Commits · 93c8c4ae98edac205f7965585951f7d026ad34f1 · Bricked / flo

13 Jun, 2016 1 commit

msm: kgsl: Defer adding the mem entry to a process · 93c8c4ae

Sunil Khatri authored 8 years ago


If we add the mem entry pointer in the process idr and rb tree
too early, other threads can do operations on the entry by
guessing the ID or GPU address before the object gets returned
by the creating operation.

Allocate an ID for the object but don't assign the pointer until
right before the creating function returns ensuring that another
operation can't access it until it is ready.

Bug: 28026365
CRs-Fixed: 1002974
Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Santhosh Punugu <spunug@codeaurora.org>

93c8c4ae

09 Jun, 2016 1 commit
- Merge branch 'android-msm-flo-3.4-mnc-mr1-security-next' into android-msm-flo-3.4-mnc-mr1 · ea1be87b
  Patrick Tjin authored 8 years ago
```
Merge security-next into mnc-mr1 @ 75dfdc8a for August 2016.1
```
  ea1be87b
08 Jun, 2016 1 commit

Don't show empty tag stats for unprivileged uids · 1fc765b1

Mohamad Ayyash authored 8 years ago


BUG: 27577101
BUG: 27532522
Change-Id: I890831a72e5ad4485fdf30e51a146712b18052ed
Signed-off-by: Mohamad Ayyash <mkayyash@google.com
Signed-off-by: Patrick Tjin <pattjin@google.com>

1fc765b1

06 Jun, 2016 2 commits

Subject: qseecom: Add checks for user space buffer pointers · 75dfdc8a

Gilad Avidov authored 8 years ago


Validate pointers send from user space and pointers
embedded within the mesasge sent from user space.

Bug: 28769920
Change-Id: I1be54924ef3d301908af6e8d4e6506f2aa7f6428
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Gilad Avidov <giladavidov@google.com>

75dfdc8a

qseecom: Add checks for API called in IOCTL · eee05092

Nick Desaulniers authored 8 years ago


Validate the caller is the right type for the IOCTL being
issued and inputs are valid.

Bug: 28747998
Change-Id: Iad71f0f5ed4d53c5d011bd55cdf74ec053d09af5
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>

eee05092

03 Jun, 2016 10 commits

qseecom: Validate inputs from user space · b0fe0cfc

Mona Hossain authored 11 years ago


Validate send_cmd, send_modfd_cmd and send_mdfd_resp
input parameters: cmd and response pointers and buffer
lengths and offsets  issued to modify data.

Bug: 28748271
Change-Id: I381836d08aaa48357486fbdc6a122eb5b42bfa0b
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>

b0fe0cfc

qseecom: Validate pointer offset in qseecom_send_modfd_cmd · 4d12c149

Zhen Kong authored 8 years ago


Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
make sure cmd buffer address to be within shared bufffer.

Bug: 28804057
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>

4d12c149

Asoc:msm:Added Buffer overflow check · 24147c05

Mohammad Johny Shaik authored 11 years ago


The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.

Bug: 28751152
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>

24147c05

qseecom: Ensure incoming "app_name" does not corrupt the kernel stack · 6bcdea88

Hariprasad Dhalinarasimha authored 11 years ago


Printing a string with that does not have null terminated character,
would lead to overflow, as the print continues until it finds a null
terminated character.
Avoid this issue by explicitly assigning a string with null termination.

Bug: 28749708

Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>

6bcdea88

diag: Fix possible underflow/overflow issues · 518bb6e9

Mohit Aggarwal authored 8 years ago


Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.

Bug: 28767796
Change-Id: Ic91b5ee629066f013022ea139b4a23ec661aa77a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>

518bb6e9

kernel: Restrict permissions of /proc/iomem. · 9d2d7698

Biswajit Paul authored 10 years ago


The permissions of /proc/iomem currently are -r--r--r--. Everyone can
see its content. As iomem contains information about the physical memory
content of the device, restrict the information only to root.

Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
bug: 28814213
CRs-Fixed: 786116
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>

9d2d7698

msm:camera:isp: fix array index bound checks · 3a0f8ec9

Petar Sivenov authored 10 years ago


This change fixes several incorrect or missing array index bound checks.

Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>

3a0f8ec9

ARM: 7735/2: Preserve the user r/w register TPIDRURW on context switch and fork · f7738390

André Hentschel authored 11 years ago

Since commit 6a1c5312

 the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.

There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.

This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.

Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: a4780adeefd042482f624f5e0d577bf9cdcbb760
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


[joonwoop@codeaurora.org: fixed merge conflict]
CRs-fixed: 561044
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Bug: 28749743

f7738390

ALSA: compress: Memset timestamp structure to zero. · e414124c

Krishnankutty Kolathappilly authored 11 years ago


snd_compr_tstamp is initialized using aggregate initialization
that does not zero out the padded bytes. Initialize timestamp
structure to zero using memset to avoid this.

