diff --git a/Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2013-7446/^4.3/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch new file mode 100644 index 00000000..00f6946b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch @@ -0,0 +1,334 @@ +From 8a292b04183e82d59721ab0893e4216010aa3db9 Mon Sep 17 00:00:00 2001 +From: Rainer Weikusat +Date: Fri, 20 Nov 2015 22:07:23 +0000 +Subject: [PATCH] BACKPORT: unix: avoid use-after-free in ep_remove_wait_queue + +Rainer Weikusat writes: +An AF_UNIX datagram socket being the client in an n:1 association with +some server socket is only allowed to send messages to the server if the +receive queue of this socket contains at most sk_max_ack_backlog +datagrams. This implies that prospective writers might be forced to go +to sleep despite none of the message presently enqueued on the server +receive queue were sent by them. In order to ensure that these will be +woken up once space becomes again available, the present unix_dgram_poll +routine does a second sock_poll_wait call with the peer_wait wait queue +of the server socket as queue argument (unix_dgram_recvmsg does a wake +up on this queue after a datagram was received). This is inherently +problematic because the server socket is only guaranteed to remain alive +for as long as the client still holds a reference to it. In case the +connection is dissolved via connect or by the dead peer detection logic +in unix_dgram_sendmsg, the server socket may be freed despite "the +polling mechanism" (in particular, epoll) still has a pointer to the +corresponding peer_wait queue. There's no way to forcibly deregister a +wait queue with epoll. + +Based on an idea by Jason Baron, the patch below changes the code such +that a wait_queue_t belonging to the client socket is enqueued on the +peer_wait queue of the server whenever the peer receive queue full +condition is detected by either a sendmsg or a poll. A wake up on the +peer queue is then relayed to the ordinary wait queue of the client +socket via wake function. The connection to the peer wait queue is again +dissolved if either a wake up is about to be relayed or the client +socket reconnects or a dead peer is detected or the client socket is +itself closed. This enables removing the second sock_poll_wait from +unix_dgram_poll, thus avoiding the use-after-free, while still ensuring +that no blocked writer sleeps forever. + +Signed-off-by: Rainer Weikusat +Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") +Reviewed-by: Jason Baron +Signed-off-by: David S. Miller + +Bug: 29119002 +(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c) +Signed-off-by: Aarthi Thiruvengadam + +Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e +--- + include/net/af_unix.h | 1 + + net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 165 insertions(+), 19 deletions(-) + +diff --git a/include/net/af_unix.h b/include/net/af_unix.h +index dbdfd2b0f3b3d..9120783132e71 100644 +--- a/include/net/af_unix.h ++++ b/include/net/af_unix.h +@@ -62,6 +62,7 @@ struct unix_sock { + #define UNIX_GC_CANDIDATE 0 + #define UNIX_GC_MAYBE_CYCLE 1 + struct socket_wq peer_wq; ++ wait_queue_t peer_wake; + }; + #define unix_sk(__sk) ((struct unix_sock *)__sk) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 924108f17b9a6..5e6323792a5e0 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -314,6 +314,118 @@ static struct sock *unix_find_socket_byinode(struct inode *i) + return s; + } + ++/* Support code for asymmetrically connected dgram sockets ++ * ++ * If a datagram socket is connected to a socket not itself connected ++ * to the first socket (eg, /dev/log), clients may only enqueue more ++ * messages if the present receive queue of the server socket is not ++ * "too large". This means there's a second writeability condition ++ * poll and sendmsg need to test. The dgram recv code will do a wake ++ * up on the peer_wait wait queue of a socket upon reception of a ++ * datagram which needs to be propagated to sleeping would-be writers ++ * since these might not have sent anything so far. This can't be ++ * accomplished via poll_wait because the lifetime of the server ++ * socket might be less than that of its clients if these break their ++ * association with it or if the server socket is closed while clients ++ * are still connected to it and there's no way to inform "a polling ++ * implementation" that it should let go of a certain wait queue ++ * ++ * In order to propagate a wake up, a wait_queue_t of the client ++ * socket is enqueued on the peer_wait queue of the server socket ++ * whose wake function does a wake_up on the ordinary client socket ++ * wait queue. This connection is established whenever a write (or ++ * poll for write) hit the flow control condition and broken when the ++ * association to the server socket is dissolved or after a wake up ++ * was relayed. ++ */ ++ ++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, ++ void *key) ++{ ++ struct unix_sock *u; ++ wait_queue_head_t *u_sleep; ++ ++ u = container_of(q, struct unix_sock, peer_wake); ++ ++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, ++ q); ++ u->peer_wake.private = NULL; ++ ++ /* relaying can only happen while the wq still exists */ ++ u_sleep = sk_sleep(&u->sk); ++ if (u_sleep) ++ wake_up_interruptible_poll(u_sleep, key); ++ ++ return 0; ++} ++ ++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ int rc; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ rc = 0; ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (!u->peer_wake.private) { ++ u->peer_wake.private = other; ++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ ++ rc = 1; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++ return rc; ++} ++ ++static void unix_dgram_peer_wake_disconnect(struct sock *sk, ++ struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (u->peer_wake.private == other) { ++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ u->peer_wake.private = NULL; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++} ++ ++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, ++ struct sock *other) ++{ ++ unix_dgram_peer_wake_disconnect(sk, other); ++ wake_up_interruptible_poll(sk_sleep(sk), ++ POLLOUT | ++ POLLWRNORM | ++ POLLWRBAND); ++} ++ ++/* preconditions: ++ * - unix_peer(sk) == other ++ * - association is stable ++ */ ++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) ++{ ++ int connected; ++ ++ connected = unix_dgram_peer_wake_connect(sk, other); ++ ++ if (unix_recvq_full(other)) ++ return 1; ++ ++ if (connected) ++ unix_dgram_peer_wake_disconnect(sk, other); ++ ++ return 0; ++} ++ + static inline int unix_writable(struct sock *sk) + { + return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; +@@ -418,6 +530,8 @@ static void unix_release_sock(struct sock *sk, int embrion) + skpair->sk_state_change(skpair); + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); + } ++ ++ unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ + unix_peer(sk) = NULL; + } +@@ -651,6 +765,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock) + INIT_LIST_HEAD(&u->link); + mutex_init(&u->readlock); /* single task reading lock */ + init_waitqueue_head(&u->peer_wait); ++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); + unix_insert_socket(unix_sockets_unbound(sk), sk); + out: + if (sk == NULL) +@@ -1020,6 +1135,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + if (unix_peer(sk)) { + struct sock *old_peer = unix_peer(sk); + unix_peer(sk) = other; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); ++ + unix_state_double_unlock(sk, other); + + if (other != old_peer) +@@ -1459,6 +1576,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + struct scm_cookie tmp_scm; + int max_level; + int data_len = 0; ++ int sk_locked; + + if (NULL == siocb->scm) + siocb->scm = &tmp_scm; +@@ -1535,12 +1653,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + goto out_free; + } + ++ sk_locked = 0; + unix_state_lock(other); ++restart_locked: + err = -EPERM; + if (!unix_may_send(sk, other)) + goto out_unlock; + +- if (sock_flag(other, SOCK_DEAD)) { ++ if (unlikely(sock_flag(other, SOCK_DEAD))) { + /* + * Check with 1003.1g - what should + * datagram error +@@ -1548,10 +1668,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + unix_state_unlock(other); + sock_put(other); + ++ if (!sk_locked) ++ unix_state_lock(sk); ++ + err = 0; +- unix_state_lock(sk); + if (unix_peer(sk) == other) { + unix_peer(sk) = NULL; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, other); ++ + unix_state_unlock(sk); + + unix_dgram_disconnected(sk, other); +@@ -1577,21 +1701,38 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + goto out_unlock; + } + +- if (unix_peer(other) != sk && unix_recvq_full(other)) { +- if (!timeo) { +- err = -EAGAIN; +- goto out_unlock; ++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ if (timeo) { ++ timeo = unix_wait_for_peer(other, timeo); ++ ++ err = sock_intr_errno(timeo); ++ if (signal_pending(current)) ++ goto out_free; ++ ++ goto restart; + } + +- timeo = unix_wait_for_peer(other, timeo); ++ if (!sk_locked) { ++ unix_state_unlock(other); ++ unix_state_double_lock(sk, other); ++ } + +- err = sock_intr_errno(timeo); +- if (signal_pending(current)) +- goto out_free; ++ if (unix_peer(sk) != other || ++ unix_dgram_peer_wake_me(sk, other)) { ++ err = -EAGAIN; ++ sk_locked = 1; ++ goto out_unlock; ++ } + +- goto restart; ++ if (!sk_locked) { ++ sk_locked = 1; ++ goto restart_locked; ++ } + } + ++ if (unlikely(sk_locked)) ++ unix_state_unlock(sk); ++ + if (sock_flag(other, SOCK_RCVTSTAMP)) + __net_timestamp(skb); + maybe_add_creds(skb, sock, other); +@@ -1605,6 +1746,8 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + return len; + + out_unlock: ++ if (sk_locked) ++ unix_state_unlock(sk); + unix_state_unlock(other); + out_free: + kfree_skb(skb); +@@ -2243,14 +2386,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + return mask; + + writable = unix_writable(sk); +- other = unix_peer_get(sk); +- if (other) { +- if (unix_peer(other) != sk) { +- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); +- if (unix_recvq_full(other)) +- writable = 0; +- } +- sock_put(other); ++ if (writable) { ++ unix_state_lock(sk); ++ ++ other = unix_peer(sk); ++ if (other && unix_peer(other) != sk && ++ unix_recvq_full(other) && ++ unix_dgram_peer_wake_me(sk, other)) ++ writable = 0; ++ ++ unix_state_unlock(sk); + } + + if (writable) diff --git a/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch new file mode 100644 index 00000000..65238ba8 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch @@ -0,0 +1,56 @@ +From 5bed19c9f463f9078063363779548c50aea271a0 Mon Sep 17 00:00:00 2001 +From: Rainer Weikusat +Date: Thu, 11 Feb 2016 19:37:27 +0000 +Subject: [PATCH] UPSTREAM: af_unix: Guard against other == sk in + unix_dgram_sendmsg + +(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1) + +The unix_dgram_sendmsg routine use the following test + +if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { + +to determine if sk and other are in an n:1 association (either +established via connect or by using sendto to send messages to an +unrelated socket identified by address). This isn't correct as the +specified address could have been bound to the sending socket itself or +because this socket could have been connected to itself by the time of +the unix_peer_get but disconnected before the unix_state_lock(other). In +both cases, the if-block would be entered despite other == sk which +might either block the sender unintentionally or lead to trying to unlock +the same spin lock twice for a non-blocking send. Add a other != sk +check to guard against this. + +Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") +Reported-By: Philipp Hahn +Signed-off-by: Rainer Weikusat +Tested-by: Philipp Hahn +Signed-off-by: David S. Miller + +Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e + ("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue") +Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2 +Signed-off-by: Amit Pundir +Bug: 29119002 +--- + net/unix/af_unix.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 5e6323792a5e0..204bee47aa10c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1701,7 +1701,12 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + goto out_unlock; + } + +- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ /* other == sk && unix_peer(other) != sk if ++ * - unix_peer(sk) == NULL, destination address bound to sk ++ * - unix_peer(sk) == sk by time of get but disconnected before lock ++ */ ++ if (other != sk && ++ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { + if (timeo) { + timeo = unix_wait_for_peer(other, timeo); + diff --git a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch new file mode 100644 index 00000000..d8ba31bc --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch @@ -0,0 +1,72 @@ +From 48a6c91c1d967cc8375621509676a9eabfac5777 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 24 Oct 2014 00:14:39 +0200 +Subject: [PATCH] BACKPORT: fs: limit filesystem stacking depth + +Add a simple read-only counter to super_block that indicates how deep this +is in the stack of filesystems. Previously ecryptfs was the only stackable +filesystem and it explicitly disallowed multiple layers of itself. + +Overlayfs, however, can be stacked recursively and also may be stacked +on top of ecryptfs or vice versa. + +To limit the kernel stack usage we must limit the depth of the +filesystem stack. Initially the limit is set to 2. + +Signed-off-by: Miklos Szeredi + +(cherry picked from commit 69c433ed2ecd2d3264efd7afec4439524b319121) + +Bug: 32761463 +Change-Id: I69b2fba2112db2ece09a1bf61a44f8fc4db00820 +--- + fs/ecryptfs/main.c | 7 +++++++ + include/linux/fs.h | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c +index 329a9cc2b2ebe..8a041bb0753fa 100644 +--- a/fs/ecryptfs/main.c ++++ b/fs/ecryptfs/main.c +@@ -577,6 +577,13 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags + s->s_maxbytes = path.dentry->d_sb->s_maxbytes; + s->s_blocksize = path.dentry->d_sb->s_blocksize; + s->s_magic = ECRYPTFS_SUPER_MAGIC; ++ s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1; ++ ++ rc = -EINVAL; ++ if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { ++ pr_err("eCryptfs: maximum fs stacking depth exceeded\n"); ++ goto out_free; ++ } + + inode = ecryptfs_get_inode(path.dentry->d_inode, s); + rc = PTR_ERR(inode); +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 1bbd26958874f..0d1e1680f3657 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -244,6 +244,12 @@ struct iattr { + */ + #include + ++/* ++ * Maximum number of layers of fs stack. Needs to be limited to ++ * prevent kernel stack overflow ++ */ ++#define FILESYSTEM_MAX_STACK_DEPTH 2 ++ + /** + * enum positive_aop_returns - aop return codes with specific semantics + * +@@ -1331,6 +1337,10 @@ struct super_block { + + /* AIO completions deferred from interrupt context */ + struct workqueue_struct *s_dio_done_wq; ++ /* ++ * Indicates how deep in a filesystem stack this SB is ++ */ ++ int s_stack_depth; + }; + + /* superblock cache pruning functions */ diff --git a/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch new file mode 100644 index 00000000..b745bbd2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch @@ -0,0 +1,32 @@ +From 57bc19ec472ab303209b2d96a59a619c5221594d Mon Sep 17 00:00:00 2001 +From: Andrew Chant +Date: Wed, 8 Feb 2017 15:33:48 -0800 +Subject: [PATCH] sdcardfs: limit stacking depth + +Limit filesystem stacking to prevent stack overflow. + +Bug: 32761463 +Change-Id: I8b1462b9c0d6c7f00cf110724ffb17e7f307c51e +Signed-off-by: Andrew Chant +--- + fs/sdcardfs/main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/sdcardfs/main.c b/fs/sdcardfs/main.c +index a6522286d7314..8b51a124298f4 100755 +--- a/fs/sdcardfs/main.c ++++ b/fs/sdcardfs/main.c +@@ -223,6 +223,13 @@ static int sdcardfs_read_super(struct super_block *sb, const char *dev_name, + atomic_inc(&lower_sb->s_active); + sdcardfs_set_lower_super(sb, lower_sb); + ++ sb->s_stack_depth = lower_sb->s_stack_depth + 1; ++ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { ++ pr_err("sdcardfs: maximum fs