- 08 Aug, 2016 5 commits
-
-
H. Peter Anvin authored
defined(@array) is deprecated in Perl and gives off a warning. Restructure the code to remove that warning.
[ hpa: it would be interesting to revert to the timeconst.bc script. It appears that the failures reported by akpm during testing of that script was due to a known broken version of make, not a problem with bc. The Makefile rules could probably be restructured to avoid the make bug, or it is probably old enough that it doesn't matter. ]
Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dennis Rassmann <showp1984@gmail.com>
-
Dennis Rassmann authored
Signed-off-by: Dennis Rassmann <showp1984@gmail.com>
-
Dennis Rassmann authored
fix: drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c:2792:52: warning: 'staId' may be used uninitialized in this function [-Wuninitialized]
Signed-off-by: Dennis Rassmann <showp1984@gmail.com>
-
Dennis Rassmann authored
fix: drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c:2219:13: warning: 'fwps_genie' may be used uninitialized in this function [-Wuninitialized]
Signed-off-by: Dennis Rassmann <showp1984@gmail.com>
-
Dennis Rassmann authored
-
- 01 Jul, 2016 1 commit
-
-
Nick Desaulniers authored
Bug: 28747998
Bug: 29821509
Bug: 29872309
Change-Id: I7ac85fa7aa2904d7975a70f3b68a2288656a2aff
-
- 20 Jun, 2016 9 commits
-
-
Linus Torvalds authored
We had for some reason overlooked the AIO interface, and it didn't use the proper rw_verify_area() helper function that checks (for example) mandatory locking on the file, and that the size of the access doesn't cause us to overflow the provided offset limits etc. Instead, AIO did just the security_file_permission() thing (that rw_verify_area() also does) directly. This fixes it to do all the proper helper functions, which not only means that now mandatory file locking works with AIO too, we can actually remove lines of code.
Bug: 28939037
Reported-by: Manish Honap <manish_honap_vit@yahoo.co.in>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit a70b52ec1aaeaf60f4739edb1b422827cb6f3893)
Change-Id: I2e182e973b44ba97c45c80d52d8a0b7c32a72750
-
Mekala Natarajan authored
Bug: 29119870
Change-Id: Ib9d25b69486bb34ea5749e1342453f3f7f3a2920
Signed-off-by: Mekala Natarajan <mnatarajan@google.com>
-
Jeff Vander Stoep authored
Add: CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y to android-base.cfg
The kernel.perf_event_paranoid sysctl is set to 3 by default. No unprivileged use of the perf_event_open syscall will be permitted unless it is changed.
Bug: 29054680
Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
-
Jeff Vander Stoep authored
When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
-
Ben Hutchings authored
perf_event_paranoid was only documented in source code and a perf error message. Copy the documentation from the error message to Documentation/sysctl/kernel.txt.
BACKPORT notes: The error printing from upstream does not exist in the 3.4 kernel. Only backporting the documentation update from this commit.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Bug: 29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.
Bug: 28980217
Change-Id: Iff69ca708e0022ce9301efae798798b9bfcf9e25
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
-
Kangjie Lu authored
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.
Bug: 28980217
Change-Id: I2bef279bbaa1f20ea831d364b3a4a09a27f07025
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
-
Kangjie Lu authored
The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.
Bug: 28980557
Change-Id: Ib66cfcc1e36025255d7f518f3df2c39a21858886
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e)
-
Takashi Iwai authored
ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there.
Bug: 28694392
Change-Id: I1ac52f1cba5e7408fd88c8fc1c30ca2e83967ebb
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit af368027a49a751d6ff4ee9e3f9961f35bb4fede)
-
- 17 Jun, 2016 1 commit
-
-
Eric Dumazet authored
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]
This patch addresses multiple problems : UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions while socket is not locked : Other threads can change np->opt concurrently. Dmitry posted a syzkaller (http://github.com/google/syzkaller ) program demonstrating use-after-free. Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() and dccp_v6_request_recv_sock() also need to use RCU protection to dereference np->opt once (before calling ipv6_dup_options()) This patch adds full RCU protection to np->opt
BUG: 28746669
Change-Id: I207da29ac48bb6dd7c40d65f9e27c4e3ff508da0
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Pierre Imai <imaipi@google.com>
-
- 15 Jun, 2016 5 commits
-
-
Oliver Neukum authored
Bug: 28744625
In case bind() works, but a later error forces bailing in probe() in error cases work and a timer may be scheduled. They must be killed. This fixes an error case related to the double free reported in http://www.spinics.net/lists/netdev/msg367669.html and needs to go on top of Linus' fix to cdc-ncm.
(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
Change-Id: Id1708db3833ade7f1406b941f0bc20671c9c3b3b
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Thierry Strudel authored
Bug: 28522518
Change-Id: I11ec8e02bdb330c10f06e923c1c3d45a145ced15
Signed-off-by: Thierry Strudel <tstrudel@google.com>
-
Al Viro authored
Bug: 28759139
Change-Id: I561a14b514d714838ef539a94275b117d7f475f4
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
kangjie authored
the stack object “map” has a total size of 32 bytes. Its last 4 bytes are padding generated by compiler. These padding bytes are not initialized and sent out via “nla_put”
Bug: 28620102
Change-Id: I13da380c6fe8abca49e3cf9f05293c02b44d2e5e
Signed-off-by: kangjie <kangjielu@gmail.com>
-
Kangjie Lu authored
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”.
