android_kernel_samsung_msm8976/net
Mathieu Desnoyers 1a4fb51a8b kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user()
I found the following pattern that leads to interesting findings:

  grep -r "ret.*|=.*__put_user" *
  grep -r "ret.*|=.*__get_user" *
  grep -r "ret.*|=.*__copy" *

The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat,
since those appear in compat code, we could probably expect the kernel
addresses not to be reachable in the lower 32-bit range, so I think they
might not be exploitable.

For the "__get_user" cases, I don't think those are exploitable: the worst
that can happen is that the kernel will copy kernel memory into in-kernel
buffers, and will fail immediately afterward.

The alpha csum_partial_copy_from_user() seems to be missing the
access_ok() check entirely.  The fix is inspired by x86.  This could
lead to information leak on alpha.  I also noticed that many architectures
map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I
wonder if the latter is performing the access checks on every
architecture.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-27 22:10:26 +02:00
9p
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer 2019-07-27 22:08:55 +02:00
bridge bridge: netfilter: orphan skb before invoking ip netfilter hooks 2019-07-27 22:07:48 +02:00
caif
can
ceph
core treewide: Fix typo in Documentation/DocBook 2019-07-27 22:10:20 +02:00
dcb
dccp net/dccp: fix use after free in tw_timer_handler() 2019-07-27 22:08:37 +02:00
decnet
dns_resolver dns_resolver: Do not accept domain names longer than 255 chars 2019-07-27 22:07:53 +02:00
dsa
ethernet
ieee802154
ipc_router net: ipc_router: Initialize the sockaddr in recvmsg() handler 2019-07-27 22:08:44 +02:00
ipv4 netlabel: fix out-of-bounds memory accesses 2019-07-27 22:10:24 +02:00
ipv6 inet: update the IP ID generation algorithm to higher standards. 2019-07-27 22:10:09 +02:00
ipx
irda
iucv
key net: af_key: fix sleeping under rcu 2019-07-27 22:08:21 +02:00
l2tp l2tp: fix reading optional fields of L2TPv3 2019-07-27 22:05:58 +02:00
lapb
llc llc: do not use sk_eat_skb() 2019-07-27 22:08:34 +02:00
mac80211
mac802154
netfilter netfilter: xt_IDLETIMER: add sysfs filename checking routine 2019-07-27 22:08:35 +02:00
netlabel
netlink net: Fix permission check in netlink_connect() 2019-07-27 22:08:32 +02:00
netrom
nfc NFC: llcp: Limit size of SDP URI 2019-07-27 21:51:24 +02:00
openvswitch
packet packets: Always register packet sk in the same order 2019-07-27 22:09:00 +02:00
phonet
rds
rfkill
rmnet_data net: rmnet_data: Change the log level for unknown IOCTL's 2019-07-27 21:51:01 +02:00
rose
rxrpc
sched net: Prevent invalid access to skb->prev in __qdisc_drop_all 2019-07-27 21:53:24 +02:00
sctp
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2019-07-27 21:46:18 +02:00
tipc
unix
vmw_vsock
wimax
wireless cfg80211: size various nl80211 messages correctly 2019-07-27 22:08:58 +02:00
x25
xfrm xfrm: Fix bucket count reported to userspace 2019-07-27 22:08:35 +02:00
activity_stats.c
compat.c net: support compat 64-bit time in {s,g}etsockopt 2019-07-27 21:49:09 +02:00
Kconfig
Makefile
nonet.c
socket.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2019-07-27 22:10:26 +02:00
sysctl_net.c