stacking depth exceeded\n"); ++ err = -EINVAL; ++ goto out_sput; ++ } ++ + /* inherit maxbytes from lower file system */ + sb->s_maxbytes = lower_sb->s_maxbytes; + diff --git a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch new file mode 100644 index 00000000..8beb5150 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch @@ -0,0 +1,425 @@ +From 6b0c893dc08060d6999b07136391d8a298678dae Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 19 Sep 2016 17:39:09 +0200 +Subject: [PATCH] BACKPORT: posix_acl: Clear SGID bit when setting file + permissions + +(cherry pick from commit 073931017b49d9458aa351605b43a7e34598caef) + +When file permissions are modified via chmod(2) and the user is not in +the owning group or capable of CAP_FSETID, the setgid bit is cleared in +inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file +permissions as well as the new ACL, but doesn't clear the setgid bit in +a similar way; this allows to bypass the check in chmod(2). Fix that. + +NB: conflicts resolution included extending the change to all visible + users of the near deprecated function posix_acl_equiv_mode + replaced with posix_acl_update_mode. We did not resolve the ACL + leak in this CL, require additional upstream fixes. + +References: CVE-2016-7097 +Reviewed-by: Christoph Hellwig +Reviewed-by: Jeff Layton +Signed-off-by: Jan Kara +Signed-off-by: Andreas Gruenbacher +Bug: 32458736 +Change-Id: I19591ad452cc825ac282b3cfd2daaa72aa9a1ac1 +--- + fs/9p/acl.c | 40 +++++++++++++++++----------------------- + fs/btrfs/acl.c | 6 ++---- + fs/ext2/acl.c | 12 ++++-------- + fs/ext3/acl.c | 12 ++++-------- + fs/ext4/acl.c | 12 ++++-------- + fs/f2fs/acl.c | 6 ++---- + fs/generic_acl.c | 8 ++------ + fs/gfs2/acl.c | 11 +++-------- + fs/jffs2/acl.c | 9 ++++----- + fs/jfs/xattr.c | 6 +++--- + fs/ocfs2/acl.c | 18 ++++++------------ + fs/posix_acl.c | 31 +++++++++++++++++++++++++++++++ + fs/reiserfs/xattr_acl.c | 8 ++------ + fs/xfs/xfs_acl.c | 13 +++---------- + include/linux/posix_acl.h | 1 + + 15 files changed, 88 insertions(+), 105 deletions(-) + +diff --git a/fs/9p/acl.c b/fs/9p/acl.c +index 7af425f53beef..9686c1f17653f 100644 +--- a/fs/9p/acl.c ++++ b/fs/9p/acl.c +@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name, + case ACL_TYPE_ACCESS: + name = POSIX_ACL_XATTR_ACCESS; + if (acl) { +- umode_t mode = inode->i_mode; +- retval = posix_acl_equiv_mode(acl, &mode); +- if (retval < 0) ++ struct iattr iattr; ++ ++ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl); ++ if (retval) + goto err_out; +- else { +- struct iattr iattr; +- if (retval == 0) { +- /* +- * ACL can be represented +- * by the mode bits. So don't +- * update ACL. +- */ +- acl = NULL; +- value = NULL; +- size = 0; +- } +- /* Updte the mode bits */ +- iattr.ia_mode = ((mode & S_IALLUGO) | +- (inode->i_mode & ~S_IALLUGO)); +- iattr.ia_valid = ATTR_MODE; +- /* FIXME should we update ctime ? +- * What is the following setxattr update the +- * mode ? ++ if (!acl) { ++ /* ++ * ACL can be represented ++ * by the mode bits. So don't ++ * update ACL. + */ +- v9fs_vfs_setattr_dotl(dentry, &iattr); ++ value = NULL; ++ size = 0; + } ++ iattr.ia_valid = ATTR_MODE; ++ /* FIXME should we update ctime ? ++ * What is the following setxattr update the ++ * mode ? ++ */ ++ v9fs_vfs_setattr_dotl(dentry, &iattr); + } + break; + case ACL_TYPE_DEFAULT: +diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c +index 0890c83643e94..d6d53e5e7945d 100644 +--- a/fs/btrfs/acl.c ++++ b/fs/btrfs/acl.c +@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans, + case ACL_TYPE_ACCESS: + name = POSIX_ACL_XATTR_ACCESS; + if (acl) { +- ret = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (ret < 0) ++ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (ret) + return ret; +- if (ret == 0) +- acl = NULL; + } + ret = 0; + break; +diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c +index 110b6b371a4ed..48c3c2d7d2619 100644 +--- a/fs/ext2/acl.c ++++ b/fs/ext2/acl.c +@@ -206,15 +206,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl) + case ACL_TYPE_ACCESS: + name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + return error; +- else { +- inode->i_ctime = CURRENT_TIME_SEC; +- mark_inode_dirty(inode); +- if (error == 0) +- acl = NULL; +- } ++ inode->i_ctime = CURRENT_TIME_SEC; ++ mark_inode_dirty(inode); + } + break; + +diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c +index dbb5ad59a7fc3..bb2f60a62d82a 100644 +--- a/fs/ext3/acl.c ++++ b/fs/ext3/acl.c +@@ -205,15 +205,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type, + case ACL_TYPE_ACCESS: + name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + return error; +- else { +- inode->i_ctime = CURRENT_TIME_SEC; +- ext3_mark_inode_dirty(handle, inode); +- if (error == 0) +- acl = NULL; +- } ++ inode->i_ctime = CURRENT_TIME_SEC; ++ ext3_mark_inode_dirty(handle, inode); + } + break; + +diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c +index d40c8dbbb0d66..87d9bbf6a53f3 100644 +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -201,15 +201,11 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type, + case ACL_TYPE_ACCESS: + name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + return error; +- else { +- inode->i_ctime = ext4_current_time(inode); +- ext4_mark_inode_dirty(handle, inode); +- if (error == 0) +- acl = NULL; +- } ++ inode->i_ctime = ext4_current_time(inode); ++ ext4_mark_inode_dirty(handle, inode); + } + break; + +diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c +index 44abc2f286e00..9c4f3c732bce4 100644 +--- a/fs/f2fs/acl.c ++++ b/fs/f2fs/acl.c +@@ -223,12 +223,10 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl) + case ACL_TYPE_ACCESS: + name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + return error; + set_acl_inode(fi, inode->i_mode); +- if (error == 0) +- acl = NULL; + } + break; + +diff --git a/fs/generic_acl.c b/fs/generic_acl.c +index b3f3676796d31..21408084c3b34 100644 +--- a/fs/generic_acl.c ++++ b/fs/generic_acl.c +@@ -87,14 +87,10 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value, + goto failed; + switch (type) { + case ACL_TYPE_ACCESS: +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + goto failed; + inode->i_ctime = CURRENT_TIME; +- if (error == 0) { +- posix_acl_release(acl); +- acl = NULL; +- } + break; + case ACL_TYPE_DEFAULT: + if (!S_ISDIR(inode->i_mode)) { +diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c +index f69ac0af5496c..e7b330ef4dfda 100644 +--- a/fs/gfs2/acl.c ++++ b/fs/gfs2/acl.c +@@ -268,15 +268,10 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name, + + if (type == ACL_TYPE_ACCESS) { + umode_t mode = inode->i_mode; +- error = posix_acl_equiv_mode(acl, &mode); ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + +- if (error <= 0) { +- posix_acl_release(acl); +- acl = NULL; +- +- if (error < 0) +- return error; +- } ++ if (error) ++ goto out_release; + + error = gfs2_set_mode(inode, mode); + if (error) +diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c +index 223283c301116..9335b8d3cf521 100644 +--- a/fs/jffs2/acl.c ++++ b/fs/jffs2/acl.c +@@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl) + case ACL_TYPE_ACCESS: + xprefix = JFFS2_XPREFIX_ACL_ACCESS; + if (acl) { +- umode_t mode = inode->i_mode; +- rc = posix_acl_equiv_mode(acl, &mode); +- if (rc < 0) ++ umode_t mode; ++ ++ rc = posix_acl_update_mode(inode, &mode, &acl); ++ if (rc) + return rc; + if (inode->i_mode != mode) { + struct iattr attr; +@@ -257,8 +258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl) + if (rc < 0) + return rc; + } +- if (rc == 0) +- acl = NULL; + } + break; + case ACL_TYPE_DEFAULT: +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index 42d67f9757bf6..c79b1d7a53e24 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -693,11 +693,11 @@ static int can_set_system_xattr(struct inode *inode, const char *name, + return rc; + } + if (acl) { +- rc = posix_acl_equiv_mode(acl, &inode->i_mode); ++ rc = posix_acl_update_mode(inode, &inode->i_mode, &acl); + posix_acl_release(acl); +- if (rc < 0) { ++ if (rc) { + printk(KERN_ERR +- "posix_acl_equiv_mode returned %d\n", ++ "posix_acl_update_mode returned %d\n", + rc); + return rc; + } +diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c +index 8a404576fb265..2fe643160cf73 100644 +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -275,19 +275,13 @@ static int ocfs2_set_acl(handle_t *handle, + name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl) { + umode_t mode = inode->i_mode; +- ret = posix_acl_equiv_mode(acl, &mode); +- if (ret < 0) ++ ret = posix_acl_update_mode(inode, &mode, &acl); ++ if (ret) ++ return ret; ++ ret = ocfs2_acl_set_mode(inode, di_bh, ++ handle, mode); ++ if (ret) + return ret; +- else { +- if (ret == 0) +- acl = NULL; +- +- ret = ocfs2_acl_set_mode(inode, di_bh, +- handle, mode); +- if (ret) +- return ret; +- +- } + } + break; + case ACL_TYPE_DEFAULT: +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index 3542f1f814e2a..35cc1f40b82df 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -341,6 +341,37 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) + return not_equiv; + } + ++/** ++ * posix_acl_update_mode - update mode in set_acl ++ * ++ * Update the file mode when setting an ACL: compute the new file permission ++ * bits based on the ACL. In addition, if the ACL is equivalent to the new ++ * file mode, set *acl to NULL to indicate that no ACL should be set. ++ * ++ * As with chmod, clear the setgit bit if the caller is not in the owning group ++ * or capable of CAP_FSETID (see inode_change_ok). ++ * ++ * Called from set_acl inode operations. ++ */ ++int posix_acl_update_mode(struct inode *inode, umode_t *mode_p, ++ struct posix_acl **acl) ++{ ++ umode_t mode = inode->i_mode; ++ int error; ++ ++ error = posix_acl_equiv_mode(*acl, &mode); ++ if (error < 0) ++ return error; ++ if (error == 0) ++ *acl = NULL; ++ if (!in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) ++ mode &= ~S_ISGID; ++ *mode_p = mode; ++ return 0; ++} ++EXPORT_SYMBOL(posix_acl_update_mode); ++ + /* + * Modify the ACL for the chmod syscall. + */ +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c +index 6c8767fdfc6a2..2d73589f37d64 100644 +--- a/fs/reiserfs/xattr_acl.c ++++ b/fs/reiserfs/xattr_acl.c +@@ -286,13 +286,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode, + case ACL_TYPE_ACCESS: + name = POSIX_ACL_XATTR_ACCESS; + if (acl) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) + return error; +- else { +- if (error == 0) +- acl = NULL; +- } + } + break; + case ACL_TYPE_DEFAULT: +diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c +index 306d883d89bc7..4f8e4770229cf 100644 +--- a/fs/xfs/xfs_acl.c ++++ b/fs/xfs/xfs_acl.c +@@ -389,16 +389,9 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name, + + if (type == ACL_TYPE_ACCESS) { + umode_t mode = inode->i_mode; +- error = posix_acl_equiv_mode(acl, &mode); +- +- if (error <= 0) { +- posix_acl_release(acl); +- acl = NULL; +- +- if (error < 0) +- return error; +- } +- ++ error = posix_acl_update_mode(inode, &mode, &acl); ++ if (error) ++ goto out_release; + error = xfs_set_mode(inode, mode); + if (error) + goto out_release; +diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h +index 7931efe711755..2ae0bba45f124 100644 +--- a/include/linux/posix_acl.h ++++ b/include/linux/posix_acl.h +@@ -90,6 +90,7 @@ extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t); + extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *); + extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *); + extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t); ++extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **); + + extern struct posix_acl *get_posix_acl(struct inode *, int); + extern int set_posix_acl(struct inode *, int, struct posix_acl *); diff --git a/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch new file mode 100644 index 00000000..3afc1919 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch @@ -0,0 +1,45 @@ +From aedf77d56472d1fddf050c61c1017d4f51149fb1 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Tue, 13 Dec 2016 10:33:34 -0800 +Subject: [PATCH] FROMLIST: 9p: fix a potential acl leak + +(https://lkml.org/lkml/2016/12/13/579) + +posix_acl_update_mode() could possibly clear 'acl', if so +we leak the memory pointed by 'acl'. Save this pointer +before calling posix_acl_update_mode() and release the memory +if 'acl' really gets cleared. + +Reported-by: Mark Salyzyn +Reviewed-by: Jan Kara +Reviewed-by: Greg Kurz +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Signed-off-by: Cong Wang +Bug: 32458736 +Change-Id: Ia78da401e6fd1bfd569653bd2cd0ebd3f9c737a0 +--- + fs/9p/acl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/9p/acl.c b/fs/9p/acl.c +index 9686c1f17653f..c19a66472d2eb 100644 +--- a/fs/9p/acl.c ++++ b/fs/9p/acl.c +@@ -321,6 +321,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name, + name = POSIX_ACL_XATTR_ACCESS; + if (acl) { + struct iattr iattr; ++ struct posix_acl *old_acl = acl; + + retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl); + if (retval) +@@ -331,6 +332,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name, + * by the mode bits. So don't + * update ACL. + */ ++ posix_acl_release(old_acl); + value = NULL; + size = 0; + } diff --git a/Patches/Linux_CVEs/CVE-2016-7097/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7097/^4.8/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7097/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2016-7097/^4.8/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-7117/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7117/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2016-7117/^4.5/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch b/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch new file mode 100644 index 00000000..d4abc30f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch @@ -0,0 +1,49 @@ +From 0b5240c45e2029986526b1405ab24906c708f770 Mon Sep 17 00:00:00 2001 +From: Maxime Jayat +Date: Tue, 21 Feb 2017 18:35:51 +0100 +Subject: net: socket: fix recvmmsg not returning error from sock_error + +commit e623a9e9dec29ae811d11f83d0074ba254aba374 upstream. + +Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"), +changed the exit path of recvmmsg to always return the datagrams +variable and modified the error paths to set the variable to the error +code returned by recvmsg if necessary. + +However in the case sock_error returned an error, the error code was +then ignored, and recvmmsg returned 0. + +Change the error path of recvmmsg to correctly return the error code +of sock_error. + +The bug was triggered by using recvmmsg on a CAN interface which was +not up. Linux 4.6 and later return 0 in this case while earlier +releases returned -ENETDOWN. + +Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path") +Signed-off-by: Maxime Jayat +Signed-off-by: David S. Miller +Signed-off-by: Willy Tarreau +--- + net/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/socket.c b/net/socket.c +index e91e8ed..773ba3a 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2326,8 +2326,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + return err; + + err = sock_error(sock->sk); +- if (err) ++ if (err) { ++ datagrams = err; + goto out_put; ++ } + + entry = mmsg; + compat_entry = (struct compat_mmsghdr __user *)mmsg; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch new file mode 100644 index 00000000..58230690 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch @@ -0,0 +1,80 @@ +From 28fb06421ab3d9256d32611138306470996cc4c1 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 22 Mar 2016 17:30:58 -0400 +Subject: [PATCH] UPSTREAM: tracing: Fix trace_printk() to print when not using + bprintk() + +The trace_printk() code will allocate extra buffers if the compile detects +that a trace_printk() is used. To do this, the format of the trace_printk() +is saved to the __trace_printk_fmt section, and if that section is bigger +than zero, the buffers are allocated (along with a message that this has +happened). + +If trace_printk() uses a format that is not a constant, and thus something +not guaranteed to be around when the print happens, the compiler optimizes +the fmt out, as it is not used, and the __trace_printk_fmt section is not +filled. This means the kernel will not allocate the special buffers needed +for the trace_printk() and the trace_printk() will not write anything to the +tracing buffer. + +Adding a "__used" to the variable in the __trace_printk_fmt section will +keep it around, even though it is set to NULL. This will keep the string +from being printed in the debugfs/tracing/printk_formats section as it is +not needed. + +Reported-by: Vlastimil Babka +Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()" +Cc: stable@vger.kernel.org # v3.5+ +Bug: 34277115 +Signed-off-by: Steven Rostedt +Change-Id: I10ce56caa41c7644d9d290d9ed272a6d156c938c +--- + include/linux/kernel.h | 6 +++--- + kernel/trace/trace_printk.c | 3 +++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index 44d0a02224897..0d1fa1b442209 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -554,7 +554,7 @@ do { \ + + #define do_trace_printk(fmt, args...) \ + do { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +@@ -601,7 +601,7 @@ extern int __trace_puts(unsigned long ip, const char *str, int size); + */ + + #define trace_puts(str) ({ \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(str) ? str : NULL; \ + \ +@@ -621,7 +621,7 @@ extern void trace_dump_stack(int skip); + #define ftrace_vprintk(fmt, vargs) \ + do { \ + if (__builtin_constant_p(fmt)) { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index a9077c1b4ad3f..fdb23e84b011b 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v) + const char *str = *fmt; + int i; + ++ if (!