1. 17 Jun, 2016 1 commit
  2. 13 Jun, 2016 2 commits
  3. 19 Apr, 2016 1 commit
  4. 18 Apr, 2016 1 commit
• wlan: wlan_hdd_wext Userspace data copy fix · 2c357471
      Arif Hussain authored
      Use copy_to_user and copy_from_user for
      copying data to/from user space
      
      Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031
      CRs-Fixed: 561028
      CRs-Fixed: 605932
      Bug: 27662174
      Bug: 27777162
  5. 15 Apr, 2016 3 commits
• wlan: Deprecate all WAPI ioctls · fc976934
      Girish Gowli authored
All WAPI ioctls WLAN_PRIV_SET_WAPI_MODE, WLAN_PRIV_GET_WAPI_MODE,
WLAN_PRIV_SET_WAPI_ASSOC_INFO, WLAN_PRIV_SET_WAPI_KEY,
WLAN_PRIV_SET_WAPI_BKID and WLAN_PRIV_GET_WAPI_BKID are not being
used, hence removing the source code related to all these ioctls.
      
      Change-Id: I204cd579b4e29df7e995f30cc0aa8612bc7965ee
      CRs-Fixed: 677410
      Bug: 27776888
• Few IOCTL SET commands use odd numbers, · a2d9b94c
      Arif Hussain authored
so we cannot utilize the kernel "extra" facility.
We need to copy the user data into a kernel buffer
using the copy_from_user function.
      
      Change-Id: I550bf90fbbacb9d5ac4187ed423fca90fafccad1
      CRs-Fixed: 596898
      Bug: 27777501
• net: wireless: bcmdhd: check privilege on priv cmd · 769f7f51
      Jerry Lee authored
Check net admin capability for ioctl calls.
      
      BUG=26425765
      
      Change-Id: Idae75c9fc530add3ead3508d25e994bbfec9a6de
  6. 14 Apr, 2016 1 commit
  7. 13 Apr, 2016 1 commit
  8. 11 Apr, 2016 1 commit
• wlan: validate essid length before processing scan req · 19676e89
      Arun Khandavalli authored
      Presently we are not validating the length of the essid received
      and directly copying the buffer without size checking.
      Perform bound checking before processing the scan req.
      
      Change-Id: I786e4feb67bf039df3d217138a412da54f51787d
      CRs-fixed: 890228
      Bug: 27773913
  9. 25 Mar, 2016 3 commits
  10. 24 Mar, 2016 13 commits
• pipe: iovec: Fix OOB read in pipe_read() · 972c638b
      Jeff Vander Stoep authored
      Previous upstream *stable* fix 14f81062 was incomplete.
      
      A local process can trigger a system crash with an OOB read on buf.
      This occurs when the state of buf gets out of sync. After an error in
      pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset
      but not buf->len. Upon retrying pipe_read() while in
      pipe_iov_copy_to_user() *remaining will be larger than the space left
after buf->offset, e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE,
      buf->offset = 0x300.
      
      This is fixed by not updating the state of buf->offset until after the
      full copy is completed, similar to how pipe_write() is implemented.
      
      For stable kernels < 3.16.
      
      Bug: 27721803
      Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
• qcacld 2.0: Address buffer overflow due to invalid length · 243408ce
      Mahesh A Saptasagar authored
      prima to qcacld-2.0 propagation
      
      Check for valid length before copying the packet filter data from
      userspace buffer to kernel space buffer to avoid buffer overflow
      issue.
      
      Bug: 26754117
      Change-Id: I8d25a9d1b6909b6dda7a1d2aa80407ef2da821aa
Signed-off-by: Yuan Lin <yualin@google.com>
• qcacld 2.0: Validate WPA and RSN IE for valid length · 34953f9f
      Mahesh A Saptasagar authored
      prima to qcacld-2.0 propagation
      
      Return failure to applications if genie ioctl is invoked to configure
      WPS/WPA/RSN IEs with arguments of improper length.
      
      Bug: 27104184
      Change-Id: I31e288db41e14b24be0e430afed3a5e360da1370
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · 973503f0
      Mukul Sharma authored
      for CLEAR_MCBC_FILTER IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the CLEAR_MCBC_FILTER IOCTL, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I2332845fa6793dc63b6f397a9ebf53d37a52a7c7
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · aaf7476f
      Mukul Sharma authored
      for SET_POWER_PARAMS IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the SET_POWER_PARAMS IOCTL, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: Iaab3d55c2acc75f65d6daf5998713cc9ff92a32c
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · ede034fd
      Mukul Sharma authored
      for SET_BAND_CONFIG IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the SET_BAND_CONFIG IOCTL, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I34e9d91f778b09eb73881aed5c6e3a10cbbd208c
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · 4a75c965
      Hanumantha Reddy Pothula authored
      for SET_THREE_INT_GET_NONE
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the SET_THREE_INT_GET_NONE IOCTL,
make sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I8661872786adfb5492da505ba3960e62064ddd7e
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · 86fd66a4
      Mukul Sharma authored
      for QCSAP_IOCTL_DISASSOC_STA
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the QCSAP_IOCTL_DISASSOC_STA IOCTL,
make sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I7928789c0ce94a2b81495064496766b9e62d6ed8
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · 518fd809
      Mukul Sharma authored
      for QCSAP_IOCTL_SETWPSIE
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the QCSAP_IOCTL_SETWPSIE IOCTL,
make sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I66acff95d6151b32f1cb3c36a164e1de021e1e30
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission · fbb8f120
      Mukul Sharma authored
      for SET_VAR_INTS_GETNONE IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing SET_VAR_INTS_GETNONE, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: Ia2465433aab6366160a167a62ca03e0ba720bcdb
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission before processing · fd13b59e
      Mukul Sharma authored
      for SET_PACKET_FILTER IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing the SET_PACKET_FILTER IOCTL, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I1edc65ee26c5e3e4260e0f6546434b0137493396
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission before processing · e9dcd5aa
      Mukul Sharma authored
      for SET_CHAR_GET_NONE IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing SET_CHAR_GET_NONE IOCTLs, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: Iccf25a9d1f1a7c13d3aaf2fc4bd3aebba740dbb2
Signed-off-by: Yuan Lin <yualin@google.com>
• wlan: Check privilege permission before processing · 1fac7333
      Mukul Sharma authored
      for SET_OEM_DATA_REQ IOCTL
      