Bug: 28770164
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>

e414124c

diag: dci: Safeguard to prevent Integer Underflow and Memory Leak · 360b13a6

Katish Paran authored 8 years ago


At certain point in diag driver there can be integer underflow
thus can lead to memory leak. Added a safeguard for that.

Bug: 28750726
Change-Id: I8cc6a8336cd2c5c88c49748c0be2df1696894f2b
Signed-off-by: Yuan Lin <yualin@google.com>

360b13a6

02 Jun, 2016 19 commits

msm: ADSPRPC: Add checks for erroneous values · bedfff66

Mitchel Humpherys authored 8 years ago


Check for invalid parameters passed in user invocation
and validate the return values using appropriate macros.

Bug: 28767593
Change-Id: I9a067f2ab151084b46e9d4d5fb945320a27bb7ba
Signed-off-by: Yuan Lin <yualin@google.com>

bedfff66

msm:camera: Fix multiple bounds check · cebda807

Jim Rasche authored 11 years ago


Added bounds check to user input num_streams at several location,
without checking a position outside array could be dereferenced

Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>

cebda807

msm: camera: Update CCI WR command buffer size to 11 bytes · 7e24523b

Rajesh Bondugula authored 11 years ago


I2C command length is of 11 bytes, it includes 10 bytes of data and
1 byte of WR command. Use 11 bytes char array to create command.

Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f

7e24523b

msm: ultrasound: add verifications of some input parameters · 496c770c

Baruch Eruchimovitch authored 11 years ago


Some security vulnerabilities were found.
To fix them, additional verifications of some input parameters
are required.

bug: 28814690
CRs-Fixed: 554575, 554560, 555030
Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
Signed-off-by: Baruch Eruchimovitch <baruche@codeaurora.org>

496c770c

diag: Make fixes to diag_switch_logging · 3dea6570

Ravi Aravamudhan authored 10 years ago


Diag driver holds on to the socket process task structure even
after signaling the process to exit. This patch clears the internal
handle after signaling.

bug: 28803962
Change-Id: I642fb595fc2caebc6f2f5419efed4fb560e4e4db
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>

3dea6570

msm: camera: added zero checks for msm_isp_proc_cmd... · 895a5204
Yueyao (Nathan) Zhu authored 8 years ago
```
and bound check for msm_isp_set_src_state

Bug: 28749803
Change-Id: Ibc686f64229552160c2f65f672ba8c97ef520443
```
895a5204

msm: camera: isp: Bound check for number stats registers · 22591b12

Petar Sivenov authored 8 years ago

The index of used stats register is derived from a stream handle least
significant byte and thus can be up to 255. However the stats registers
are up to 8 depending of the target. Thus a bound check is done before
use of the received stats register index value.

Bug: 28749728
Change-Id: I23f1add81eb8e0844103a3a3f59f4e4c2af14ffd

22591b12

msm: camera: Check stats index MAX in ISP driver · 7f6fa082

Hariram Purushothaman authored 11 years ago

Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.

Bug: 28749728
Change-Id: I29d9b62cec045598645fbc0e6e62c500eb74bb97

7f6fa082

msm: camera: Fix possible out of bound writes in csi driver · 5d8657c1

Lakshmi Narayana Kalavala authored 11 years ago


The value csi_lane_mask which is uint16_t is controllable from userspace.
The while loop can loop for 2^16 - 1, Hence extract the required
bit combination from the userspace argument, used it for further
processing.

Bug: 28749721
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>

5d8657c1

diag: dci: Check for request pkt length being lesser than minimum length · 2469b2ce

Ravi Aravamudhan authored 8 years ago


Added checks for DCI request packets to be greater than the minimum
packet length. We would drop the request and print an error otherwise.

CRs-Fixed: 483310

Bug: 28767589
Change-Id: Ib7a713be3d6f5a6e0ec3ac280aebd800058447c7
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>

2469b2ce

diag: dci: Safeguard to prevent integer overflow · 09001b63

Katish Paran authored 8 years ago


At certain point in diag driver there can be integer overflow
thus can lead to memory leak. Added a safegaurd for it.

Bug: 28769912
Change-Id: Ib7070218b9ea7a1b9efca02b4c456ad9501085cd
Signed-off-by: Katish Paran <kparan@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>

09001b63

msm: camera: Bound check num_cid from userspace in csid driver · f0b6dc3d

Hariram Purushothaman authored 11 years ago


Upper and lower bound checks are enforced for num_cid
which is passed from userspace with lower as 1 and
max of 16.

Bug: 28747684
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>

f0b6dc3d

diag: Safeguard for bound checks and integer underflow · 86a1a7a7

Katish Paran authored 8 years ago


At certain point in diag driver there can be integer underflow
and thus can lead to memory leak. Bound checks are placed to
ensure correct behavior of condition statements.