*fmt) ++ return 0; ++ + seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); + + /* diff --git a/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch new file mode 100644 index 00000000..3dc82545 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch @@ -0,0 +1,27 @@ +From 45e5a5e1b85f23843b90f3cddcfc26fa862ff80c Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Fri, 3 Mar 2017 15:40:12 -0800 +Subject: [PATCH] tracing: do not leak kernel addresses + +This likely breaks tracing tools like trace-cmd. It logs in the same +format but now addresses are all 0x0. + +Bug: 34277115 +Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9 +--- + kernel/trace/trace_printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index fdb23e84b011b..f423e8d551c0a 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -275,7 +275,7 @@ static int t_show(struct seq_file *m, void *v) + if (!*fmt) + return 0; + +- seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); ++ seq_printf(m, "0x%lx : \"", 0L); + + /* + * Tabs and new lines need to be converted. diff --git a/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch new file mode 100644 index 00000000..7d72b4b9 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch @@ -0,0 +1,32 @@ +From 93533f313a1bf465ff8c33032e91b88315dcf9bf Mon Sep 17 00:00:00 2001 +From: Robb Glasser +Date: Fri, 11 Aug 2017 11:33:31 -0700 +Subject: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info + +When the device descriptor is closed, the `substream->runtime` pointer +is freed. But another thread may be in the ioctl handler, case +SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which +calls snd_pcm_info() which accesses the now freed `substream->runtime`. + +Bug: 36006981 +Signed-off-by: Robb Glasser +Signed-off-by: Nick Desaulniers +Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a +--- + sound/core/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 0ad1231c15372..6548b3af383fa 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, + err = -ENXIO; + goto _error; + } ++ mutex_lock(&pcm->open_mutex); + err = snd_pcm_info_user(substream, info); ++ mutex_unlock(&pcm->open_mutex); + _error: + mutex_unlock(®ister_mutex); + return err; diff --git a/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch new file mode 100644 index 00000000..31c53866 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch @@ -0,0 +1,28 @@ +From 19384322b5b51987bd6037f7a6b18a62a5d4d654 Mon Sep 17 00:00:00 2001 +From: Jianqiang Zhao +Date: Mon, 6 Mar 2017 16:33:42 +0800 +Subject: [PATCH] ANDROID: input: keychord: fix race condition bug + +Change-Id: I9c7c759c99e21cad9a7f9a09128122bf6ae11302 +Signed-off-by: Jianqiang Zhao +Bug: 36006779 +--- + drivers/input/misc/keychord.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/misc/keychord.c b/drivers/input/misc/keychord.c +index a5ea27ad0e16c..f580edf1c87ce 100644 +--- a/drivers/input/misc/keychord.c ++++ b/drivers/input/misc/keychord.c +@@ -300,8 +300,10 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer, + + ret = input_register_handler(&kdev->input_handler); + if (ret) { +- kfree(keychords); ++ spin_lock_irqsave(&kdev->lock, flags); ++ kfree(kdev->keychords); + kdev->keychords = 0; ++ spin_unlock_irqrestore(&kdev->lock, flags); + return ret; + } + kdev->registered = 1; diff --git a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch new file mode 100644 index 00000000..51711f30 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch @@ -0,0 +1,25 @@ +diff --git a/drivers/gpu/drm/nouveau/nouveau_usif.c b/drivers/gpu/drm/nouveau/nouveau_usif.c +index cb1182d..8d4fcc1 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_usif.c ++++ b/drivers/gpu/drm/nouveau/nouveau_usif.c +@@ -316,6 +316,12 @@ + } else + goto done; + ++ object = (void *)(unsigned long)argv->v0.token; ++ if (!access_ok(VERIFY_READ, object, sizeof(struct usif_object))) { ++ ret = -EINVAL; ++ goto done; ++ } ++ + mutex_lock(&cli->mutex); + switch (argv->v0.type) { + case NVIF_IOCTL_V0_NEW: +@@ -340,7 +346,6 @@ + break; + } + if (argv->v0.route == NVDRM_OBJECT_USIF) { +- object = (void *)(unsigned long)argv->v0.token; + argv->v0.route = object->route; + argv->v0.token = object->token; + if (ret == 0 && argv->v0.type == NVIF_IOCTL_V0_DEL) { diff --git a/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 new file mode 100644 index 00000000..3cc718d5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L25vdXZlYXVfdXNpZi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKaW5kZXggY2IxMTgyZC4uOGQ0ZmNjMSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKQEAgLTMxNiw2ICszMTYsMTIgQEAKIAl9IGVsc2UKIAkJZ290byBkb25lOwogCisJb2JqZWN0ID0gKHZvaWQgKikodW5zaWduZWQgbG9uZylhcmd2LT52MC50b2tlbjsKKwlpZiAoIWFjY2Vzc19vayhWRVJJRllfUkVBRCwgb2JqZWN0LCBzaXplb2Yoc3RydWN0IHVzaWZfb2JqZWN0KSkpIHsKKwkJcmV0ID0gLUVJTlZBTDsKKwkJZ290byBkb25lOworCX0KKwogCW11dGV4X2xvY2soJmNsaS0+bXV0ZXgpOwogCXN3aXRjaCAoYXJndi0+djAudHlwZSkgewogCWNhc2UgTlZJRl9JT0NUTF9WMF9ORVc6CkBAIC0zNDAsNyArMzQ2LDYgQEAKIAkJYnJlYWs7CiAJfQogCWlmIChhcmd2LT52MC5yb3V0ZSA9PSBOVkRSTV9PQkpFQ1RfVVNJRikgewotCQlvYmplY3QgPSAodm9pZCAqKSh1bnNpZ25lZCBsb25nKWFyZ3YtPnYwLnRva2VuOwogCQlhcmd2LT52MC5yb3V0ZSA9IG9iamVjdC0+cm91dGU7CiAJCWFyZ3YtPnYwLnRva2VuID0gb2JqZWN0LT50b2tlbjsKIAkJaWYgKHJldCA9PSAwICYmIGFyZ3YtPnYwLnR5cGUgPT0gTlZJRl9JT0NUTF9WMF9ERUwpIHsK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch new file mode 100644 index 00000000..4ae65834 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch @@ -0,0 +1,63 @@ +diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h +index 111c093..10f1872 100644 +--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h ++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h +@@ -24,7 +24,6 @@ + * under proprietary terms before Copyright ownership was assigned + * to the Linux Foundation. + */ +- + #ifndef DOT11F_H + #define DOT11F_H + /** +@@ -37,7 +36,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Tue Sep 29 17:32:33 2015 from the following file(s): ++ * Tue Jul 4 11:07:27 2017 from the following file(s): + * + * dot11f.frms + * +@@ -91,8 +90,8 @@ + #define DOT11F_BUFFER_OVERFLOW ( 0x10000005 ) + #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 ) + #define DOT11F_FAILED(code) ( (code) & 0x10000000 ) +-#define DOT11F_WARNED(code) ( ( ( 0 == (code) ) & 0x10000000 ) && code) + #define DOT11F_SUCCEEDED(code) ( (code) == 0 ) ++#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code)) + + /********************************************************************* + * Fixed Fields * +diff --git a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c +index 0f542d0..c19e9c0 100644 +--- a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c ++++ b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c +@@ -35,7 +35,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Tue Sep 29 17:32:33 2015 from the following file(s): ++ * Tue Jul 4 11:07:27 2017 from the following file(s): + * + * dot11f.frms + * +@@ -18778,6 +18778,10 @@ + } + + countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset))); ++ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) { ++ status |= DOT11F_DUPLICATE_IE; ++ goto skip_dup_ie; ++ } + switch (pIe->sig) + { + case SigIeCondensedCountryStr: +@@ -19215,6 +19219,7 @@ + status |= DOT11F_UNKNOWN_IES; + } + ++skip_dup_ie: + pBufRemaining += len; + + if (len > nBufRemaining) diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64 new file mode 100644 index 00000000..83d01d6b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvTUFDL3NyYy9pbmNsdWRlL2RvdDExZi5oIGIvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKaW5kZXggMTExYzA5My4uMTBmMTg3MiAxMDA2NDQKLS0tIGEvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKKysrIGIvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKQEAgLTI0LDcgKzI0LDYgQEAKICAqIHVuZGVyIHByb3ByaWV0YXJ5IHRlcm1zIGJlZm9yZSBDb3B5cmlnaHQgb3duZXJzaGlwIHdhcyBhc3NpZ25lZAogICogdG8gdGhlIExpbnV4IEZvdW5kYXRpb24uCiAgKi8KLQogI2lmbmRlZiBET1QxMUZfSAogI2RlZmluZSBET1QxMUZfSAogLyoqCkBAIC0zNyw3ICszNiw3IEBACiAgICoKICAgKgogICAqIFRoaXMgZmlsZSB3YXMgYXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgJ2ZyYW1lc2MnCi0gICogVHVlIFNlcCAyOSAxNzozMjozMyAyMDE1IGZyb20gdGhlIGZvbGxvd2luZyBmaWxlKHMpOgorICAqIFR1ZSBKdWwgIDQgMTE6MDc6MjcgMjAxNyBmcm9tIHRoZSBmb2xsb3dpbmcgZmlsZShzKToKICAgKgogICAqIGRvdDExZi5mcm1zCiAgICoKQEAgLTkxLDggKzkwLDggQEAKICNkZWZpbmUgRE9UMTFGX0JVRkZFUl9PVkVSRkxPVyAgICAgICAoIDB4MTAwMDAwMDUgKQogI2RlZmluZSBET1QxMUZfTUFOREFUT1JZX1RMVl9NSVNTSU5HICggMHgwMDAwMTAwMCApCiAjZGVmaW5lIERPVDExRl9GQUlMRUQoY29kZSkgICAgICAgICAgKCAoY29kZSkgJiAweDEwMDAwMDAwICkKLSNkZWZpbmUgRE9UMTFGX1dBUk5FRChjb2RlKSAgICAgICAgICAoICggKCAwID09IChjb2RlKSApICYgMHgxMDAwMDAwMCApICYmIGNvZGUpCiAjZGVmaW5lIERPVDExRl9TVUNDRUVERUQoY29kZSkgICAgICAgKCAoY29kZSkgPT0gMCApCisjZGVmaW5lIERPVDExRl9XQVJORUQoY29kZSkgICAgICAgICAgKCFET1QxMUZfU1VDQ0VFREVEKGNvZGUpICYmICFET1QxMUZfRkFJTEVEKGNvZGUpKQogCiAvKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCiAgKiBGaXhlZCBGaWVsZHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAqCmRpZmYgLS1naXQgYS9kcml2ZXJzL3N0YWdpbmcvcWNhY2xkLTIuMC9DT1JFL1NZUy9sZWdhY3kvc3JjL3V0aWxzL3NyYy9kb3QxMWYuYyBiL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCmluZGV4IDBmNTQyZDAuLmMxOWU5YzAgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCisrKyBiL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCkBAIC0zNSw3ICszNSw3IEBACiAgICoKICAgKgogICAqIFRoaXMgZmlsZSB3YXMgYXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgJ2ZyYW1lc2MnCi0gICogVHVlIFNlcCAyOSAxNzozMjozMyAyMDE1IGZyb20gdGhlIGZvbGxvd2luZyBmaWxlKHMpOgorICAqIFR1ZSBKdWwgIDQgMTE6MDc6MjcgMjAxNyBmcm9tIHRoZSBmb2xsb3dpbmcgZmlsZShzKToKICAgKgogICAqIGRvdDExZi5mcm1zCiAgICoKQEAgLTE4Nzc4LDYgKzE4Nzc4LDEwIEBACiAgICAgICAgICAgICAgICAgfQogCiAgICAgICAgIGNvdW50T2Zmc2V0ID0gKCAoMCAhPSBwSWUtPmFycmF5Ym91bmQpICogKCAqKHRBTklfVTE2KiApKHBGcm0gKyBwSWUtPmNvdW50T2Zmc2V0KSkpOworICAgICAgICBpZiAoMCAhPSBwSWUtPmFycmF5Ym91bmQgJiYgY291bnRPZmZzZXQgPj0gcEllLT5hcnJheWJvdW5kKSB7CisgICAgICAgICAgICBzdGF0dXMgfD0gRE9UMTFGX0RVUExJQ0FURV9JRTsKKyAgICAgICAgICAgIGdvdG8gc2tpcF9kdXBfaWU7CisgICAgICAgIH0KICAgICAgICAgICAgICAgICBzd2l0Y2ggKHBJZS0+c2lnKQogICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBjYXNlIFNpZ0llQ29uZGVuc2VkQ291bnRyeVN0cjoKQEAgLTE5MjE1LDYgKzE5MjE5LDcgQEAKICAgICAgICAgICAgIHN0YXR1cyB8PSBET1QxMUZfVU5LTk9XTl9JRVM7CiAgICAgICAgIH0KIAorc2tpcF9kdXBfaWU6CiAgICAgICAgIHBCdWZSZW1haW5pbmcgKz0gbGVuOwogCiAgICAgICAgICBpZiAobGVuID4gbkJ1ZlJlbWFpbmluZykK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0002.patch rename to Patches/Linux_CVEs/CVE-2017-11013/qcacld-3.0/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch new file mode 100644 index 00000000..8dab716a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch @@ -0,0 +1,49 @@ +From adb96af5b080dfe4ee29961a17ed3f04c87d5519 Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Mon, 21 Aug 2017 16:56:01 -0700 +Subject: [PATCH] qcacld-2.0: Add bound check before writing to channel list + +qcacld-3.0 to qcacld-2.0 propagation + +In function rrm_process_beacon_report_req, add bound check before +writing to channel list which is of fixed size. + +Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf +CRs-Fixed: 2060138 +Bug: 64438727 +Signed-off-by: Srinivas Girigowda +--- + drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c +index 3fb65c45c2925..ddf22cd957db2 100644 +--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c ++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c +@@ -628,14 +628,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac, + pSmeBcnReportReq->channelList.numChannels = num_channels; + if( pBeaconReq->measurement_request.Beacon.num_APChannelReport ) + { +- tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber; ++ tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber; ++ uint8_t len; ++ uint16_t ch_ctr = 0; + for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ ) + { +- vos_mem_copy(pChanList, +- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList, +- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList); ++ len = pBeaconReq->measurement_request.Beacon. ++ APChannelReport[num_APChanReport].num_channelList; ++ if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber)) ++ break; ++ ++ vos_mem_copy(&ch_lst[ch_ctr], ++ pBeaconReq->measurement_request.Beacon. ++ APChannelReport[num_APChanReport].channelList, len); + +- pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList; ++ ch_ctr += len; + } + } + diff --git a/Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11014/qcacld-3.0/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch new file mode 100644 index 00000000..f881cb1d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch @@ -0,0 +1,54 @@ +From d7285900f6fa28b0be51f5d18c52bd06385f8aee Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Mon, 21 Aug 2017 18:23:29 -0700 +Subject: [PATCH] qcacld-2.0: Update limComputeCrc32 to pass uint16_t + +qcacld-3.0 to qcacld-2.0 propagation + +Update limComputeCrc32() to pass uint16_t as a length type. +Currently uint8_t is being passed as length and there will be type +mismatch when authentication frame to be encrypted will be larger +than 255 bytes. + +Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba +CRs-Fixed: 2072937 +Bug: 64438728 +Signed-off-by: Srinivas Girigowda +--- + drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c | 2 +- + drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c +index 0241dc010adce..049c86aa55f78 100644 +--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c ++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c +@@ -647,7 +647,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 * + */ + + void +-limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U8 len) ++limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U16 len) + { + tANI_U32 crc; + int i; +diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h +index 4ede5005b556f..9139ce20f3b4c 100644 +--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h ++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -59,7 +59,7 @@ tANI_U8 limDeleteOpenAuthPreAuthNode(tpAniSirGlobal pMac); + + // Encryption/Decryption related functions + tCfgWepKeyEntry *limLookUpKeyMappings(tSirMacAddr); +-void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U8); ++void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U16); + void limRC4(tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16); + void limEncryptAuthFrame(tpAniSirGlobal, tANI_U8, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32); + tANI_U8 limDecryptAuthFrame(tpAniSirGlobal, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16); diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch new file mode 100644 index 00000000..18aee47d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch @@ -0,0 +1,35 @@ +From a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Mon, 21 Aug 2017 21:25:55 -0700 +Subject: [PATCH] qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE + spec + +qcacld-3.0 to qcacld-2.0 propagation + +Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec. +Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128. +This may result in potential buffer overflow since frame parser +allows challenge text of length upto 253 but driver can not handle +challenge text longer than 128 bytes. + +Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e +CRs-Fixed: 2072937 +Bug: 64438728 +Signed-off-by: Srinivas Girigowda +--- + drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h +index bb43167c255cc..c5d8ad5dbcbc0 100644 +--- a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h ++++ b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h +@@ -584,7 +584,7 @@ + #define SIR_MAC_MAX_NUMBER_OF_RATES 12 + #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4 + #define SIR_MAC_KEY_LENGTH 13 // WEP Maximum key length size +-#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128 ++#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253 + #define SIR_MAC_WEP_IV_LENGTH 4 + #define SIR_MAC_WEP_ICV_LENGTH 4 + diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0003.