SPS debugfs APIs can be called concurrently which can result
in dangling pointer access. This change synchronizes access
to the SPS debugfs buffer.
Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
(cherry picked from commit de875dd095d3ec0906c77518d28f793e6c69a9da)

Add changes to drop assoc request and return error if RSNIE or
WPAIE parsing fails during parsing of assoc request.
CRs-Fixed: 2046578
Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
(cherry picked from commit aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3)

WEXT API was already obsoleted and should be removed.
Bug: 34199963
Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 32124445
(cherry picked from commit 9c5e11d70f209553d023ea2b79efe7b2bf85fd5e)

Reference: https://github.com/parrotgeek1/ParrotModFloApp/blob/master/001-fix-touchscreen-calibration.patch
Suggested-by: parrotgeek1 <parrotgeek1@gmail.com>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The cache maintenance routines in ashmem were causing
several security issues. Since they are not being used
anymore by any drivers, its well to remove them entirely.
Bug: 34126808
Bug: 34173755
Bug: 34203176
CRs-Fixed: 1107034, 2001129, 2007786
Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit e7f623aa1b8ba3b843c70eeae99aae95bddfe03d)
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use proper synchronization to ensure driver file is opened
only once.
CRs-Fixed: 2023513
Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
(cherry picked from commit 84f8c42e5d848b1d04f49d253f98296e8c2280b9)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This was found during userspace fuzzing test when a large size
allocation is made from ion
[<ffffffc00008a098>] show_stack+0x10/0x1c
[<ffffffc00119c390>] dump_stack+0x74/0xc8
[<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
[<ffffffc00020dbd4>] kasan_report+0x34/0x40
[<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
[<ffffffc00020d228>] memset+0x20/0x44
[<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
[<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
[<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
[<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
[<ffffffc000c250dc>] ion_alloc+0x264/0xb88
[<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
[<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
[<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
(cherry picked from commit 1f8f9b566e8446c13b954220c226c58d22076f88)
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there. If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Change-Id: I9d8176f3db43bf94e2c48dfd2f4094dfc7c72e90
(cherry picked from commit 451a2886b6bf90e2fb378f7c46c655450fb96e81)
(with trivial backport from http://seclists.org/oss-sec/2015/q3/271)
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Moved some value checks to right positions to prevent
buffer flow, which may be possible before. Previously
these value checks are in an else statement which may
not be executed.
Change-Id: I02dbecd074183581a6bdae6377097bc004bd3d3c
CRs-fixed: 1102936
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make sure to check for the required interrupt-in endpoint to avoid
dereferencing a NULL-pointer should a malicious device lack such an
endpoint.
Note that a fairly recent change purported to fix this issue, but added
an insufficient test on the number of endpoints only, a test which can
now be removed.
Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Change-Id: If94c965de37c95d8dd4f111d6ab03c72822fd328
Cc: stable <stable@vger.kernel.org> # 2.6.21
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The iowarrior driver expects at least one valid endpoint. If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function. Ensure there is at least
one endpoint on the interface before using it.
The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87
Change-Id: I78dfd62f4d0a77d8145dfba5c479e6ac766374cc
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.
Also let's fix a minor coding style issue.
The full correct report of this issue can be found in the public
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
Change-Id: Ie90df605d0412aa31fa57047edc0dd59bc3f136b
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The powermate driver expects at least one valid USB endpoint in its
probe function. If given malicious descriptors that specify 0 for
the number of endpoints, it will crash. Validate the number of
endpoints on the interface before using them.
The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85
Change-Id: I8c78d5e01fca172d438c3d782c75b865a116d516
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.
The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
Change-Id: Ibf24e78c84f06ab92198ebff76df8655363a45b2
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
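The iowarrior, gtco, powermate and ati_remote2 messages above all fix the same probe-time mistake: trusting the endpoint and interface counts a device presents before indexing into the descriptor arrays. The following is an added example, not code from any of those commits or from the kernel. It is a userspace model of the checks they describe: the struct layouts, the `find_int_in_endpoint` and `device_layout_ok` names and the sample descriptors are simplified stand-ins constructed for the example; the USB bit values are the ones defined by the USB specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bits of the real USB descriptor fields these checks look at. */
#define USB_DIR_IN                 0x80 /* bEndpointAddress bit 7: device-to-host */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03 /* bmAttributes low bits: transfer type */
#define USB_ENDPOINT_XFER_INT      0x03

/* Simplified stand-ins (assumption) for the kernel's usb_endpoint_descriptor
 * and usb_host_interface, keeping only the fields the checks need. */
struct ep_desc {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};

struct iface_desc {
    uint8_t bNumEndpoints;
    const struct ep_desc *endpoint; /* bNumEndpoints entries, or NULL */
};

static bool ep_is_int_in(const struct ep_desc *ep)
{
    return (ep->bEndpointAddress & USB_DIR_IN) &&
           (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* iowarrior/powermate/gtco-style check: refuse the interface unless it has
 * at least one endpoint, and find the interrupt-IN endpoint by type instead
 * of assuming endpoint[0] is it. Returns the endpoint index, or -1 (a real
 * probe would fail with -ENODEV). */
int find_int_in_endpoint(const struct iface_desc *iface)
{
    if (iface->bNumEndpoints == 0 || iface->endpoint == NULL)
        return -1;
    for (unsigned i = 0; i < iface->bNumEndpoints; i++)
        if (ep_is_int_in(&iface->endpoint[i]))
            return (int)i;
    return -1;
}

/* ati_remote2-style check: at least two interfaces, each with at least one
 * endpoint, before probe touches interface[0] and interface[1]. */
bool device_layout_ok(const struct iface_desc *ifaces, unsigned num_ifaces)
{
    if (num_ifaces < 2)
        return false;
    for (unsigned i = 0; i < 2; i++)
        if (ifaces[i].bNumEndpoints == 0 || ifaces[i].endpoint == NULL)
            return false;
    return true;
}

/* Constructed sample descriptors (not captured from a real device). */
static const struct ep_desc sample_eps[] = {
    { 0x01, 0x02 }, /* EP1 OUT, bulk */
    { 0x81, 0x03 }, /* EP1 IN, interrupt */
};
const struct iface_desc good_iface      = { 2, sample_eps };
const struct iface_desc bulk_only_iface = { 1, sample_eps }; /* only the OUT bulk endpoint */
const struct iface_desc empty_iface     = { 0, NULL };       /* the crashing case: 0 endpoints */
const struct iface_desc two_good[]      = { { 2, sample_eps }, { 2, sample_eps } };
const struct iface_desc bad_second[]    = { { 2, sample_eps }, { 0, NULL } };

int main(void)
{
    printf("good_iface int-in index: %d\n", find_int_in_endpoint(&good_iface));   /* 1 */
    printf("empty_iface int-in index: %d\n", find_int_in_endpoint(&empty_iface)); /* -1 */
    printf("two_good ok: %d, bad_second ok: %d\n",
           device_layout_ok(two_good, 2), device_layout_ok(bad_second, 2));      /* 1, 0 */
    return 0;
}
```

The type check in `find_int_in_endpoint` is the point the iowarrior message makes: a count-only test stops the NULL dereference but still lets a device that advertises the wrong kind of endpoint reach the driver's I/O path, so the stronger test replaces it rather than sitting beside it.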
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
disallowed. However, on x86, the first 1MB was always allowed for BIOS
and similar things, regardless of it actually being System RAM. It was
possible for heap to end up getting allocated in low 1MB RAM, and then
read by things like x86info or dd, which would trip hardened usercopy:
usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
This changes the x86 exception for the low 1MB by reading back zeros for
System RAM areas instead of blindly allowing them. More work is needed to
extend this to mmap, but currently mmap doesn't go through usercopy, so
hardened usercopy won't Oops the kernel.
Change-Id: I27594af6146e7643217e3babcfd088592b7dbd4b
Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This separates the kref for ion handles into two components.
Userspace requests through the ioctl will hold at most one
reference to the internally used kref. All additional requests
will increment a separate counter, and the original reference is
only put once that counter hits 0. This protects the kernel from
a poorly behaving userspace.
Bug: 34276203
Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Git-repo: https://android.googlesource.com/kernel/msm/
Git-commit: 20abfcc16884a5af973a5e91dd013ddd789c44f4
[d-cagle@codeaurora.org: Resolve style issues]
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Arun KS <arunks@codeaurora.org>
[arunks@codeaurora.org: ported to 3.4]
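The two-level reference scheme the message describes, as an added example that is not the ion driver's code: a userspace model in which `kref` stands in for the kernel's internal struct kref and `user_ref_count` is the separate counter ioctl requests bump. The struct, the function names and the naive "before" variant are assumptions constructed to show why collapsing userspace references into a single internal reference protects the object from a process that issues more puts than gets.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption) of the handle: 'kref' stands in for the
 * kernel's struct kref, 'user_ref_count' is the separate counter the fix
 * introduces for references handed out through the ioctl. */
struct handle_model {
    unsigned int kref;
    unsigned int user_ref_count;
    bool freed;
};

static void model_kref_get(struct handle_model *h) { h->kref++; }
static void model_kref_put(struct handle_model *h)
{
    if (h->kref != 0 && --h->kref == 0)
        h->freed = true; /* object destroyed; any later use is a use-after-free */
}

/* Before the fix (naive model): every userspace get/put maps straight onto
 * the internal kref, so extra puts from a misbehaving process free the object
 * while the kernel's own reference still expects it to exist. */
static void naive_user_get(struct handle_model *h) { model_kref_get(h); }
static void naive_user_put(struct handle_model *h) { model_kref_put(h); }

/* After the fix: userspace references are counted separately and collapse
 * into at most one internal reference, taken on the first user get and
 * dropped only when the user count returns to zero. A put with no
 * outstanding user reference is rejected instead of touching the kref. */
void user_handle_get(struct handle_model *h)
{
    if (h->user_ref_count++ == 0)
        model_kref_get(h);
}

bool user_handle_put(struct handle_model *h)
{
    if (h->user_ref_count == 0)
        return false;
    if (--h->user_ref_count == 0)
        model_kref_put(h);
    return true;
}

/* Scenario: the client's handle tree holds one internal reference; userspace
 * then issues 'gets' gets and 'puts' puts. Returns true if the object is
 * still alive afterwards; *rejected receives how many puts were refused. */
bool simulate_fixed(unsigned gets, unsigned puts, unsigned *rejected)
{
    struct handle_model h = { 1, 0, false };
    unsigned r = 0;
    for (unsigned i = 0; i < gets; i++) user_handle_get(&h);
    for (unsigned i = 0; i < puts; i++)
        if (!user_handle_put(&h)) r++;
    if (rejected) *rejected = r;
    return !h.freed;
}

bool simulate_naive(unsigned gets, unsigned puts)
{
    struct handle_model h = { 1, 0, false };
    for (unsigned i = 0; i < gets; i++) naive_user_get(&h);
    for (unsigned i = 0; i < puts; i++) naive_user_put(&h);
    return !h.freed;
}

int main(void)
{
    unsigned rejected = 0;
    bool alive = simulate_fixed(3, 5, &rejected);
    printf("fixed: alive=%d rejected puts=%u\n", alive, rejected); /* alive=1, rejected=2 */
    printf("naive: alive=%d\n", simulate_naive(3, 5));             /* alive=0 */
    return 0;
}
```

The kernel-side reference (the handle tree's) is never reachable from the user counter, which is what "the original reference is only put once that counter hits 0" buys: the worst a misbehaving process can do is have its own surplus puts refused.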
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.
The commit be10eb7589337e5defbe214dae038a53dd21add8
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().
Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.
Change-Id: Ib34e9a2562765197e717492a1227aff565436e91
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The class of 4 n_hdls buf locks is the same because a single function
n_hdlc_buf_list_init is used to init all the locks. But since
flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
emits a warning:
=============================================
[ INFO: possible recursive locking detected ]
4.3.0-25.g91e30a7-default #1 Not tainted
---------------------------------------------
a.out/1248 is trying to acquire lock:
(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
but task is already holding lock:
(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&(&list->spinlock)->rlock);
lock(&(&list->spinlock)->rlock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by a.out/1248:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
#1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
...
Call Trace:
...
[<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
[<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
[<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
[<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
...
Fix it by initializing the spin_locks separately. This removes also
reduntand memset of a freshly kzallocated space.
Change-Id: I32bc83c9e19953672857fe8182107772411d471a
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
CRs-Fixed: 1090007
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Add mutex around qseecom_set_client_mem_param to prevent an
ioctl thread modifying and corrupting data which is being
processed by another ioctl in the other thread
Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From kernel 3.19-rc4, size of struct station_info is around 600 bytes,
so stack frame size of such routine use this struct will easily
exceed 1024 bytes, the default value of stack frame size.
So use heap memory for this struct instead.
Change-Id: Ibe8a4f5189fcc9d5554f7a5d851c93be8fa8dbad
CRs-Fixed: 1050323
[GabrieleM: port from qcacld-2.0 to prima]
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 31495348
Change-Id: I7392c2b444794234ebd685735566e7b4fa09c409
Signed-off-by: Min Chong <mchong@google.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with
0's.
So that %pK will not leak kernel pointers to unprivileged users.
So change the format specifier from %p to %pK.
Debugging Note : &pK prints only Zeros as address. if you need actual
address information, pls echo 0 to kptr_restrict.
$ echo 0 > /proc/sys/kernel/kptr_restrict
Bug: 31498159
Change-Id: I0baf2be2d5a476e2e4267f20b99d0ddf5492469e
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a check to return value before calling csid config which will
otherwise lead to use after free scenario.
CRs-Fixed: 1040857
Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
An attack using missing endpoints exists.
CVE-2016-3137
Change-Id: Id6ca1e8b69abcccdc13acbedbe2189b69a8cc569
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
These structs have holes and reserved struct members which aren't
cleared. I've added a memset() so we don't leak stack information.
Change-Id: Ie3c281fd75181b10650a4f7f7d791b8dd4aa1eb3
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
This reverts commit b81f2dc78a9fb0fa1bd244a2ffdf12493c618dbf.
Change-Id: I5838bf8ae4844948477ec7ceb66b071c513a067d
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In mmc_block_test, the debug_fs based read function handlers write to an
arbitrary buffer which is given by any user. We add an access_ok check
to verify that the address pointed by *buffer is not in kernel space.
Only if the buffer is valid, do we continue the read handler.
Backport reference:
* Ignore changes from following upstream functions:
- bkops_test_read
- long_sequential_read_test_read,
- long_sequential_write_test_read
- new_req_notification_test_read
Change-Id: I1413f71be13509a3b4e56b919cfbcbd9fcc9d2bd
Signed-off-by: Lee Susman <lsusman@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
HLOS Crypto driver needs to set CLR_CNTXT bit for operations with
legacy software key registers
CAF-Change-Id: Iff482f726d106e99a4006f7077a171da3c7ca9c3
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
CVE-2017-0626
Change-Id: Ieddc84f2ff36bc23a88c06a5752a68868c7e38bf
(cherry picked from commit 64551bccab9b5b933757f6256b58f9ca0544f004)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
to check buffer size before copying img to buffer.
CRs-fixed: 1080290
CAF-Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
CVE-2017-0614
Change-Id: Ib5ee6fed48f742e5bd71d3af0a119441c59d2a52
(cherry picked from commit fc2ae27eb9721a0ce050c2062734fec545cda604)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make sure that `len` is not larger than `count` before copying data
to userspace `buf` in _debug_stats_read().
CAF-Change-Id: Iafb7cfa3828653f8c28183c812797c3d9a183da1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
CVE-2016-10289
Change-Id: If20a597019e9666df999c2f56e9bb10f14a7e26a
(cherry picked from commit a604e6f3889ccc343857532b63dea27603381816)
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes to address possible integer overflow and incorrect
array indexing conditions.
CAF-Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9
Signed-off-by: Trilokesh Rangam <tranga@codeaurora.org>
CVE-2016-10233
Change-Id: I7bc2a8791bb37dc6cff5f5e36555b7a7b5e99938
(cherry picked from commit d793c6d91ecba2a1fd206ad47a4fd408d290addf)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes CVE-2014-1739.
Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Change-Id: Ie7914a3f97650dd933d7ff4c836ff7fc850bae4a
(cherry picked from commit e6a623460e5fc960ac3ee9f946d3106233fd28d8)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validates which uses as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.
Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.
CAF-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
CVE-2017-6424
Change-Id: Ia3ac5038e51d1548627afe6685c82cf0fd850f08
(cherry picked from commit 5cc2ac840e36a3342c5194c20b314f0bb95ef7e1)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A STA entry is created for each peer joining
the network to take care of the peer specific
capabilities.
The VDEV need not be reconfigured for IBSS peer
with different channel width joining the network.
CAF-Change-Id: Iec6ec5d2b510b84538f4e5300b3f1c5cc63b334d
CRs-Fixed: 1046409
CVE-2016-10235
Change-Id: I227f5496f0cc24142c117c11a3ea4a1cdacd9f71
(cherry picked from commit 5bb0059243515ecdac138cfdb4cee7259bbd0bbc)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Adding user passed parameters without check might
lead to Integer overflow and unpredictable system
behaviour.
CAF-Change-Id: Iaf8259e3c4a157e1790f1447b1b62a646988b7c4
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
CVE-2016-10230
Change-Id: I07a2c7d571b0eaa7abe085eeb0887c2d10ef3a40
(cherry picked from commit bd9a8fc6d7f6bd1a0b936994630006de450df657)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for new TA, but didn't removed it from
qseecom_registered_app_list. Make change to remove it.
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
(cherry picked from commit 0ed0f061bcd71940ed65de2ba46e37e709e31471)
Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which evaluates whether
kptr_restrict is set.
Change-Id: I0778e43e0a03852ca2944377256a7b401586a747
Signed-off-by: Divya Ponnusamy <pdivya@codeaurora.org>
Signed-off-by: Sudeep Yedalapure <sudeepy@codeaurora.org>
(cherry picked from commit aff982f224d45a7faf7ad4e74633d1a8510a1c04)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Integer overflow check is invalid when ULONG_MAX is used,
as ULONG_MAX has typeof 'unsigned long', while areq->assoclen,
q_req->crytlen, and qreq.ivsize are 'unsigned int'. Make change
to use UINT_MAX instead of ULONG_MAX.
Change-Id: If2bb1900c07af1ea162da362c913d4880b0bc755
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
(cherry picked from commit 8f8066581a8e575a7d57d27f36c4db63f91ca48f)
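Why a check against ULONG_MAX can never fire for 'unsigned int' operands, and what the UINT_MAX check has to look like, as an added example that is not the qcrypto driver's code. The three parameters stand in for areq->assoclen, q_req->cryptlen and qreq.ivsize from the message; the function names and the subtraction form of the fixed check are this example's own choices, since the message does not show the driver's exact code.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The check as the commit describes it before the fix. The sum is computed
 * in 'unsigned int' and wraps modulo 2^32 before the comparison; the wrapped
 * value is then widened to 'unsigned long', so it can never exceed ULONG_MAX
 * (on LP64 it cannot even reach it; on ILP32 ULONG_MAX == UINT_MAX). The
 * function therefore always reports "no overflow". */
bool total_len_overflows_broken(unsigned int assoclen, unsigned int cryptlen,
                                unsigned int ivsize)
{
    unsigned int total = assoclen + cryptlen + ivsize;
    return total > ULONG_MAX;
}

/* Fixed: bound each addition against UINT_MAX, the limit of the type the
 * arithmetic is actually done in, and test before adding so nothing wraps.
 * (Subtraction form; one standard way to write such a check.) */
bool total_len_overflows(unsigned int assoclen, unsigned int cryptlen,
                         unsigned int ivsize)
{
    if (assoclen > UINT_MAX - cryptlen)
        return true;
    if (assoclen + cryptlen > UINT_MAX - ivsize)
        return true;
    return false;
}

/* Convenience wrapper: computes the total only when it fits. Returns false
 * and leaves *total untouched on overflow. */
bool checked_total_len(unsigned int assoclen, unsigned int cryptlen,
                       unsigned int ivsize, unsigned int *total)
{
    if (total_len_overflows(assoclen, cryptlen, ivsize))
        return false;
    *total = assoclen + cryptlen + ivsize;
    return true;
}

int main(void)
{
    unsigned int total;
    /* Constructed lengths that wrap: 0xFFFFFFF0 + 0x20 = 0x100000010 does not fit. */
    printf("broken check flags overflow: %d\n",
           total_len_overflows_broken(0xFFFFFFF0u, 0x20u, 0u)); /* 0 */
    printf("fixed check flags overflow:  %d\n",
           total_len_overflows(0xFFFFFFF0u, 0x20u, 0u));        /* 1 */
    if (checked_total_len(16u, 32u, 12u, &total))
        printf("ok total: %u\n", total);                         /* 60 */
    return 0;
}
```

The general lesson the message carries is that the limit constant must match the type the arithmetic is performed in, not a wider type; compilers usually flag `total > ULONG_MAX` as a comparison that is always false, which is a cheap way to catch this class of mistake in review.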
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 31802656
Change-Id: I74e83192e0379586469edba3c7579a1cd75cf3c0
Signed-off-by: Min Chong <mchong@google.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Verify that unsigned int value will not become negative before cast to
signed int.
Bug: 31651010
Change-Id: I548a200f678762042617f11100b6966a405a3920
|