1. 08 Jun, 2016 1 commit
  2. 05 Jun, 2016 2 commits
  3. 22 Mar, 2016 1 commit
  4. 17 Mar, 2016 2 commits
    • Ben Hutchings's avatar
      pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic · c1220552
      Ben Hutchings authored
      pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
      the first time atomically and the second time not.  The second attempt
      needs to continue from the iovec position, pipe buffer offset and
      remaining length where the first attempt failed, but currently the
      pipe buffer offset and remaining length are reset.  This will corrupt
      the piped data (possibly also leading to an information leak between
      processes) and may also corrupt kernel memory.
      
      This was fixed upstream by commits f0d1bec9d58d ("new helper:
      copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
      copy_page_to_iter()"), but those aren't suitable for stable.  This fix
      for older kernel versions was made by Seth Jennings for RHEL and I
      have extracted it from their update.
      
      CVE-2015-1805
      
      (cherry picked from commit f7ebfe91b806501808413c8473a300dff58ddbb5)
      
      Bug: 27275324
      
      Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1220552
    • Patrick Tjin's avatar
      Keep history after reset to baedb014 · b3623962
      Patrick Tjin authored
      b3623962
  5. 24 Feb, 2016 1 commit
  6. 19 Feb, 2016 4 commits
  7. 12 Feb, 2016 1 commit
  8. 16 Jan, 2016 1 commit
    • Wish Wu's avatar
      msm: null pointer dereferencing · baedb014
      Wish Wu authored
      Prevent unintended kernel NULL pointer dereferencing.
      
      Orignal code:
        hlist_del_rcu(&event->hlist_entry);
      
      Fix: Adding pointer check:
        if(!hlist_unhashed(&p_event->hlist_entry))
          hlist_del_rcu(&p_event->hlist_entry);
      
      Bug: 25364034
      Change-Id: Ieda6d8f4bb567827fa6c7709e9e729905c6c3882
      Signed-off-by: default avatarYuan Lin <yualin@google.com>
      baedb014
  9. 13 Jan, 2016 1 commit
  10. 08 Jan, 2016 1 commit
    • Vasily Kulikov's avatar
      include/linux/poison.h: fix LIST_POISON{1,2} offset · ceb75e5c
      Vasily Kulikov authored
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6
      
      Bug: 26186802
      Change-Id: I2663f4e4d8725547c90ea14e082f10ae0cf80679
      Signed-off-by: default avatarYuan Lin <yualin@google.com>
      ceb75e5c
  11. 10 Dec, 2015 1 commit
  12. 09 Dec, 2015 1 commit
  13. 04 Dec, 2015 1 commit
  14. 01 Dec, 2015 1 commit
    • dataanddreams's avatar
      bcmdhd: Add checks for stack buffer overflows · 453d319e
      dataanddreams authored
      These two checks prevent exploitable buffer overflows in two scenarios.
      1. Long WPS_ID_DEVICE_NAME in WPS info elements
      2. Invalid SSID determined in certain scan results
      
      Bug: 25661991
      Change-Id: Ie2f99897df2e4ce9fabcc03bb6091796777f95fa
      453d319e
  15. 04 Nov, 2015 1 commit
  16. 03 Nov, 2015 1 commit
  17. 31 Oct, 2015 1 commit
  18. 30 Oct, 2015 2 commits
  19. 22 Oct, 2015 1 commit
  20. 15 Oct, 2015 1 commit
    • Patrick Tjin's avatar
      arm/configs: hammerhead: remove SysV IPC from kernel · 234ec1ce
      Patrick Tjin authored
      System V IPCs are not compliant with Android's application lifecycle
      because allocated resources are not freeable by the low memory killer.
      This lead to global kernel resource leakage.
      
      For example, there is no way to automatically release a SysV
      semaphore allocated in the kernel when:
      - a buggy or malicious process exits
      - a non-buggy and non-malicious process crashes or is explicitly
        killed.
      
      Killing processes automatically to make room for new ones is an
      important part of Android's application lifecycle implementation.
      This means that, even assuming only non-buggy and non-malicious
      code, it is very likely that over time, the kernel global tables
      used to implement SysV IPCs will fill up.
      
      Bug: 24551430
      Bug: 22300191
      Signed-off-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Signed-off-by: default avatarPatrick Tjin <pattjin@google.com>
      Change-Id: Ibaaad7c3d99c509ec360b715323807ebe0027ab0
      234ec1ce
  21. 13 Oct, 2015 1 commit
  22. 08 Oct, 2015 1 commit
  23. 15 Sep, 2015 3 commits
  24. 10 Sep, 2015 1 commit
    • Devin Kim's avatar
      mmc: workaround for read ahead issue · 532cc442
      Devin Kim authored
      When the sequential read is interrupted by a special operation (RPMB access,
      Secure Erase and Secure Trim) the read ahead feature does not function as
      intended. In that case, data from special operation is not removed from the
      internal buffer. So when we read the next address, the reading data from the
      previous operation instead of the address.
      
      To avoid the issue, add dummy read and ignore the data in that case.
      
      Change-Id: I6c1a3285034c9e057879de601e1f80a4bed07edb
      Signed-off-by: default avatarDevin Kim <dojip.kim@lge.com>
      532cc442
  25. 20 Aug, 2015 5 commits
  26. 07 Aug, 2015 2 commits
  27. 01 Aug, 2015 1 commit