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0005.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0003.patch rename to Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0005.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0004.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0006.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0004.patch rename to Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0006.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch new file mode 100644 index 00000000..dea3e339 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch @@ -0,0 +1,178 @@ +From 17ef83c708be034454df7914ef5484c36515eece Mon Sep 17 00:00:00 2001 +From: Jonathan Solnit +Date: Fri, 1 Sep 2017 15:19:29 -0700 +Subject: [PATCH] diag: Add protection while processing non-hdlc packets + +Currently, there is possibility of out-of-bound accesses during +handling of data in non-hdlc path. The patch adds proper protection +when processing non-hdlc packet information to fix the issue. + +Bug: 64434485 +CRs-Fixed: 2029216 +Change-Id: I07c466f85bd8ac08226948fea86b1d8567e68431 +Signed-off-by: Hardik Arya +Signed-off-by: Mishra Mahima +Signed-off-by: Jonathan Solnit +--- + drivers/char/diag/diagchar.h | 1 + + drivers/char/diag/diagchar_core.c | 1 + + drivers/char/diag/diagfwd.c | 44 ++++++++++++++++++++++++++++++--------- + 3 files changed, 36 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h +index de3e160762e9f..c1749d3435732 100644 +--- a/drivers/char/diag/diagchar.h ++++ b/drivers/char/diag/diagchar.h +@@ -537,6 +537,7 @@ struct diagchar_dev { + unsigned char *buf_feature_mask_update; + uint8_t hdlc_disabled; + struct mutex hdlc_disable_mutex; ++ struct mutex hdlc_recovery_mutex; + struct timer_list hdlc_reset_timer; + struct mutex diag_hdlc_mutex; + unsigned char *hdlc_buf; +diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c +index 590f53c36e511..048e1fd60b805 100644 +--- a/drivers/char/diag/diagchar_core.c ++++ b/drivers/char/diag/diagchar_core.c +@@ -3392,6 +3392,7 @@ static int __init diagchar_init(void) + mutex_init(&apps_data_mutex); + mutex_init(&driver->msg_mask_lock); + mutex_init(&driver->diagfwd_channel_mutex); ++ mutex_init(&driver->hdlc_recovery_mutex); + init_waitqueue_head(&driver->wait_q); + INIT_WORK(&(driver->diag_drain_work), diag_drain_work_fn); + INIT_WORK(&(driver->update_user_clients), +diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c +index 65bbe7cdd8347..60d126acae99a 100644 +--- a/drivers/char/diag/diagfwd.c ++++ b/drivers/char/diag/diagfwd.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -1348,7 +1348,9 @@ static void diag_hdlc_start_recovery(unsigned char *buf, int len, + + if (start_ptr) { + /* Discard any partial packet reads */ ++ mutex_lock(&driver->hdlc_recovery_mutex); + driver->incoming_pkt.processing = 0; ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_process_non_hdlc_pkt(start_ptr, len - i, info); + } + } +@@ -1362,18 +1364,24 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + const uint32_t header_len = sizeof(struct diag_pkt_frame_t); + struct diag_pkt_frame_t *actual_pkt = NULL; + unsigned char *data_ptr = NULL; +- struct diag_partial_pkt_t *partial_pkt = &driver->incoming_pkt; ++ struct diag_partial_pkt_t *partial_pkt = NULL; + +- if (!buf || len <= 0) ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ if (!buf || len <= 0) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + return; +- +- if (!partial_pkt->processing) ++ } ++ partial_pkt = &driver->incoming_pkt; ++ if (!partial_pkt->processing) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto start; ++ } + + if (partial_pkt->remaining > len) { + if ((partial_pkt->read_len + len) > partial_pkt->capacity) { + pr_err("diag: Invalid length %d, %d received in %s\n", + partial_pkt->read_len, len, __func__); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + memcpy(partial_pkt->data + partial_pkt->read_len, buf, len); +@@ -1387,6 +1395,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + pr_err("diag: Invalid length during partial read %d, %d received in %s\n", + partial_pkt->read_len, + partial_pkt->remaining, __func__); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + memcpy(partial_pkt->data + partial_pkt->read_len, buf, +@@ -1400,20 +1409,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + if (partial_pkt->remaining == 0) { + actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data); + data_ptr = partial_pkt->data + header_len; +- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) ++ if (*(uint8_t *)(data_ptr + actual_pkt->length) != ++ CONTROL_CHAR) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ } + err = diag_process_apps_pkt(data_ptr, + actual_pkt->length, info); + if (err) { + pr_err("diag: In %s, unable to process incoming data packet, err: %d\n", + __func__, err); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + partial_pkt->read_len = 0; + partial_pkt->total_len = 0; + partial_pkt->processing = 0; ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto start; + } ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + + start: +@@ -1426,14 +1442,14 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + diag_send_error_rsp(buf, len); + goto end; + } +- ++ mutex_lock(&driver->hdlc_recovery_mutex); + if (pkt_len + header_len > partial_pkt->capacity) { + pr_err("diag: In %s, incoming data is too large for the request buffer %d\n", + __func__, pkt_len); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); + break; + } +- + if ((pkt_len + header_len) > (len - read_bytes)) { + partial_pkt->read_len = len - read_bytes; + partial_pkt->total_len = pkt_len + header_len; +@@ -1441,19 +1457,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + partial_pkt->read_len; + partial_pkt->processing = 1; + memcpy(partial_pkt->data, buf, partial_pkt->read_len); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + break; + } + data_ptr = buf + header_len; +- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) ++ if (*(uint8_t *)(data_ptr + actual_pkt->length) != ++ CONTROL_CHAR) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ } + else + hdlc_reset = 0; + err = diag_process_apps_pkt(data_ptr, + actual_pkt->length, info); +- if (err) ++ if (err) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + break; ++ } + read_bytes += header_len + pkt_len + 1; + buf += header_len + pkt_len + 1; /* advance to next pkt */ ++ mutex_unlock(&driver->hdlc_recovery_mutex); + } + end: + return; diff --git a/Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11023/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11023/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch new file mode 100644 index 00000000..56ff10b7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch @@ -0,0 +1,42 @@ +From a96e06fac09e182b5211f20dd6311f93a5d056af Mon Sep 17 00:00:00 2001 +From: Senthil Kumar Rajagopal +Date: Mon, 10 Apr 2017 16:53:33 +0530 +Subject: [PATCH] msm: camera: isp: Initialize stream info + +Initialize the Stream info before passing as an +argument to msm_isp_request_frame and add bound check to the +stream index +CRs-fixed: 2008683 + +Bug: 64453533 +Change-Id: I0039a5d01f4f376060c8b0ba3baf4ce55acc9446 +Signed-off-by: Senthil Kumar Rajagopal +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +index 5e0b685aec801..54ab560f09137 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -3488,6 +3488,14 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) + case UPDATE_STREAM_REQUEST_FRAMES_VER2: { + struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm = + &update_cmd->req_frm_ver2; ++ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) { ++ pr_err("%s: Invalid stream handle \n", __func__); ++ rc = -EINVAL; ++ break; ++ } ++ stream_info = &axi_data->stream_info[HANDLE_TO_IDX( ++ req_frm->stream_handle)]; ++ + rc = msm_isp_request_frame(vfe_dev, stream_info, + req_frm->user_stream_id, + req_frm->frame_id, diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch deleted file mode 100644 index e6d4075c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch +++ /dev/null @@ -1,57 +0,0 @@ -From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001 -From: Senthil Kumar Rajagopal -Date: Mon, 10 Apr 2017 15:11:14 +0530 -Subject: msm: camera: isp: add bound check to handle array out of access - -The pointer req_frm comes from userspace, -req_frm->stream_handle is passed as an argument to -the function msm_isp_get_stream_common_data, -stream_idx can overflow common_data->streams[] and -the code ends up copying an out of bound -kernel address into stream_info. Adding bound check to -handle the same. - -CRs-fixed: 2008683 -Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e -Signed-off-by: Senthil Kumar Rajagopal ---- - drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++ - drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++ - 2 files changed, 11 insertions(+) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -index dce474e..8ab2e85 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c -@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) - &update_cmd->req_frm_ver2; - stream_info = msm_isp_get_stream_common_data(vfe_dev, - HANDLE_TO_IDX(req_frm->stream_handle)); -+ if (stream_info == NULL) { -+ pr_err_ratelimited("%s: stream_info is NULL\n", -+ __func__); -+ rc = -EINVAL; -+ break; -+ } - rc = msm_isp_request_frame(vfe_dev, stream_info, - req_frm->user_stream_id, - req_frm->frame_id, -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h -index 65009cb..a8d4cfb 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h -@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data( - struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data; - struct msm_vfe_axi_stream *stream_info; - -+ if (stream_idx >= VFE_AXI_SRC_MAX) { -+ pr_err("invalid stream_idx %d\n", stream_idx); -+ return NULL; -+ } -+ - if (vfe_dev->is_split && stream_idx < RDI_INTF_0) - stream_info = &common_data->streams[stream_idx]; - else --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch index d3e560cc..e6d4075c 100644 --- a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch +++ b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch @@ -1,36 +1,57 @@ -From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001 -From: Sriraj Hebbar -Date: Fri, 30 Jun 2017 13:14:28 +0530 -Subject: msm: camera: isp: Handle array out of bound access +From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001 +From: Senthil Kumar Rajagopal +Date: Mon, 10 Apr 2017 15:11:14 +0530 +Subject: msm: camera: isp: add bound check to handle array out of access -The pointer req_frm is coming from userspace, it may overflow stream_info. -Adding a bound check to prevent the same. +The pointer req_frm comes from userspace, +req_frm->stream_handle is passed as an argument to +the function msm_isp_get_stream_common_data, +stream_idx can overflow common_data->streams[] and +the code ends up copying an out of bound +kernel address into stream_info. Adding bound check to +handle the same. CRs-fixed: 2008683 -Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4 +Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e Signed-off-by: Senthil Kumar Rajagopal -Signed-off-by: Andy Sun --- - drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++ - 1 file changed, 6 insertions(+) + drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++ + drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++ + 2 files changed, 11 insertions(+) -diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c -index 373a963..a85ee30 100644 ---- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c -+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c -@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) - case UPDATE_STREAM_REQUEST_FRAMES_VER2: { - struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm = +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +index dce474e..8ab2e85 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) &update_cmd->req_frm_ver2; -+ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) { -+ pr_err("%s: Invalid stream handle\n", __func__); + stream_info = msm_isp_get_stream_common_data(vfe_dev, + HANDLE_TO_IDX(req_frm->stream_handle)); ++ if (stream_info == NULL) { ++ pr_err_ratelimited("%s: stream_info is NULL\n", ++ __func__); + rc = -EINVAL; + break; + } -+ - stream_info = &axi_data->stream_info[HANDLE_TO_IDX( - req_frm->stream_handle)]; rc = msm_isp_request_frame(vfe_dev, stream_info, + req_frm->user_stream_id, + req_frm->frame_id, +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h +index 65009cb..a8d4cfb 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h +@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data( + struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data; + struct msm_vfe_axi_stream *stream_info; + ++ if (stream_idx >= VFE_AXI_SRC_MAX) { ++ pr_err("invalid stream_idx %d\n", stream_idx); ++ return NULL; ++ } ++ + if (vfe_dev->is_split && stream_idx < RDI_INTF_0) + stream_info = &common_data->streams[stream_idx]; + else -- cgit v1.1 diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch new file mode 100644 index 00000000..d3e560cc --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch @@ -0,0 +1,36 @@ +From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001 +From: Sriraj Hebbar +Date: Fri, 30 Jun 2017 13:14:28 +0530 +Subject: msm: camera: isp: Handle array out of bound access + +The pointer req_frm is coming from userspace, it may overflow stream_info. +Adding a bound check to prevent the same. + +CRs-fixed: 2008683 +Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4 +Signed-off-by: Senthil Kumar Rajagopal +Signed-off-by: Andy Sun +--- + drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c +index 373a963..a85ee30 100644 +--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c ++++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c +@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) + case UPDATE_STREAM_REQUEST_FRAMES_VER2: { + struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm = + &update_cmd->req_frm_ver2; ++ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) { ++ pr_err("%s: Invalid stream handle\n", __func__); ++ rc = -EINVAL; ++ break; ++ } ++ + stream_info = &axi_data->stream_info[HANDLE_TO_IDX( + req_frm->stream_handle)]; + rc = msm_isp_request_frame(vfe_dev, stream_info, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch new file mode 100644 index 00000000..1964e92c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch @@ -0,0 +1,108 @@ +From e13a16c079cf8f5c758f5c31fbd72edca2656e54 Mon Sep 17 00:00:00 2001 +From: Jonathan Solnit +Date: Fri, 1 Sep 2017 17:21:05 -0700 +Subject: [PATCH] msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue + +When the Camera application exercises the V4L2 ioctl operations, CPP +driver would attempt to the copy user space buffer contents into the +internal kernel buffer. If an invalid length of the user space buffer +is passed onto the driver, it could trigger buffer overflow condition. + +Thus, fix this by copying user space buffer contents into kernel space +buffer of the driver for further processing, only after checking for +proper length of user space buffer. + +Bug: 64433362 +CRs-fixed: 2025367 +Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c +Signed-off-by: Ravi kumar Koyyana +Signed-off-by: Paresh Purabhiya +Signed-off-by: Jonathan Solnit +--- + .