Bug: 28768146
Change-Id: I87b57a8b5f32886ada7725f1e8c97cc93de112ec
Signed-off-by: Katish Paran <kparan@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>

86a1a7a7

msm_fb: display: validate input args of mdp4_argc_process_write_req · 7c8061dd

raghavendra ambadas authored 10 years ago


A bounds check has to be done for r/g/b stages variables
to avoid undetermined behaviour.

Bug: 28398884
Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

7c8061dd

media: Init the reserved fields of struct media_link_desc · b81f2dc7

Deva Ramasubramanian authored 11 years ago


struct media_link_desc is copy_to_user'ed as the return value of
MEDIA_IOC_ENUM_LINKS. When copying, the driver is omitting to initialise
the reserved fields.  This commit fixes that by initialising the
reserved fields to 0.

Bug: 28750150
CRs-Fixed: 570757
Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

b81f2dc7

ARM: dma-mapping: don't allow DMA mappings to be marked executable · e961bbad

Russell King authored 11 years ago


DMA mapping permissions were being derived from pgprot_kernel directly
without using PAGE_KERNEL.  This causes them to be marked with executable
permission, which is not what we want.  Fix this.

Bug: 28803642
Change-Id: Ib40f59f3c569f82409943cf8f9a86a9869d922cc
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: 0ea1ec713f04bdfac343c9702b21cd3a7c711826
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


[lauraa@codeaurora.org: dropped functions not in older builds]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>

e961bbad

net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() · 4afcb836

Avijit Kanti Das authored 10 years ago


memset() the structure ethtool_wolinfo that has padded bytes
but the padded bytes have not been zeroed out.

Bug: 28803952
Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>

4afcb836

wlan: Replace snprintf with scnprintf · bb16fdd9

Panvar Vivek authored 8 years ago


The function snprintf() do not write more than size bytes (including
the terminating null byte ('\0')). If the output was truncated due
to this limit then the return value is the number of characters
(excluding the terminating null byte) which would have been written
to the final string if enough space had been available. Thus, a
return value of size or more means that the output was truncated.

Bug: 28670333
Change-Id: I2b6c7f8262361046536b55262b3d7c30cb5b282e
Signed-off-by: Yuan Lin <yualin@google.com>

bb16fdd9

Fix the buffer overflow issue observed in static code analysis. · ae489213

Kiran Kumar Lokere authored 8 years ago


Fix the possible buffer overflow in IE parsing.

Bug: 28668638
Change-Id: I61e3b20276bdf329a1ef64a3189f172b231a3d15
Signed-off-by: Yuan Lin <yualin@google.com>

ae489213

31 May, 2016 6 commits

msm: vidc: Check validity of userspace address · 87b6a3eb

Deepak Verma authored 11 years ago


Before writing to a userspace address, verification
of the validity of user space address is required.

Bug: 28769352
Change-Id: I9141e44a6c11aaf3f4d57c08bb0dd26a7b214f34
CRs-fixed: 556356
Signed-off-by: Deepak Verma <dverma@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

87b6a3eb

radio: iris: Remove FM radio driver from defconfig · 3b8eec82

Siqi Lin authored 8 years ago


FM radio is not used on flo.

Bug: 28769368
Bug: 28769546
Change-Id: Ice4c4cb66e7ea7b7e34efe125e29377f896e80f1
Signed-off-by: Siqi Lin <siqilin@google.com>

3b8eec82

radio: iris: Use kernel API to copy data from user space · d9809ae3

Ayaz Ahmad authored 11 years ago


Use copy_from_user kernel api to copy any data from user space
to kernel space.

Bug: 28769546
Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82
CRs-Fixed: 540320
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

d9809ae3

radio: iris: Checking if driver's buffer is large enough. · 33e340a0

Satish Kodishala authored 11 years ago


Checking if driver's buffer is large enough to copy
the data from user space.

Bug: 28769546
Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82
CRs-fixed: 552329
Signed-off-by: Satish Kodishala <skodisha@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

33e340a0

radio: iris: Prevent probable overflow · caa39eb7

Ayaz Ahmad authored 11 years ago


casting a unsigned int into an integer, integer to
unsigned int may cause buffer overflow.

Bug: 28769368
Change-Id: I54be4d4c5470616a59a772c587fe6d5f32575c32
CRs-Fixed: 539008
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

caa39eb7

msm: actuator: fix to prevent untrusted pointer to lead DoS · 221a82e5

Vasko Kalanoski authored 11 years ago


fix to prevent untrusted userspace pointer in actuator kernel
driver to lead DoS

Bug: 28768281
Change-Id: I1b64270deb494530d268539e7b420be5ec79b658
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>

221a82e5