Bug: 28619695
Change-Id: I170754d659d0891c075f85211b5e3970b114f097
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 13 Jun, 2016 2 commits
-
-
Dennis Rassmann authored
-
Sunil Khatri authored
If we add the mem entry pointer in the process idr and rb tree too early, other threads can do operations on the entry by guessing the ID or GPU address before the object gets returned by the creating operation. Allocate an ID for the object but don't assign the pointer until right before the creating function returns ensuring that another operation can't access it until it is ready.
Bug: 28026365
CRs-Fixed: 1002974
Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Santhosh Punugu <spunug@codeaurora.org>
-
- 09 Jun, 2016 1 commit
-
-
Patrick Tjin authored
Merge security-next into mnc-mr1 @ 75dfdc8a for August 2016.1
-
- 08 Jun, 2016 1 commit
-
-
Mohamad Ayyash authored
BUG: 27577101
BUG: 27532522
Change-Id: I890831a72e5ad4485fdf30e51a146712b18052ed
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
- 06 Jun, 2016 2 commits
-
-
Gilad Avidov authored
Validate pointers sent from user space and pointers embedded within the message sent from user space.
Bug: 28769920
Change-Id: I1be54924ef3d301908af6e8d4e6506f2aa7f6428
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Gilad Avidov <giladavidov@google.com>
-
Nick Desaulniers authored
Validate the caller is the right type for the IOCTL being issued and inputs are valid.
Bug: 28747998
Change-Id: Iad71f0f5ed4d53c5d011bd55cdf74ec053d09af5
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
-
- 03 Jun, 2016 10 commits
-
-
Mona Hossain authored
Validate send_cmd, send_modfd_cmd and send_mdfd_resp input parameters: cmd and response pointers and buffer lengths and offsets issued to modify data.
Bug: 28748271
Change-Id: I381836d08aaa48357486fbdc6a122eb5b42bfa0b
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
-
Zhen Kong authored
Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and make sure cmd buffer address to be within shared buffer.
Bug: 28804057
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
-
Mohammad Johny Shaik authored
The overflow check is required to ensure that user space data in kernel may not go beyond buffer boundary.
Bug: 28751152
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
-
Hariprasad Dhalinarasimha authored
Printing a string that does not have a null terminated character would lead to overflow, as the print continues until it finds a null terminated character. Avoid this issue by explicitly assigning a string with null termination.
Bug: 28749708
Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
-
Mohit Aggarwal authored
Add check in order to fix possible integer underflow during HDLC encoding which may lead to buffer overflow. Also added check for packet length to avoid buffer overflow.
Bug: 28767796
Change-Id: Ic91b5ee629066f013022ea139b4a23ec661aa77a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
-
Biswajit Paul authored
The permissions of /proc/iomem currently are -r--r--r--. Everyone can see its content. As iomem contains information about the physical memory content of the device, restrict the information only to root.
Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
bug: 28814213
CRs-Fixed: 786116
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
-
Petar Sivenov authored
This change fixes several incorrect or missing array index bound checks.
Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
-
André Hentschel authored
Since commit 6a1c5312 the user writeable TLS register was zeroed to prevent it from being used as a covert channel between two tasks. There are more and more applications coming to Windows RT, Wine could support them, but mostly they expect to have the thread environment block (TEB) in TPIDRURW. This patch preserves that register per thread instead of clearing it. Unlike the TPIDRURO, which is already switched, the TPIDRURW can be updated from userspace so needs careful treatment in the case that we modify TPIDRURW and call fork(). To avoid this we must always read TPIDRURW in copy_thread.
Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: a4780adeefd042482f624f5e0d577bf9cdcbb760
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[joonwoop@codeaurora.org: fixed merge conflict]
CRs-fixed: 561044
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Bug: 28749743
-
Krishnankutty Kolathappilly authored
snd_compr_tstamp is initialized using aggregate initialization that does not zero out the padded bytes. Initialize timestamp structure to zero using memset to avoid this.
Bug: 28770164
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
-
Katish Paran authored
At a certain point in the diag driver there can be an integer underflow, which can lead to a memory leak. Added a safeguard for that.
Bug: 28750726
Change-Id: I8cc6a8336cd2c5c88c49748c0be2df1696894f2b
Signed-off-by: Yuan Lin <yualin@google.com>
-
- 02 Jun, 2016 3 commits
-
-
Mitchel Humpherys authored
Check for invalid parameters passed in user invocation and validate the return values using appropriate macros.
Bug: 28767593
Change-Id: I9a067f2ab151084b46e9d4d5fb945320a27bb7ba
Signed-off-by: Yuan Lin <yualin@google.com>
-
Jim Rasche authored
Added bounds check to user input num_streams at several locations; without checking, a position outside the array could be dereferenced.
Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
-
Rajesh Bondugula authored
I2C command length is of 11 bytes, it includes 10 bytes of data and 1 byte of WR command. Use 11 bytes char array to create command.
Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
-