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 23 ++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +index 1dfe7f6abc312..9d7e51c37f486 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +@@ -2288,11 +2288,13 @@ static void msm_cpp_fw_version(struct cpp_device *cpp_dev) + msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_TRAILER); + } + +-static int msm_cpp_validate_input(unsigned int cmd, void *arg, ++static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg, + struct msm_camera_v4l2_ioctl_t **ioctl_ptr) + { + switch (cmd) { + case MSM_SD_SHUTDOWN: ++ case VIDIOC_MSM_CPP_IOMMU_ATTACH: ++ case VIDIOC_MSM_CPP_IOMMU_DETACH: + break; + default: { + if (ioctl_ptr == NULL) { +@@ -2301,8 +2303,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg, + } + + *ioctl_ptr = arg; +- if ((*ioctl_ptr == NULL) || +- (*ioctl_ptr)->ioctl_ptr == NULL) { ++ if (((*ioctl_ptr) == NULL) || ++ ((*ioctl_ptr)->ioctl_ptr == NULL) || ++ ((*ioctl_ptr)->len == 0)) { + pr_err("Error invalid ioctl argument cmd %u", cmd); + return -EINVAL; + } +@@ -2334,7 +2337,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + return -EINVAL; + } + +- rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr); ++ rc = msm_cpp_validate_ioctl_input(cmd, arg, &ioctl_ptr); + if (rc != 0) { + pr_err("input validation failed\n"); + return rc; +@@ -2799,6 +2802,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + pr_err("%s:%dError iommu_attach_device failed\n", + __func__, __LINE__); + rc = -EINVAL; ++ break; + } + cpp_dev->iommu_state = CPP_IOMMU_STATE_ATTACHED; + } else { +@@ -2813,10 +2817,17 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + (cpp_dev->stream_cnt == 0)) { + iommu_detach_device(cpp_dev->domain, + cpp_dev->iommu_ctx); ++ if (rc < 0) { ++ pr_err("%s:%dError iommu detach failed\n", ++ __func__, __LINE__); ++ rc = -EINVAL; ++ break; ++ } + cpp_dev->iommu_state = CPP_IOMMU_STATE_DETACHED; + } else { + pr_err("%s:%d IOMMMU attach triggered in invalid state\n", + __func__, __LINE__); ++ rc = -EINVAL; + } + break; + } +@@ -3422,7 +3433,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file, + default: + pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n", + __func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE); +- break; ++ return -EINVAL; + } + + switch (cmd) { +@@ -3448,7 +3459,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file, + default: + pr_err_ratelimited("%s: unsupported compat type :%d\n", + __func__, cmd); +- break; ++ return -EINVAL; + } + + up32_ioctl.id = kp_ioctl.id; diff --git a/Patches/Linux_CVEs/CVE-2017-11029/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11029/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11029/3.18/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11029/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11029/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-11029/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11029/4.4/0002.patch rename to Patches/Linux_CVEs/CVE-2017-11029/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0002.patch rename to Patches/Linux_CVEs/CVE-2017-11035/qcacld-2.0/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11035/qcacld-3.0/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch new file mode 100644 index 00000000..685a041e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch @@ -0,0 +1,143 @@ +From 120d28bad9890eca3a6451a83a7c71cb650dfef7 Mon Sep 17 00:00:00 2001 +From: "Poddar, Siddarth" +Date: Wed, 5 Jul 2017 12:31:03 +0530 +Subject: [PATCH] qcacld-2.0: Remove code related to mmap functionality for + pktlog + +Remove the code related to mmap functionality for pktlog +as it is no longer used/required. + +Bug: 62084791 +Change-Id: I06767f108c0ff6462a9e20e7b50d08bf4ac9555f +CRs-Fixed: 2064767 +Signed-off-by: Ahmed ElArabawy +--- + .../qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c | 102 --------------------- + 1 file changed, 102 deletions(-) + +diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c +index 173ed4e8eec1a..ec61b77e827cf 100644 +--- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c ++++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c +@@ -82,14 +82,12 @@ static int pktlog_attach(struct ol_softc *sc); + static void pktlog_detach(struct ol_softc *sc); + static int pktlog_open(struct inode *i, struct file *f); + static int pktlog_release(struct inode *i, struct file *f); +-static int pktlog_mmap(struct file *f, struct vm_area_struct *vma); + static ssize_t pktlog_read(struct file *file, char *buf, size_t nbytes, + loff_t * ppos); + + static struct file_operations pktlog_fops = { + open:pktlog_open, + release:pktlog_release, +- mmap:pktlog_mmap, + read:pktlog_read, + }; + +@@ -921,106 +919,6 @@ static volatile void *pktlog_virt_to_logical(volatile void *addr) + } + #endif + +-/* vma operations for mapping vmalloced area to user space */ +-static void pktlog_vopen(struct vm_area_struct *vma) +-{ +- PKTLOG_MOD_INC_USE_COUNT; +-} +- +-static void pktlog_vclose(struct vm_area_struct *vma) +-{ +- PKTLOG_MOD_DEC_USE_COUNT; +-} +- +-#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25) +-int pktlog_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +-{ +- unsigned long address = (unsigned long)vmf->virtual_address; +- +- if (address == 0UL) +- return VM_FAULT_NOPAGE; +- +- if (vmf->pgoff > vma->vm_end) +- return VM_FAULT_SIGBUS; +- +- get_page(virt_to_page((void *)address)); +- vmf->page = virt_to_page((void *)address); +- return VM_FAULT_MINOR; +-} +-#else +-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) +-struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr, +- int *type) +-#else +-struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr, +- int write_access) +-#endif +-{ +- unsigned long offset, vaddr; +- struct proc_dir_entry *proc_entry; +- struct ath_pktlog_info *pl_info = +- +- proc_entry = PDE(vma->vm_file->f_dentry->d_inode); +- pl_info = (struct ath_pktlog_info *)proc_entry->data; +- +- offset = addr - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT); +- vaddr = (unsigned long) pktlog_virt_to_logical( +- (void *)(pl_info->buf) + offset); +- +- if (vaddr == 0UL) { +- printk(PKTLOG_TAG "%s: page fault out of range\n", __func__); +- return ((struct page *) 0UL); +- } +- +- /* increment the usage count of the page */ +- get_page(virt_to_page((void*)vaddr)); +- +-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) +- if (type) +- *type = VM_FAULT_MINOR; +-#endif +- +- return virt_to_page((void *)vaddr); +-} +-#endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25) */ +- +-static struct vm_operations_struct pktlog_vmops = { +- open:pktlog_vopen, +- close:pktlog_vclose, +-#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25) +- fault:pktlog_fault, +-#else +- nopage:pktlog_vmmap, +-#endif +-}; +- +-static int pktlog_mmap(struct file *file, struct vm_area_struct *vma) +-{ +-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,10,0) +- struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *) +- PDE_DATA(file->f_path.dentry->d_inode); +-#else +- struct proc_dir_entry *proc_entry = PDE(file->f_dentry->d_inode); +- struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *) +- proc_entry->data; +-#endif +- +- if (vma->vm_pgoff != 0) { +- /* Entire buffer should be mapped */ +- return -EINVAL; +- } +- +- if (!pl_info->buf) { +- printk(PKTLOG_TAG "%s: Log buffer unavailable\n", __func__); +- return -ENOMEM; +- } +- +- vma->vm_flags |= VM_LOCKED; +- vma->vm_ops = &pktlog_vmops; +- pktlog_vopen(vma); +- return 0; +-} +- + int pktlogmod_init(void *context) + { + int ret; diff --git a/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch new file mode 100644 index 00000000..a55a439d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch @@ -0,0 +1,274 @@ +From dc8f7a19762df2c84678482b60f6b807b919eb44 Mon Sep 17 00:00:00 2001 +From: Weiyin Jiang +Date: Fri, 28 Jul 2017 11:01:40 +0800 +Subject: [PATCH] SoC: msm: audio-effects: return directly to avoid integer + overflow + +Return error code directly to avoid further integer overflow leading +to buffer overflow. + +Bug: 62952032 +Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b +CRs-Fixed: 2077909 +Signed-off-by: Weiyin Jiang +Signed-off-by: Paresh Purabhiya +--- + sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 56 ++++++++++++------------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +index 2bcd339f1ff59..95c382ddb77b9 100644 +--- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +@@ -175,7 +175,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "VIRT ENABLE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = +@@ -203,7 +203,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "VIRT STRENGTH", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = +@@ -231,7 +231,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "VIRT OUT_TYPE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = +@@ -259,7 +259,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "VIRT GAIN_ADJUST", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = +@@ -338,7 +338,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_ENABLE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -366,7 +366,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_MODE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -394,7 +394,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_PRESET", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -422,7 +422,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_WET_MIX", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -450,7 +450,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_GAIN_ADJUST", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -478,7 +478,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_ROOM_LEVEL", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -506,7 +506,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_ROOM_HF_LEVEL", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -534,7 +534,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_DECAY_TIME", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -562,7 +562,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_DECAY_HF_RATIO", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -590,7 +590,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_REFLECTIONS_LEVEL", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -618,7 +618,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_REFLECTIONS_DELAY", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -646,7 +646,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_LEVEL", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -674,7 +674,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_DELAY", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -702,7 +702,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_DIFFUSION", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -730,7 +730,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "REVERB_DENSITY", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_REVERB; + *updt_params++ = +@@ -810,7 +810,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "BASS_BOOST_ENABLE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = +@@ -838,7 +838,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "BASS_BOOST_MODE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = +@@ -866,7 +866,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "BASS_BOOST_STRENGTH", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = +@@ -947,7 +947,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "EQ_ENABLE", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = +@@ -1015,7 +1015,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "EQ_CONFIG", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = +@@ -1066,7 +1066,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "EQ_BAND_INDEX", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = +@@ -1098,7 +1098,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + MAX_INBAND_PARAM_SZ, + "EQ_SINGLE_BAND_FREQ", rc); + if (rc != 0) +- break; ++ goto invalid_config; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = +@@ -1188,7 +1188,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + "VOLUME/VOLUME2_GAIN_2CH", + rc); + if (rc != 0) +- break; ++ goto invalid_config; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = + ASM_MODULE_ID_VOL_CTRL2; +@@ -1237,7 +1237,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + "VOLUME/VOLUME2_GAIN_MASTER", + rc); + if (rc != 0) +- break; ++ goto invalid_config; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = + ASM_MODULE_ID_VOL_CTRL2; diff --git a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch new file mode 100644 index 00000000..7dca8216 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch @@ -0,0 +1,12 @@ +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 78b6f74..f927434 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -365,6 +365,7 @@ + [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, + [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, + [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, ++ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, + [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, + [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, + [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, diff --git a/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 new file mode 100644 index 00000000..f8a6d711 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMgYi9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jCmluZGV4IDc4YjZmNzQuLmY5Mjc0MzQgMTAwNjQ0Ci0tLSBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMKKysrIGIvbmV0L3dpcmVsZXNzL25sODAyMTEuYwpAQCAtMzY1LDYgKzM2NSw3IEBACiAJW05MODAyMTFfQVRUUl9TQ0FOX0ZMQUdTXSA9IHsgLnR5cGUgPSBOTEFfVTMyIH0sCiAJW05MODAyMTFfQVRUUl9QMlBfQ1RXSU5ET1ddID0geyAudHlwZSA9IE5MQV9VOCB9LAogCVtOTDgwMjExX0FUVFJfUDJQX09QUFBTXSA9IHsgLnR5cGUgPSBOTEFfVTggfSwKKwlbTkw4MDIxMV9BVFRSX0xPQ0FMX01FU0hfUE9XRVJfTU9ERV0gPSB7LiB0eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfQUNMX1BPTElDWV0gPSB7LiB0eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfTUFDX0FERFJTXSA9IHsgLnR5cGUgPSBOTEFfTkVTVEVEIH0sCiAJW05MODAyMTFfQVRUUl9TVEFfQ0FQQUJJTElUWV0gPSB7IC50eXBlID0gTkxBX1UxNiB9LAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch new file mode 100644 index 00000000..e3116765 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch @@ -0,0 +1,14 @@ +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 5112673..78b6f74 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -310,8 +310,7 @@ + [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 }, + [NL80211_ATTR_PID] = { .type = NLA_U32 }, + [NL80211_ATTR_4ADDR] = { .type = NLA_U8 }, +- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY, +- .len = WLAN_PMKID_LEN }, ++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN }, + [NL80211_ATTR_DURATION] = { .type = NLA_U32 }, + [NL80211_ATTR_COOKIE] = { .type = NLA_U64 }, + [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED }, diff --git a/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 new file mode 100644 index 00000000..b1a4f493 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMgYi9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jCmluZGV4IDUxMTI2NzMuLjc4YjZmNzQgMTAwNjQ0Ci0tLSBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMKKysrIGIvbmV0L3dpcmVsZXNzL25sODAyMTEuYwpAQCAtMzEwLDggKzMxMCw3IEBACiAJW05MODAyMTFfQVRUUl9XUEFfVkVSU0lPTlNdID0geyAudHlwZSA9IE5MQV9VMzIgfSwKIAlbTkw4MDIxMV9BVFRSX1BJRF0gPSB7IC50eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfNEFERFJdID0geyAudHlwZSA9IE5MQV9VOCB9LAotCVtOTDgwMjExX0FUVFJfUE1LSURdID0geyAudHlwZSA9IE5MQV9CSU5BUlksCi0JCQkJIC5sZW4gPSBXTEFOX1BNS0lEX0xFTiB9LAorCVtOTDgwMjExX0FUVFJfUE1LSURdID0geyAubGVuID0gV0xBTl9QTUtJRF9MRU4gfSwKIAlbTkw4MDIxMV9BVFRSX0RVUkFUSU9OXSA9IHsgLnR5cGUgPSBOTEFfVTMyIH0sCiAJW05MODAyMTFfQVRUUl9DT09LSUVdID0geyAudHlwZSA9IE5MQV9VNjQgfSwKIAlbTkw4MDIxMV9BVFRSX1RYX1JBVEVTXSA9IHsgLnR5cGUgPSBOTEFfTkVTVEVEIH0sCg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch new file mode 100644 index 00000000..cdd5771c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch @@ -0,0 +1,61 @@ +From 10b0cb47e92abe52c5372ded0fe80a5a5f18586f Mon Sep 17 00:00:00 2001 +From: Harsh Sahu +Date: Thu, 29 Jun 2017 18:50:20 -0700 +Subject: [PATCH] msm: mdss: fix the use after free problem in rotator ioctl + +Currently the fence fd is installed too early. This can cause a +use after free problem if the fence fd is closed in some other thread. +This change will install the fence fd where it is required and +eliminates the problem. + +Bug: 37478866 +Change-Id: I5cf585ea87ef75fccae06da6cb5a6c16fc74eff3 +Signed-off-by: Harsh Sahu +--- + drivers/video/msm/mdss/mdss_rotator.