, leading to the event
being removed from a list twice.
CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Offlock is only used to synchronize esd status check and
ctl stop (intfs and cmd stop), and hence not required
during fps update.
Change-Id: I8354baa422290280acd8d3c75a5387df97700e20
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
Ovlock should be acquired before acquiring offlock
and mutex in ESD thread such that ESD thread and
off sequence are synchronized.
Change-Id: I62bbc897946592ce900c01fe4e0d389990be1ff7
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
The frequency precision for a few clocks (usb/jpeg) needs to be updated
to match the fmax corner voting, which otherwise could lead to higher CX
voting.
Change-Id: I10dccbb733941d6f5bf89d5eb055ea0cba110fae
Signed-off-by: Taniya Das <tdas@codeaurora.org>
The cluster id flag is passed in from the userspace through ioctl
interface. Ensure correctness of cluster id to avoid out of bounds array
accesses.
CRs-Fixed: 977508
Change-Id: I778b962d347b90488b983a15087b13e90ad06688
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Use the proper size for the DMA memory free call API while saving the lmh sensors
list in the lmh hardware driver; otherwise it leads to a memory leak or an
unexpected crash if the scm_call error path is executed.
CRs-Fixed: 982320
Change-Id: I31ac79585c8899b44ece745676d9af79fe8bca78
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
Current wakelock ref_count is shared with all
the clients. There is a possibility that each
client could increase wakelock ref_count by
accident. Change the wakelock ref_count to bitmap
so each client can only update its own bit once.
Change-Id: I87f47cf54dc34a76dc2c4a537108f9be7b6bdba8
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
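Added example, not code from the commit above or from the driver: a stand-alone C model of the per-client bitmap the message replaces the shared ref_count with. Each client owns one bit, so a client calling acquire twice (or release twice) cannot inflate or deflate the vote of anyone else, and the underlying wakelock toggles only when the whole bitmap becomes non-zero or zero. The names, the 32-client limit and the hw_on/hw_off counters are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

#define WL_MAX_CLIENTS 32          /* one bit per client in a 32-bit word */

struct wakelock {
    uint32_t holders;              /* bit n set <=> client n currently votes for the lock */
    unsigned int hw_on;            /* times the underlying wakelock was actually taken */
    unsigned int hw_off;           /* times it was actually released */
};

/* Number of distinct clients voting: the bit count, which cannot exceed
 * WL_MAX_CLIENTS no matter how often any one client called acquire. */
static unsigned int wakelock_votes(const struct wakelock *w)
{
    uint32_t v = w->holders;
    unsigned int n = 0;

    while (v) {
        v &= v - 1;                /* clear the lowest set bit */
        n++;
    }
    return n;
}

/* Returns 1 if a new vote was registered, 0 if this client already voted
 * (a repeat call is a no-op, the fix the message describes), -1 on a bad id. */
static int wakelock_acquire(struct wakelock *w, unsigned int client)
{
    uint32_t bit;

    if (client >= WL_MAX_CLIENTS)
        return -1;
    bit = 1u << client;
    if (w->holders & bit)
        return 0;
    if (!w->holders)
        w->hw_on++;                /* first vote: take the real wakelock */
    w->holders |= bit;
    return 1;
}

/* Returns 1 if this client's vote was withdrawn, 0 if it held none
 * (so a double release cannot drop another client's vote), -1 on a bad id. */
static int wakelock_release(struct wakelock *w, unsigned int client)
{
    uint32_t bit;

    if (client >= WL_MAX_CLIENTS)
        return -1;
    bit = 1u << client;
    if (!(w->holders & bit))
        return 0;
    w->holders &= ~bit;
    if (!w->holders)
        w->hw_off++;               /* last vote gone: release the real wakelock */
    return 1;
}

int main(void)
{
    struct wakelock w = { 0, 0, 0 };

    wakelock_acquire(&w, 3);
    wakelock_acquire(&w, 3);       /* accidental repeat from the same client */
    wakelock_acquire(&w, 5);
    printf("votes=%u hw_on=%u\n", wakelock_votes(&w), w.hw_on);
    wakelock_release(&w, 3);
    wakelock_release(&w, 3);       /* accidental repeat release */
    printf("votes=%u hw_off=%u (client 5 still holds)\n", wakelock_votes(&w), w.hw_off);
    return 0;
}
```

With a shared counter the two repeat calls in main would have left the count at 1 with nobody holding, or dropped to 0 while client 5 still needed the lock; with the bitmap both sequences leave exactly client 5's vote standing.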
This patch checks for a NULL pointer dereference before destroying the
diag mempools.
CRs-Fixed: 980428
Change-Id: I0e8fc8aa82ad26263bd9d47cbdd22de212efe489
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Check whether the power supply variable is NULL in the flash LED
driver while enabling the flash LED.
This change is added to avoid a crash in the flash LED driver.
CRs-Fixed: 944997
Change-Id: Ide1a9151d2a7c9a6686268a53ec9e38a4b087808
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Interchange decoder max load frequency with encoder max load
frequency on msm8956/76 to have max frequency at the beginning
of the clock frequency table to select max venus clock rate
when session load is beyond the max load value.
Change-Id: I6c0cc941b49b5b3b364ff2255b0ddeac96501911
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.
CRs-Fixed: 898074
Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56
Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
For targets not using boost, where the boost pin is kept
floating, there is a high chance that VDD_A53 will be
grounded and the MSM will not be responsive.
After discussing with the PMIC systems team, the SBL team came up
with a workaround: configure the boost register to some
predefined values so that the issue is not reproduced.
As part of the codec init sequence, the codec driver will
reset the analog part of the codec, and as part of this sequence
the configuration done by the SBL will be defaulted.
This change restores the 0x1C6 register if it has been configured
by SBL.
Change-Id: I1a58b665b01e70bbb21b06665a8fb422d77a5ee7
Signed-off-by: Santosh Mardi <gsantosh@codeaurora.org>