The kernel assumes all SET IOCTL commands are assigned even
numbers. But in our WLAN driver, some SET IOCTLs are assigned odd
numbers. This causes the kernel to fail to check, for some SET IOCTLs,
whether the user has the right permission to do a SET operation.
Hence, in the driver, before processing SET_OEM_DATA_REQ IOCTLs, make
sure the user task has the right permission to process the command.
      
      Bug: 27104184
      Change-Id: I651656fe11d4235232b76c972b5460b57e608449
Signed-off-by: Yuan Lin <yualin@google.com>
  11. 22 Mar, 2016 1 commit
  12. 17 Mar, 2016 2 commits
• pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic · eca06b45
      Ben Hutchings authored
      pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
      the first time atomically and the second time not.  The second attempt
      needs to continue from the iovec position, pipe buffer offset and
      remaining length where the first attempt failed, but currently the
      pipe buffer offset and remaining length are reset.  This will corrupt
      the piped data (possibly also leading to an information leak between
      processes) and may also corrupt kernel memory.
      
      This was fixed upstream by commits f0d1bec9d58d ("new helper:
      copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
      copy_page_to_iter()"), but those aren't suitable for stable.  This fix
      for older kernel versions was made by Seth Jennings for RHEL and I
      have extracted it from their update.
      
      CVE-2015-1805
      
      Bug: 27275324
      
      Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
• Keep history after reset to 094b859d · c97b5c0d
      Patrick Tjin authored
  13. 24 Feb, 2016 1 commit
  14. 21 Jan, 2016 1 commit
• msm: null pointer dereferencing · 094b859d
      Wish Wu authored
      Prevent unintended kernel NULL pointer dereferencing.
      
Original code:
        hlist_del_rcu(&event->hlist_entry);
      
      Fix: Adding pointer check:
        if(!hlist_unhashed(&p_event->hlist_entry))
          hlist_del_rcu(&p_event->hlist_entry);
      
      Bug: 25364034
      Change-Id: Ieda6d8f4bb567827fa6c7709e9e729905c6c3882
Signed-off-by: Yuan Lin <yualin@google.com>
  15. 12 Jan, 2016 1 commit
  16. 08 Jan, 2016 1 commit
• include/linux/poison.h: fix LIST_POISON{1,2} offset · d965aca9
      Vasily Kulikov authored
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6
      
      Bug: 26186802
      Change-Id: Ie2121a417b6a43ee6d119c996b5ec2ad6d01a0a7
Signed-off-by: Yuan Lin <yualin@google.com>
  17. 31 Oct, 2015 2 commits
  18. 23 Oct, 2015 1 commit
  19. 22 Oct, 2015 1 commit
  20. 14 Oct, 2015 2 commits
• msm: ipc_socket: fix leak of kernel memory to userspace · 4b3d11e7
      Patrick Tjin authored
      Limit the size of copy to the minimum of what was asked
      for or the number of results returned to prevent leaking of
      uninitialized kernel memory to userspace.
      
      Bug: 24157888
Signed-off-by: Patrick Tjin <pattjin@google.com>
      Change-Id: I7433135ea3345905c053a81d0d759619b46c1430
• arm/configs: flo: Remove SysV IPC from kernel · bd8d871a
      Patrick Tjin authored
      System V IPCs are not compliant with Android's application lifecycle
      because allocated resources are not freeable by the low memory killer.
This led to global kernel resource leakage.
      
      For example, there is no way to automatically release a SysV
      semaphore allocated in the kernel when:
      - a buggy or malicious process exits
      - a non-buggy and non-malicious process crashes or is explicitly
        killed.
      
      Killing processes automatically to make room for new ones is an
      important part of Android's application lifecycle implementation.
      This means that, even assuming only non-buggy and non-malicious
      code, it is very likely that over time, the kernel global tables
      used to implement SysV IPCs will fill up.
      
      Bug: 24551430
      Bug: 22300191
Signed-off-by: Patrick Tjin <pattjin@google.com>
      Change-Id: I98d592819974acbd5fb47d526ed1ce3700ae1bd5