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c +index 95ca5b74e2369..5910a69bc844b 100644 +--- a/drivers/video/msm/mdss/mdss_rotator.c ++++ b/drivers/video/msm/mdss/mdss_rotator.c +@@ -375,6 +375,15 @@ static bool mdss_rotator_is_work_pending(struct mdss_rot_mgr *mgr, + return false; + } + ++static void mdss_rotator_install_fence_fd(struct mdss_rot_entry_container *req) ++{ ++ int i = 0; ++ ++ for (i = 0; i < req->count; i++) ++ sync_fence_install(req->entries[i].output_fence, ++ req->entries[i].output_fence_fd); ++} ++ + static int mdss_rotator_create_fence(struct mdss_rot_entry *entry) + { + int ret = 0, fd; +@@ -413,7 +422,6 @@ static int mdss_rotator_create_fence(struct mdss_rot_entry *entry) + goto get_fd_err; + } + +- sync_fence_install(fence, fd); + rot_timeline->next_value++; + mutex_unlock(&rot_timeline->lock); + +@@ -2248,6 +2256,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr, + goto handle_request_err1; + } + ++ mdss_rotator_install_fence_fd(req); + mdss_rotator_queue_request(mgr, private, req); + + mutex_unlock(&mgr->lock); +@@ -2408,6 +2417,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr, + goto handle_request32_err1; + } + ++ mdss_rotator_install_fence_fd(req); + mdss_rotator_queue_request(mgr, private, req); + + mutex_unlock(&mgr->lock); diff --git a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch new file mode 100644 index 00000000..14ae6c00 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch @@ -0,0 +1,164 @@ +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 350ad08..44f981c 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -1609,6 +1609,7 @@ + struct kgsl_device *device; + struct kgsl_cmdbatch *cmdbatch = (struct kgsl_cmdbatch *) data; + struct kgsl_cmdbatch_sync_event *event; ++ unsigned long flags; + + if (cmdbatch == NULL || cmdbatch->context == NULL) + return; +@@ -1623,14 +1624,14 @@ + kgsl_context_dump(cmdbatch->context); + clear_bit(CMDBATCH_FLAG_FENCE_LOG, &cmdbatch->priv); + +- spin_lock(&cmdbatch->lock); ++ spin_lock_irqsave(&cmdbatch->lock, flags); + /* Print all the fences */ + list_for_each_entry(event, &cmdbatch->synclist, node) { + if (KGSL_CMD_SYNCPOINT_TYPE_FENCE == event->type && + event->handle && event->handle->fence) + kgsl_sync_fence_log(event->handle->fence); + } +- spin_unlock(&cmdbatch->lock); ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); + dev_err(device->dev, "--gpu syncpoint deadlock print end--\n"); + } + /** +@@ -1685,15 +1686,16 @@ + struct kgsl_cmdbatch_sync_event *event) + { + struct kgsl_cmdbatch_sync_event *e, *tmp; ++ unsigned long flags; + int sched = 0; + int removed = 0; + + /* +- * We may have cmdbatch timer running, which also uses same lock, +- * take a lock with software interrupt disabled (bh) to avoid +- * spin lock recursion. ++ * cmdbatch timer or event callback might run at ++ * this time in interrupt context and uses same lock. ++ * So use irq-save version of spin lock. + */ +- spin_lock_bh(&event->cmdbatch->lock); ++ spin_lock_irqsave(&event->cmdbatch->lock, flags); + + /* + * sync events that are contained by a cmdbatch which has been +@@ -1708,8 +1710,9 @@ + } + } + ++ event->handle = NULL; + sched = list_empty(&event->cmdbatch->synclist) ? 1 : 0; +- spin_unlock_bh(&event->cmdbatch->lock); ++ spin_unlock_irqrestore(&event->cmdbatch->lock, flags); + + /* If the list is empty delete the canary timer */ + if (sched) +@@ -1771,16 +1774,20 @@ + struct kgsl_cmdbatch_sync_event *event, *tmpsync; + LIST_HEAD(cancel_synclist); + int sched = 0; ++ unsigned long flags; + + /* Zap the canary timer */ + del_timer_sync(&cmdbatch->timer); + +- /* non-bh because we just destroyed timer */ +- spin_lock(&cmdbatch->lock); ++ /* ++ * callback might run in interrupt context ++ * so need to use irqsave version of spinlocks. ++ */ ++ spin_lock_irqsave(&cmdbatch->lock, flags); + + /* Empty the synclist before canceling events */ + list_splice_init(&cmdbatch->synclist, &cancel_synclist); +- spin_unlock(&cmdbatch->lock); ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); + + /* + * Finish canceling events outside the cmdbatch spinlock and +@@ -1802,8 +1809,15 @@ + kgsl_cmdbatch_sync_func, event); + } else if (event->type == KGSL_CMD_SYNCPOINT_TYPE_FENCE) { + /* Put events that are successfully canceled */ +- if (kgsl_sync_fence_async_cancel(event->handle)) ++ spin_lock_irqsave(&cmdbatch->lock, flags); ++ ++ if (kgsl_sync_fence_async_cancel(event->handle)) { ++ event->handle = NULL; ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); + kgsl_cmdbatch_sync_event_put(event); ++ } else { ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); ++ } + } + + /* Put events that have been removed from the synclist */ +@@ -1864,6 +1878,7 @@ + { + struct kgsl_cmd_syncpoint_fence *sync = priv; + struct kgsl_cmdbatch_sync_event *event; ++ unsigned long flags; + + event = kzalloc(sizeof(*event), GFP_KERNEL); + +@@ -1892,11 +1907,6 @@ + + kref_get(&event->refcount); + +- /* non-bh because, we haven't started cmdbatch timer yet */ +- spin_lock(&cmdbatch->lock); +- list_add(&event->node, &cmdbatch->synclist); +- spin_unlock(&cmdbatch->lock); +- + /* + * Increment the reference count for the async callback. + * Decrement when the callback is successfully canceled, when +@@ -1904,6 +1914,10 @@ + */ + + kref_get(&event->refcount); ++ ++ spin_lock_irqsave(&cmdbatch->lock, flags); ++ list_add(&event->node, &cmdbatch->synclist); ++ + event->handle = kgsl_sync_fence_async_wait(sync->fd, + kgsl_cmdbatch_sync_fence_func, event); + +@@ -1911,17 +1925,14 @@ + int ret = PTR_ERR(event->handle); + + event->handle = NULL; +- +- /* Failed to add the event to the async callback */ +- kgsl_cmdbatch_sync_event_put(event); +- + /* Remove event from the synclist */ +- spin_lock(&cmdbatch->lock); + list_del(&event->node); +- spin_unlock(&cmdbatch->lock); ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); ++ /* Put for event removal from the synclist */ + kgsl_cmdbatch_sync_event_put(event); +- +- /* Event no longer needed by this function */ ++ /* Unable to add event to the async callback so a put */ ++ kgsl_cmdbatch_sync_event_put(event); ++ /* Put since event no longer needed by this function */ + kgsl_cmdbatch_sync_event_put(event); + + /* +@@ -1935,6 +1946,7 @@ + } + + trace_syncpoint_fence(cmdbatch, event->handle->name); ++ spin_unlock_irqrestore(&cmdbatch->lock, flags); + + /* + * Event was successfully added to the synclist, the async diff --git a/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 new file mode 100644 index 00000000..33270417 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMgYi9kcml2ZXJzL2dwdS9tc20va2dzbC5jCmluZGV4IDM1MGFkMDguLjQ0Zjk4MWMgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMKKysrIGIvZHJpdmVycy9ncHUvbXNtL2tnc2wuYwpAQCAtMTYwOSw2ICsxNjA5LDcgQEAKIAlzdHJ1Y3Qga2dzbF9kZXZpY2UgKmRldmljZTsKIAlzdHJ1Y3Qga2dzbF9jbWRiYXRjaCAqY21kYmF0Y2ggPSAoc3RydWN0IGtnc2xfY21kYmF0Y2ggKikgZGF0YTsKIAlzdHJ1Y3Qga2dzbF9jbWRiYXRjaF9zeW5jX2V2ZW50ICpldmVudDsKKwl1bnNpZ25lZCBsb25nIGZsYWdzOwogCiAJaWYgKGNtZGJhdGNoID09IE5VTEwgfHwgY21kYmF0Y2gtPmNvbnRleHQgPT0gTlVMTCkKIAkJcmV0dXJuOwpAQCAtMTYyMywxNCArMTYyNCwxNCBAQAogCWtnc2xfY29udGV4dF9kdW1wKGNtZGJhdGNoLT5jb250ZXh0KTsKIAljbGVhcl9iaXQoQ01EQkFUQ0hfRkxBR19GRU5DRV9MT0csICZjbWRiYXRjaC0+cHJpdik7CiAKLQlzcGluX2xvY2soJmNtZGJhdGNoLT5sb2NrKTsKKwlzcGluX2xvY2tfaXJxc2F2ZSgmY21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKIAkvKiBQcmludCBhbGwgdGhlIGZlbmNlcyAqLwogCWxpc3RfZm9yX2VhY2hfZW50cnkoZXZlbnQsICZjbWRiYXRjaC0+c3luY2xpc3QsIG5vZGUpIHsKIAkJaWYgKEtHU0xfQ01EX1NZTkNQT0lOVF9UWVBFX0ZFTkNFID09IGV2ZW50LT50eXBlICYmCiAJCQlldmVudC0+aGFuZGxlICYmIGV2ZW50LT5oYW5kbGUtPmZlbmNlKQogCQkJa2dzbF9zeW5jX2ZlbmNlX2xvZyhldmVudC0+aGFuZGxlLT5mZW5jZSk7CiAJfQotCXNwaW5fdW5sb2NrKCZjbWRiYXRjaC0+bG9jayk7CisJc3Bpbl91bmxvY2tfaXJxcmVzdG9yZSgmY21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKIAlkZXZfZXJyKGRldmljZS0+ZGV2LCAiLS1ncHUgc3luY3BvaW50IGRlYWRsb2NrIHByaW50IGVuZC0tXG4iKTsKIH0KIC8qKgpAQCAtMTY4NSwxNSArMTY4NiwxNiBAQAogCXN0cnVjdCBrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnQgKmV2ZW50KQogewogCXN0cnVjdCBrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnQgKmUsICp0bXA7CisJdW5zaWduZWQgbG9uZyBmbGFnczsKIAlpbnQgc2NoZWQgPSAwOwogCWludCByZW1vdmVkID0gMDsKIAogCS8qCi0JICogV2UgbWF5IGhhdmUgY21kYmF0Y2ggdGltZXIgcnVubmluZywgd2hpY2ggYWxzbyB1c2VzIHNhbWUgbG9jaywKLQkgKiB0YWtlIGEgbG9jayB3aXRoIHNvZnR3YXJlIGludGVycnVwdCBkaXNhYmxlZCAoYmgpIHRvIGF2b2lkCi0JICogc3BpbiBsb2NrIHJlY3Vyc2lvbi4KKwkgKiBjbWRiYXRjaCB0aW1lciBvciBldmVudCBjYWxsYmFjayBtaWdodCBydW4gYXQKKwkgKiB0aGlzIHRpbWUgaW4gaW50ZXJydXB0IGNvbnRleHQgYW5kIHVzZXMgc2FtZSBsb2NrLgorCSAqIFNvIHVzZSBpcnEtc2F2ZSB2ZXJzaW9uIG9mIHNwaW4gbG9jay4KIAkgKi8KLQlzcGluX2xvY2tfYmgoJmV2ZW50LT5jbWRiYXRjaC0+bG9jayk7CisJc3Bpbl9sb2NrX2lycXNhdmUoJmV2ZW50LT5jbWRiYXRjaC0+bG9jaywgZmxhZ3MpOwogCiAJLyoKIAkgKiBzeW5jIGV2ZW50cyB0aGF0IGFyZSBjb250YWluZWQgYnkgYSBjbWRiYXRjaCB3aGljaCBoYXMgYmVlbgpAQCAtMTcwOCw4ICsxNzEwLDkgQEAKIAkJfQogCX0KIAorCWV2ZW50LT5oYW5kbGUgPSBOVUxMOwogCXNjaGVkID0gbGlzdF9lbXB0eSgmZXZlbnQtPmNtZGJhdGNoLT5zeW5jbGlzdCkgPyAxIDogMDsKLQlzcGluX3VubG9ja19iaCgmZXZlbnQtPmNtZGJhdGNoLT5sb2NrKTsKKwlzcGluX3VubG9ja19pcnFyZXN0b3JlKCZldmVudC0+Y21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKIAogCS8qIElmIHRoZSBsaXN0IGlzIGVtcHR5IGRlbGV0ZSB0aGUgY2FuYXJ5IHRpbWVyICovCiAJaWYgKHNjaGVkKQpAQCAtMTc3MSwxNiArMTc3NCwyMCBAQAogCXN0cnVjdCBrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnQgKmV2ZW50LCAqdG1wc3luYzsKIAlMSVNUX0hFQUQoY2FuY2VsX3N5bmNsaXN0KTsKIAlpbnQgc2NoZWQgPSAwOworCXVuc2lnbmVkIGxvbmcgZmxhZ3M7CiAKIAkvKiBaYXAgdGhlIGNhbmFyeSB0aW1lciAqLwogCWRlbF90aW1lcl9zeW5jKCZjbWRiYXRjaC0+dGltZXIpOwogCi0JLyogbm9uLWJoIGJlY2F1c2Ugd2UganVzdCBkZXN0cm95ZWQgdGltZXIgKi8KLQlzcGluX2xvY2soJmNtZGJhdGNoLT5sb2NrKTsKKwkvKgorCSAqIGNhbGxiYWNrIG1pZ2h0IHJ1biBpbiBpbnRlcnJ1cHQgY29udGV4dAorCSAqIHNvIG5lZWQgdG8gdXNlIGlycXNhdmUgdmVyc2lvbiBvZiBzcGlubG9ja3MuCisJICovCisJc3Bpbl9sb2NrX2lycXNhdmUoJmNtZGJhdGNoLT5sb2NrLCBmbGFncyk7CiAKIAkvKiBFbXB0eSB0aGUgc3luY2xpc3QgYmVmb3JlIGNhbmNlbGluZyBldmVudHMgKi8KIAlsaXN0X3NwbGljZV9pbml0KCZjbWRiYXRjaC0+c3luY2xpc3QsICZjYW5jZWxfc3luY2xpc3QpOwotCXNwaW5fdW5sb2NrKCZjbWRiYXRjaC0+bG9jayk7CisJc3Bpbl91bmxvY2tfaXJxcmVzdG9yZSgmY21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKIAogCS8qCiAJICogRmluaXNoIGNhbmNlbGluZyBldmVudHMgb3V0c2lkZSB0aGUgY21kYmF0Y2ggc3BpbmxvY2sgYW5kCkBAIC0xODAyLDggKzE4MDksMTUgQEAKIAkJCQlrZ3NsX2NtZGJhdGNoX3N5bmNfZnVuYywgZXZlbnQpOwogCQl9IGVsc2UgaWYgKGV2ZW50LT50eXBlID09IEtHU0xfQ01EX1NZTkNQT0lOVF9UWVBFX0ZFTkNFKSB7CiAJCQkvKiBQdXQgZXZlbnRzIHRoYXQgYXJlIHN1Y2Nlc3NmdWxseSBjYW5jZWxlZCAqLwotCQkJaWYgKGtnc2xfc3luY19mZW5jZV9hc3luY19jYW5jZWwoZXZlbnQtPmhhbmRsZSkpCisJCQlzcGluX2xvY2tfaXJxc2F2ZSgmY21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKKworCQkJaWYgKGtnc2xfc3luY19mZW5jZV9hc3luY19jYW5jZWwoZXZlbnQtPmhhbmRsZSkpIHsKKwkJCQlldmVudC0+aGFuZGxlID0gTlVMTDsKKwkJCQlzcGluX3VubG9ja19pcnFyZXN0b3JlKCZjbWRiYXRjaC0+bG9jaywgZmxhZ3MpOwogCQkJCWtnc2xfY21kYmF0Y2hfc3luY19ldmVudF9wdXQoZXZlbnQpOworCQkJfSBlbHNlIHsKKwkJCQlzcGluX3VubG9ja19pcnFyZXN0b3JlKCZjbWRiYXRjaC0+bG9jaywgZmxhZ3MpOworCQkJfQogCQl9CiAKIAkJLyogUHV0IGV2ZW50cyB0aGF0IGhhdmUgYmVlbiByZW1vdmVkIGZyb20gdGhlIHN5bmNsaXN0ICovCkBAIC0xODY0LDYgKzE4NzgsNyBAQAogewogCXN0cnVjdCBrZ3NsX2NtZF9zeW5jcG9pbnRfZmVuY2UgKnN5bmMgPSBwcml2OwogCXN0cnVjdCBrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnQgKmV2ZW50OworCXVuc2lnbmVkIGxvbmcgZmxhZ3M7CiAKIAlldmVudCA9IGt6YWxsb2Moc2l6ZW9mKCpldmVudCksIEdGUF9LRVJORUwpOwogCkBAIC0xODkyLDExICsxOTA3LDYgQEAKIAogCWtyZWZfZ2V0KCZldmVudC0+cmVmY291bnQpOwogCi0JLyogbm9uLWJoIGJlY2F1c2UsIHdlIGhhdmVuJ3Qgc3RhcnRlZCBjbWRiYXRjaCB0aW1lciB5ZXQgKi8KLQlzcGluX2xvY2soJmNtZGJhdGNoLT5sb2NrKTsKLQlsaXN0X2FkZCgmZXZlbnQtPm5vZGUsICZjbWRiYXRjaC0+c3luY2xpc3QpOwotCXNwaW5fdW5sb2NrKCZjbWRiYXRjaC0+bG9jayk7Ci0KIAkvKgogCSAqIEluY3JlbWVudCB0aGUgcmVmZXJlbmNlIGNvdW50IGZvciB0aGUgYXN5bmMgY2FsbGJhY2suCiAJICogRGVjcmVtZW50IHdoZW4gdGhlIGNhbGxiYWNrIGlzIHN1Y2Nlc3NmdWxseSBjYW5jZWxlZCwgd2hlbgpAQCAtMTkwNCw2ICsxOTE0LDEwIEBACiAJICovCiAKIAlrcmVmX2dldCgmZXZlbnQtPnJlZmNvdW50KTsKKworCXNwaW5fbG9ja19pcnFzYXZlKCZjbWRiYXRjaC0+bG9jaywgZmxhZ3MpOworCWxpc3RfYWRkKCZldmVudC0+bm9kZSwgJmNtZGJhdGNoLT5zeW5jbGlzdCk7CisKIAlldmVudC0+aGFuZGxlID0ga2dzbF9zeW5jX2ZlbmNlX2FzeW5jX3dhaXQoc3luYy0+ZmQsCiAJCWtnc2xfY21kYmF0Y2hfc3luY19mZW5jZV9mdW5jLCBldmVudCk7CiAKQEAgLTE5MTEsMTcgKzE5MjUsMTQgQEAKIAkJaW50IHJldCA9IFBUUl9FUlIoZXZlbnQtPmhhbmRsZSk7CiAKIAkJZXZlbnQtPmhhbmRsZSA9IE5VTEw7Ci0KLQkJLyogRmFpbGVkIHRvIGFkZCB0aGUgZXZlbnQgdG8gdGhlIGFzeW5jIGNhbGxiYWNrICovCi0JCWtnc2xfY21kYmF0Y2hfc3luY19ldmVudF9wdXQoZXZlbnQpOwotCiAJCS8qIFJlbW92ZSBldmVudCBmcm9tIHRoZSBzeW5jbGlzdCAqLwotCQlzcGluX2xvY2soJmNtZGJhdGNoLT5sb2NrKTsKIAkJbGlzdF9kZWwoJmV2ZW50LT5ub2RlKTsKLQkJc3Bpbl91bmxvY2soJmNtZGJhdGNoLT5sb2NrKTsKKwkJc3Bpbl91bmxvY2tfaXJxcmVzdG9yZSgmY21kYmF0Y2gtPmxvY2ssIGZsYWdzKTsKKwkJLyogUHV0IGZvciBldmVudCByZW1vdmFsIGZyb20gdGhlIHN5bmNsaXN0ICovCiAJCWtnc2xfY21kYmF0Y2hfc3luY19ldmVudF9wdXQoZXZlbnQpOwotCi0JCS8qIEV2ZW50IG5vIGxvbmdlciBuZWVkZWQgYnkgdGhpcyBmdW5jdGlvbiAqLworCQkvKiBVbmFibGUgdG8gYWRkIGV2ZW50IHRvIHRoZSBhc3luYyBjYWxsYmFjayBzbyBhIHB1dCAqLworCQlrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnRfcHV0KGV2ZW50KTsKKwkJLyogUHV0IHNpbmNlIGV2ZW50IG5vIGxvbmdlciBuZWVkZWQgYnkgdGhpcyBmdW5jdGlvbiAqLwogCQlrZ3NsX2NtZGJhdGNoX3N5bmNfZXZlbnRfcHV0KGV2ZW50KTsKIAogCQkvKgpAQCAtMTkzNSw2ICsxOTQ2LDcgQEAKIAl9CiAKIAl0cmFjZV9zeW5jcG9pbnRfZmVuY2UoY21kYmF0Y2gsIGV2ZW50LT5oYW5kbGUtPm5hbWUpOworCXNwaW5fdW5sb2NrX2lycXJlc3RvcmUoJmNtZGJhdGNoLT5sb2NrLCBmbGFncyk7CiAKIAkvKgogCSAqIEV2ZW50IHdhcyBzdWNjZXNzZnVsbHkgYWRkZWQgdG8gdGhlIHN5bmNsaXN0LCB0aGUgYXN5bmMK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch new file mode 100644 index 00000000..c9a4bd42 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch @@ -0,0 +1,35 @@ +From 072d53b2ca00ac57ca4e0ebe2315b431256cf786 Mon Sep 17 00:00:00 2001 +From: Narender Ankam +Date: Wed, 23 Aug 2017 15:55:50 +0530 +Subject: [PATCH] msm: mdss: hdmi: validate HDMI EDID's max number of CEA + blocks + +No upper-bound validation is performed when reading number of +extended CEA blocks from the untrusted source (EDID). Add a check +to limit the number of CEA extension blocks. + +Bug: 37625232 +Change-Id: I69f09ed0ad28a4c267cf3e8f7a12efe46f75e244 +Signed-off-by: Narender Ankam +--- + drivers/video/msm/mdss/mdss_hdmi_edid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/video/msm/mdss/mdss_hdmi_edid.c b/drivers/video/msm/mdss/mdss_hdmi_edid.c +index 36c24302658d8..5c8f52c42302c 100644 +--- a/drivers/video/msm/mdss/mdss_hdmi_edid.c ++++ b/drivers/video/msm/mdss/mdss_hdmi_edid.c +@@ -2180,6 +2180,13 @@ int hdmi_edid_parser(void *input) + goto bail; + } + ++ /* Find out if CEA extension blocks exceeding max limit */ ++ if (num_of_cea_blocks >= MAX_EDID_BLOCKS) { ++ DEV_WARN("%s: HDMI EDID exceeded max CEA blocks limit\n", ++ __func__); ++ num_of_cea_blocks = MAX_EDID_BLOCKS - 1; ++ } ++ + /* check for valid CEA block */ + if (edid_buf[EDID_BLOCK_SIZE] != 2) { + DEV_ERR("%s: Invalid CEA block\n", __func__); diff --git a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch index 61187e6f..900cfb11 100644 --- a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch +++ b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch @@ -1,44 +1,67 @@ -From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001 -From: Vladis Dronov -Date: Wed, 2 Aug 2017 19:50:14 +0200 -Subject: xfrm: policy: check policy direction value +From 0af5440977299a17a0f226ce00d872572a426c14 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Tue, 15 Aug 2017 15:12:24 -0700 +Subject: [PATCH] ANDROID: check dir value of xfrm_userpolicy_id -The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used -as an array index. This can lead to an out-of-bound access, kernel lockup and -DoS. Add a check for the 'dir' value. +Check user provided dir value to prevent out-of-bound access +which may occur if dir is not less than XFRM_POLICY_MAX. -This fixes CVE-2017-11600. +(url: http://seclists.org/bugtraq/2017/Jul/30) -References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 -Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") -Cc: # v2.6.21-rc1 -Reported-by: "bo Zhang" -Signed-off-by: Vladis Dronov -Signed-off-by: Steffen Klassert +Bug: 64257838 +Signed-off-by: Suren Baghdasaryan +Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0 --- - net/xfrm/xfrm_policy.c | 6 ++++++ - 1 file changed, 6 insertions(+) + net/xfrm/xfrm_user.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) -diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index ff61d85..6f5a0dad 100644 ---- a/net/xfrm/xfrm_policy.c -+++ b/net/xfrm/xfrm_policy.c -@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, - struct xfrm_state *x_new[XFRM_MAX_DEPTH]; - struct xfrm_migrate *mp; +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 3f565e495ac6..0cc105403826 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1583,6 +1583,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, + struct sk_buff *skb; + int err; -+ /* Stage 0 - sanity checks */ - if ((err = xfrm_migrate_check(m, num_migrate)) < 0) - goto out; - -+ if (dir >= XFRM_POLICY_MAX) { -+ err = -EINVAL; -+ goto out; -+ } ++ err = verify_policy_dir(dir); ++ if (err) ++ return ERR_PTR(err); + - /* Stage 1 - find policy */ - if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { - err = -ENOENT; --- -cgit v1.1 - + skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!skb) + return ERR_PTR(-ENOMEM); +@@ -2129,6 +2133,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, + int err; + int n = 0; + ++ err = verify_policy_dir(pi->dir); ++ if (err) ++ return err; ++ + if (attrs[XFRMA_MIGRATE] == NULL) + return -EINVAL; + +@@ -2243,6 +2251,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, + { + struct net *net = &init_net; + struct sk_buff *skb; ++ int err; ++ ++ err = verify_policy_dir(dir); ++ if (err) ++ return err; + + skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC); + if (skb == NULL) +@@ -2871,6 +2884,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c) + + static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) + { ++ int err; ++ ++ err = verify_policy_dir(dir); ++ if (err) ++ return err; + + switch (c->event) { + case XFRM_MSG_NEWPOLICY: diff --git a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch new file mode 100644 index 00000000..61187e6f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch @@ -0,0 +1,44 @@ +From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Wed, 2 Aug 2017 19:50:14 +0200 +Subject: xfrm: policy: check policy direction value + +The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used +as an array index. This can lead to an out-of-bound access, kernel lockup and +DoS. Add a check for the 'dir' value. + +This fixes CVE-2017-11600. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Cc: # v2.6.21-rc1 +Reported-by: "bo Zhang" +Signed-off-by: Vladis Dronov +Signed-off-by: Steffen Klassert +--- + net/xfrm/xfrm_policy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index ff61d85..6f5a0dad 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, + struct xfrm_state *x_new[XFRM_MAX_DEPTH]; + struct xfrm_migrate *mp; + ++ /* Stage 0 - sanity checks */ + if ((err = xfrm_migrate_check(m, num_migrate)) < 0) + goto out; + ++ if (dir >= XFRM_POLICY_MAX) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /* Stage 1 - find policy */ + if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { + err = -ENOENT; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch b/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch new file mode 100644 index 00000000..c5eeb700 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch @@ -0,0 +1,32 @@ +From 58fd55e838276a0c13d1dc7c387f90f25063cbf3 Mon Sep 17 00:00:00 2001 +From: Arvind Yadav +Date: Mon, 9 Oct 2017 20:14:48 +0200 +Subject: [PATCH] media: imon: Fix null-ptr-deref in imon_probe + +It seems that the return value of usb_ifnum_to_if() can be NULL and +needs to be checked. + +Signed-off-by: Arvind Yadav +Tested-by: Andrey Konovalov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/rc/imon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c +index 9724fe8110e3d..9fef8cc171140 100644 +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface, + mutex_lock(&driver_lock); + + first_if = usb_ifnum_to_if(usbdev, 0); ++ if (!first_if) { ++ ret = -ENODEV; ++ goto fail; ++ } ++ + first_if_ctx = usb_get_intfdata(first_if); + + if (ifnum == 0) { diff --git a/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch new file mode 100644 index 00000000..c9bc20d8 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch @@ -0,0 +1,182 @@ +From b1cb7372fa822af6c06c8045963571d13ad6348b Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 7 Nov 2017 08:39:39 -0500 +Subject: [PATCH] dvb_frontend: don't use-after-free the frontend struct + +dvb_frontend_invoke_release() may free the frontend struct. +So, the free logic can't update it anymore after calling it. + +That's OK, as __dvb_frontend_free() is called only when the +krefs are zeroed, so nobody is using it anymore. + +That should fix the following KASAN error: + +The KASAN report looks like this (running on kernel 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+)): +================================================================== +BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120 +Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24 + +CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 + kasan_report+0x23d/0x350 mm/kasan/report.c:409 + __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 + __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156 + dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 + dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803 + dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 + dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 + dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 + dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 + usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 + __device_release_driver drivers/base/dd.c:861 + device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 + device_release_driver+0x1e/0x30 drivers/base/dd.c:918 + bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 + device_del+0x5c4/0xab0 drivers/base/core.c:1985 + usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 + usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 + hub_port_connect drivers/usb/core/hub.c:4754 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x363/0x440 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Allocated by task 24: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 + kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 + kmalloc ./include/linux/slab.h:493 + kzalloc ./include/linux/slab.h:666 + dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212 + dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136 + dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 + dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 + dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 + dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277 + dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x363/0x440 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Freed by task 24: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 + slab_free_hook mm/slub.c:1390 + slab_free_freelist_hook mm/slub.c:1412 + slab_free mm/slub.c:2988 + kfree+0xf6/0x2f0 mm/slub.c:3919 + dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202 + dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790 + dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789 + __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153 + dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 + dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803 + dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 + dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 + dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 + dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 + usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 + __device_release_driver drivers/base/dd.c:861 + device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 + device_release_driver+0x1e/0x30 drivers/base/dd.c:918 + bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 + device_del+0x5c4/0xab0 drivers/base/core.c:1985 + usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 + usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 + hub_port_connect drivers/usb/core/hub.c:4754 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x363/0x440 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +The buggy address belongs to the object at ffff880067d45500 + which belongs to the cache kmalloc-2048 of size 2048 +The buggy address is located 1280 bytes inside of + 2048-byte region [ffff880067d45500, ffff880067d45d00) +The buggy address belongs to the page: +page:ffffea00019f5000 count:1 mapcount:0 mapping: (null) +index:0x0 compound_mapcount: 0 +flags: 0x100000000008100(slab|head) +raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f +raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880067d45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: ead666000a5f ("media: dvb_frontend: only use kref after initialized") + +Reported-by: Andrey Konovalov +Suggested-by: Matthias Schwarzott +Tested-by: Andrey Konovalov +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/dvb-core/dvb_frontend.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index d485d5f6cc887..3ad83359098bd 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -150,11 +150,8 @@ static void __dvb_frontend_free(struct dvb_frontend *fe) + + dvb_frontend_invoke_release(fe, fe->ops.release); + +- if (!fepriv) +- return; +- +- kfree(fepriv); +- fe->frontend_priv = NULL; ++ if (fepriv) ++ kfree(fepriv); + } + + static void dvb_frontend_free(struct kref *ref) diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch new file mode 100644 index 00000000..f33cb0d2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch @@ -0,0 +1,96 @@ +From f9a1c372299fed53d4b72bb601f7f3bfe6f9999c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 6 Nov 2017 10:47:14 +0100 +Subject: [PATCH] ALSA: usx2y: Fix invalid stream URBs + +The us122l driver creates URBs per the fixed endpoints, and this may +end up with URBs with inconsistent pipes when a fuzzer or a malicious +program deals with the manipulated endpoints. It ends up with a +kernel warning like: + + usb 1-1: BOGUS urb xfer, pipe 0 != type 3 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471 + usb_submit_urb+0x113e/0x1400 + Call Trace: + usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690 + us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365 + us122l_create_card sound/usb/usx2y/us122l.c:502 + us122l_usb_probe sound/usb/usx2y/us122l.c:588 + .... + +For avoiding the bad access, this patch adds a few sanity checks of +the validity of created URBs like previous similar fixes using the new +usb_urb_ep_type_check() helper function. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +--- + sound/usb/usx2y/usb_stream.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c +index e229abd216526..b0f8979ff2d2f 100644 +--- a/sound/usb/usx2y/usb_stream.c ++++ b/sound/usb/usx2y/usb_stream.c +@@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb) + lb, s->period_size); + } + +-static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, ++static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, + struct urb **urbs, char *transfer, + struct usb_device *dev, int pipe) + { +@@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, + urb->interval = 1; + if (usb_pipeout(pipe)) + continue; ++ if (usb_urb_ep_type_check(urb)) ++ return -EINVAL; + + urb->transfer_buffer_length = transfer_length; + desc = urb->iso_frame_desc; +@@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, + desc[p].length = maxpacket; + } + } ++ ++ return 0; + } + +-static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, ++static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, + struct usb_device *dev, int in_pipe, int out_pipe) + { + struct usb_stream *s = sk->s; +@@ -103,9 +107,12 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, + sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL); + } + +- init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe); +- init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, +- out_pipe); ++ if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) || ++ init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, ++ out_pipe)) ++ return -EINVAL; ++ ++ return 0; + } + + +@@ -226,7 +233,11 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk, + else + sk->freqn = get_usb_high_speed_rate(sample_rate); + +- init_urbs(sk, use_packsize, dev, in_pipe, out_pipe); ++ if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) { ++ usb_stream_free(sk); ++ return NULL; ++ } ++ + sk->s->state = usb_stream_stopped; + out: + return sk->s; diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch new file mode 100644 index 00000000..917a1c73 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch @@ -0,0 +1,51 @@ +From 58fc7f73a85d45a47057dad2af53502fdf6cf778 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 4 Oct 2017 15:07:21 +0200 +Subject: [PATCH] ALSA: caiaq: Add a sanity check for invalid EPs + +As syzkaller spotted, currently caiaq driver submits a URB with the +fixed EP without checking whether it's actually available, which may +result in a kernel warning like: + usb 1-1: BOGUS urb xfer, pipe 3 != type 1 + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449 + usb_submit_urb+0xf8a/0x11d0 + Modules linked in: + CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted + 4.14.0-rc2-42660-g24b7bd59eec0 #277 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + init_card sound/usb/caiaq/device.c:467 + snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + .... + +This patch adds a sanity check of validity of EPs at the device +initialization phase for avoiding the call with an invalid EP. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +--- + sound/usb/caiaq/device.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c +index 0fb6b1b792617..a29674bf96e57 100644 +--- a/sound/usb/caiaq/device.c ++++ b/sound/usb/caiaq/device.c +@@ -461,6 +461,13 @@ static int init_card(struct snd_usb_caiaqdev *cdev) + cdev->midi_out_buf, EP1_BUFSIZE, + snd_usb_caiaq_midi_output_done, cdev); + ++ /* sanity checks of EPs before actually submitting */ ++ if (usb_urb_ep_type_check(&cdev->ep1_in_urb) || ++ usb_urb_ep_type_check(&cdev->midi_out_urb)) { ++ dev_err(dev, "invalid EPs\n"); ++ return -EINVAL; ++ } ++ + init_waitqueue_head(&cdev->ep1_wait_queue); + init_waitqueue_head(&cdev->prepare_wait_queue); + diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch new file mode 100644 index 00000000..2c457bc7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch @@ -0,0 +1,52 @@ +From 2a4340c57717162c6bf07a0860d05711d4de994b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 4 Oct 2017 15:09:24 +0200 +Subject: [PATCH] ALSA: line6: Add a sanity check for invalid EPs + +As syzkaller spotted, currently line6 drivers submit a URB with the +fixed EP without checking whether it's actually available, which may +result in a kernel warning like: + usb 1-1: BOGUS urb xfer, pipe 3 != type 1 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449 + usb_submit_urb+0xf8a/0x11d0 + Modules linked in: + CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82 + line6_init_cap_control sound/usb/line6/driver.c:690 + line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764 + podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + .... + +This patch adds a sanity check of validity of EPs at the device +initialization phase for avoiding the call with an invalid EP. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +--- + sound/usb/line6/driver.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index 0ff5a7d2e19fe..0da6f68761e3e 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -78,6 +78,13 @@ static int line6_start_listen(struct usb_line6 *line6) + line6->buffer_listen, LINE6_BUFSIZE_LISTEN, + line6_data_received, line6); + } ++ ++ /* sanity checks of EP before actually submitting */ ++ if (usb_urb_ep_type_check(line6->urb_listen)) { ++ dev_err(line6->ifcdev, "invalid control EP\n"); ++ return -EINVAL; ++ } ++ + line6->urb_listen->actual_length = 0; + err = usb_submit_urb(line6->urb_listen, GFP_ATOMIC); + return err; diff --git a/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch new file mode 100644 index 00000000..3590c21d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch @@ -0,0 +1,52 @@ +From 6815a0b444572527256f0d0efd8efe3ddede6018 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 4 Oct 2017 15:03:40 +0200 +Subject: [PATCH] ALSA: bcd2000: Add a sanity check for invalid EPs + +As syzkaller spotted, currently bcd2000 driver submits a URB with the +fixed EP without checking whether it's actually available, which may +result in a kernel warning like: + usb 1-1: BOGUS urb xfer, pipe 1 != type 3 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449 + usb_submit_urb+0xf8a/0x11d0 + Modules linked in: + CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted + 4.14.0-rc2-42613-g1488251d1a98 #238 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289 + bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345 + bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + .... + +This patch adds a sanity check of validity of EPs at the device +initialization phase for avoiding the call with an invalid EP. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +--- + sound/usb/bcd2000/bcd2000.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c +index 7371e5b060356..a6408209d7f1d 100644 +--- a/sound/usb/bcd2000/bcd2000.c ++++ b/sound/usb/bcd2000/bcd2000.c +@@ -342,6 +342,13 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k) + bcd2k->midi_out_buf, BUFSIZE, + bcd2000_output_complete, bcd2k, 1); + ++ /* sanity checks of EPs before actually submitting */ ++ if (usb_urb_ep_type_check(bcd2k->midi_in_urb) || ++ usb_urb_ep_type_check(bcd2k->midi_out_urb)) { ++ dev_err(&bcd2k->dev->dev, "invalid MIDI EP\n"); ++ return -EINVAL; ++ } ++ + bcd2000_init_device(bcd2k); + + return 0; diff --git a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch new file mode 100644 index 00000000..606bc5b0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch @@ -0,0 +1,61 @@ +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c +index 1dcaba4..e08cf95 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c +@@ -1613,6 +1613,9 @@ + int tstate, throt_cur_tstate, edp_cur_tstate; + unsigned long freq, cur_freq = ULONG_MAX; + ++ if (cur_state > bthrot_ins->throt_tab_size) ++ return -EINVAL; ++ + if (bthrot_ins->cur_state == cur_state) + return 0; + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c +index a18e4c9..1243d21 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c +@@ -314,6 +314,9 @@ + struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata; + struct nvkm_volt *volt = &priv->base; + ++ if (cur_state >= MAX_THERMAL_LIMITS) ++ return -EINVAL; ++ + mutex_lock(&volt->therm_lock); + + if (priv->therm_idx == cur_state) +diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c +index 5c0af3b..990cd61 100644 +--- a/drivers/soc/tegra/tegra-dvfs.c ++++ b/drivers/soc/tegra/tegra-dvfs.c +@@ -1068,6 +1068,14 @@ + if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready) + return -EINVAL; + ++ if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { ++ if (new_idx >= rail->therm_floors_size) ++ return -EINVAL; ++ } else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) { ++ if (new_idx > rail->therm_caps_size) ++ return -EINVAL; ++ } ++ + mutex_lock(&dvfs_lock); + if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { + if (rail->therm_floor_idx != new_idx) { +diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c +index 39a913e..e9991db 100644 +--- a/drivers/thermal/tegra/tegra_throttle.c ++++ b/drivers/thermal/tegra/tegra_throttle.c +@@ -198,6 +198,9 @@ + if (bthrot->cpu_freq_table == NULL) + return 0; + ++ if (cur_state > bthrot_ins->throt_tab_size) ++ return -EINVAL; ++ + if (bthrot_ins->cur_state == cur_state) + return 0; + diff --git a/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 new file mode 100644 index 00000000..dfe3bd98 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L2Nsay9nbTIwYi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKaW5kZXggMWRjYWJhNC4uZTA4Y2Y5NSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKQEAgLTE2MTMsNiArMTYxMyw5IEBACiAJaW50IHRzdGF0ZSwgdGhyb3RfY3VyX3RzdGF0ZSwgZWRwX2N1cl90c3RhdGU7CiAJdW5zaWduZWQgbG9uZyBmcmVxLCBjdXJfZnJlcSA9IFVMT05HX01BWDsKIAorCWlmIChjdXJfc3RhdGUgPiBidGhyb3RfaW5zLT50aHJvdF90YWJfc2l6ZSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlpZiAoYnRocm90X2lucy0+Y3VyX3N0YXRlID09IGN1cl9zdGF0ZSkKIAkJcmV0dXJuIDA7CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYyBiL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYwppbmRleCBhMThlNGM5Li4xMjQzZDIxIDEwMDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi92b2x0L2drMjBhLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvdm9sdC9nazIwYS5jCkBAIC0zMTQsNiArMzE0LDkgQEAKIAlzdHJ1Y3QgZ2syMGFfdm9sdF9wcml2ICpwcml2ID0gKHN0cnVjdCBnazIwYV92b2x0X3ByaXYgKiljZGV2LT5kZXZkYXRhOwogCXN0cnVjdCBudmttX3ZvbHQgKnZvbHQgPSAmcHJpdi0+YmFzZTsKIAorCWlmIChjdXJfc3RhdGUgPj0gTUFYX1RIRVJNQUxfTElNSVRTKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCW11dGV4X2xvY2soJnZvbHQtPnRoZXJtX2xvY2spOwogCiAJaWYgKHByaXYtPnRoZXJtX2lkeCA9PSBjdXJfc3RhdGUpCmRpZmYgLS1naXQgYS9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMgYi9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMKaW5kZXggNWMwYWYzYi4uOTkwY2Q2MSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zb2MvdGVncmEvdGVncmEtZHZmcy5jCisrKyBiL2RyaXZlcnMvc29jL3RlZ3JhL3RlZ3JhLWR2ZnMuYwpAQCAtMTA2OCw2ICsxMDY4LDE0IEBACiAJaWYgKElTX0VSUl9PUl9OVUxMKHRlZ3JhX2NvcmVfcmFpbCkgfHwgIXRlZ3JhX2NvcmVfcmFpbC0+aXNfcmVhZHkpCiAJCXJldHVybiAtRUlOVkFMOwogCisJaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfRkxPT1IpIHsKKwkJaWYgKG5ld19pZHggPj0gcmFpbC0+dGhlcm1fZmxvb3JzX3NpemUpCisJCQlyZXR1cm4gLUVJTlZBTDsKKwl9IGVsc2UgaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfQ0FQKSB7CisJCWlmIChuZXdfaWR4ID4gcmFpbC0+dGhlcm1fY2Fwc19zaXplKQorCQkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJbXV0ZXhfbG9jaygmZHZmc19sb2NrKTsKIAlpZiAodHlwZSA9PSBURUdSQV9EVkZTX0NPUkVfVEhFUk1BTF9GTE9PUikgewogCQlpZiAocmFpbC0+dGhlcm1fZmxvb3JfaWR4ICE9IG5ld19pZHgpIHsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdGhlcm1hbC90ZWdyYS90ZWdyYV90aHJvdHRsZS5jIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKaW5kZXggMzlhOTEzZS4uZTk5OTFkYiAxMDA2NDQKLS0tIGEvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKKysrIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKQEAgLTE5OCw2ICsxOTgsOSBAQAogCWlmIChidGhyb3QtPmNwdV9mcmVxX3RhYmxlID09IE5VTEwpCiAJCXJldHVybiAwOwogCisJaWYgKGN1cl9zdGF0ZSA+IGJ0aHJvdF9pbnMtPnRocm90X3RhYl9zaXplKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCWlmIChidGhyb3RfaW5zLT5jdXJfc3RhdGUgPT0gY3VyX3N0YXRlKQogCQlyZXR1cm4gMDsKIAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch new file mode 100644 index 00000000..606bc5b0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch @@ -0,0 +1,61 @@ +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c +index 1dcaba4..e08cf95 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c +@@ -1613,6 +1613,9 @@ + int tstate, throt_cur_tstate, edp_cur_tstate; + unsigned long freq, cur_freq = ULONG_MAX; + ++ if (cur_state > bthrot_ins->throt_tab_size) ++ return -EINVAL; ++ + if (bthrot_ins->cur_state == cur_state) + return 0; + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c +index a18e4c9..1243d21 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c +@@ -314,6 +314,9 @@ + struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata; + struct nvkm_volt *volt = &priv->base; + ++ if (cur_state >= MAX_THERMAL_LIMITS) ++ return -EINVAL; ++ + mutex_lock(&volt->therm_lock); + + if (priv->therm_idx == cur_state) +diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c +index 5c0af3b..990cd61 100644 +--- a/drivers/soc/tegra/tegra-dvfs.c ++++ b/drivers/soc/tegra/tegra-dvfs.c +@@ -1068,6 +1068,14 @@ + if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready) + return -EINVAL; + ++ if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { ++ if (new_idx >= rail->therm_floors_size) ++ return -EINVAL; ++ } else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) { ++ if (new_idx > rail->therm_caps_size) ++ return -EINVAL; ++ } ++ + mutex_lock(&dvfs_lock); + if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) { + if (rail->therm_floor_idx != new_idx) { +diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c +index 39a913e..e9991db 100644 +--- a/drivers/thermal/tegra/tegra_throttle.c ++++ b/drivers/thermal/tegra/tegra_throttle.c +@@ -198,6 +198,9 @@ + if (bthrot->cpu_freq_table == NULL) + return 0; + ++ if (cur_state > bthrot_ins->throt_tab_size) ++ return -EINVAL; ++ + if (bthrot_ins->cur_state == cur_state) + return 0; + diff --git a/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 new file mode 100644 index 00000000..dfe3bd98 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L2Nsay9nbTIwYi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKaW5kZXggMWRjYWJhNC4uZTA4Y2Y5NSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKQEAgLTE2MTMsNiArMTYxMyw5IEBACiAJaW50IHRzdGF0ZSwgdGhyb3RfY3VyX3RzdGF0ZSwgZWRwX2N1cl90c3RhdGU7CiAJdW5zaWduZWQgbG9uZyBmcmVxLCBjdXJfZnJlcSA9IFVMT05HX01BWDsKIAorCWlmIChjdXJfc3RhdGUgPiBidGhyb3RfaW5zLT50aHJvdF90YWJfc2l6ZSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlpZiAoYnRocm90X2lucy0+Y3VyX3N0YXRlID09IGN1cl9zdGF0ZSkKIAkJcmV0dXJuIDA7CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYyBiL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYwppbmRleCBhMThlNGM5Li4xMjQzZDIxIDEwMDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi92b2x0L2drMjBhLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvdm9sdC9nazIwYS5jCkBAIC0zMTQsNiArMzE0LDkgQEAKIAlzdHJ1Y3QgZ2syMGFfdm9sdF9wcml2ICpwcml2ID0gKHN0cnVjdCBnazIwYV92b2x0X3ByaXYgKiljZGV2LT5kZXZkYXRhOwogCXN0cnVjdCBudmttX3ZvbHQgKnZvbHQgPSAmcHJpdi0+YmFzZTsKIAorCWlmIChjdXJfc3RhdGUgPj0gTUFYX1RIRVJNQUxfTElNSVRTKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCW11dGV4X2xvY2soJnZvbHQtPnRoZXJtX2xvY2spOwogCiAJaWYgKHByaXYtPnRoZXJtX2lkeCA9PSBjdXJfc3RhdGUpCmRpZmYgLS1naXQgYS9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMgYi9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMKaW5kZXggNWMwYWYzYi4uOTkwY2Q2MSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zb2MvdGVncmEvdGVncmEtZHZmcy5jCisrKyBiL2RyaXZlcnMvc29jL3RlZ3JhL3RlZ3JhLWR2ZnMuYwpAQCAtMTA2OCw2ICsxMDY4LDE0IEBACiAJaWYgKElTX0VSUl9PUl9OVUxMKHRlZ3JhX2NvcmVfcmFpbCkgfHwgIXRlZ3JhX2NvcmVfcmFpbC0+aXNfcmVhZHkpCiAJCXJldHVybiAtRUlOVkFMOwogCisJaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfRkxPT1IpIHsKKwkJaWYgKG5ld19pZHggPj0gcmFpbC0+dGhlcm1fZmxvb3JzX3NpemUpCisJCQlyZXR1cm4gLUVJTlZBTDsKKwl9IGVsc2UgaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfQ0FQKSB7CisJCWlmIChuZXdfaWR4ID4gcmFpbC0+dGhlcm1fY2Fwc19zaXplKQorCQkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJbXV0ZXhfbG9jaygmZHZmc19sb2NrKTsKIAlpZiAodHlwZSA9PSBURUdSQV9EVkZTX0NPUkVfVEhFUk1BTF9GTE9PUikgewogCQlpZiAocmFpbC0+dGhlcm1fZmxvb3JfaWR4ICE9IG5ld19pZHgpIHsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdGhlcm1hbC90ZWdyYS90ZWdyYV90aHJvdHRsZS5jIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKaW5kZXggMzlhOTEzZS4uZTk5OTFkYiAxMDA2NDQKLS0tIGEvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKKysrIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKQEAgLTE5OCw2ICsxOTgsOSBAQAogCWlmIChidGhyb3QtPmNwdV9mcmVxX3RhYmxlID09IE5VTEwpCiAJCXJldHVybiAwOwogCisJaWYgKGN1cl9zdGF0ZSA+IGJ0aHJvdF9pbnMtPnRocm90X3RhYl9zaXplKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCWlmIChidGhyb3RfaW5zLT5jdXJfc3RhdGUgPT0gY3VyX3N0YXRlKQogCQlyZXR1cm4gMDsKIAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch new file mode 100644 index 00000000..8f982048 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch @@ -0,0 +1,50 @@ +From 7136ca73ff3496758b56f60b6fe76d675e69cd21 Mon Sep 17 00:00:00 2001 +From: Arend van Spriel +Date: Fri, 7 Jul 2017 21:09:06 +0100 +Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream. + +The lower level nl80211 code in cfg80211 ensures that "len" is between +25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from +"len" so thats's max of 2280. However, the action_frame->data[] buffer is +only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can +overflow. + + memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], + le16_to_cpu(action_frame->len)); + +Cc: stable@vger.kernel.org # 3.9.x +Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") +Reported-by: "freenerguo(郭大兴)" +Signed-off-by: Arend van Spriel +Signed-off-by: David S. Miller +[wt: s/cfg80211.c/wl_cfg80211.c in 3.10] + +Signed-off-by: Willy Tarreau +--- + drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +index 2c52430..8afb609 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +@@ -4019,6 +4019,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, + cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, + GFP_KERNEL); + } else if (ieee80211_is_action(mgmt->frame_control)) { ++ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { ++ brcmf_err("invalid action frame length\n"); ++ err = -EINVAL; ++ goto exit; ++ } + af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); + if (af_params == NULL) { + brcmf_err("unable to allocate frame\n"); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7541/^4.12/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7541/^4.12/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch new file mode 100644 index 00000000..adc039a1 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch @@ -0,0 +1,42 @@ +From 1853870b216d3446efd39190a8ff0006c54dfd46 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 9 May 2017 06:29:19 -0700 +Subject: [PATCH] BACKPORT: dccp/tcp: do not inherit mc_list from parent + +syzkaller found a way to trigger double frees from ip_mc_drop_socket() + +It turns out that leave a copy of parent mc_list at accept() time, +which is very bad. + +Very similar to commit 8b485ce69876 ("tcp: do not inherit +fastopen_req from parent") + +Initial report from Pray3r, completed by Andrey one. +Thanks a lot to them ! + +Signed-off-by: Eric Dumazet +Reported-by: Pray3r +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Roberto Pereira +(cherry picked from commit 657831ffc38e30092a2d5f03d385d710eb88b09a) +Bug:38413975 +Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad +--- + net/ipv4/inet_connection_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 64198a381ddca..008b52bc99a3d 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -697,6 +697,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port; + newsk->sk_write_space = sk_stream_write_space; + ++ inet_sk(newsk)->mc_list = NULL; ++ + newsk->sk_mark = inet_rsk(req)->ir_mark; + + newicsk->icsk_retransmits = 0; diff --git a/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0002.patch b/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8890/^4.11/0002.patch rename to Patches/Linux_CVEs/CVE-2017-8890/^4.11/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch new file mode 100644 index 00000000..15d4323f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch @@ -0,0 +1,29 @@ +From b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74 Mon Sep 17 00:00:00 2001 +From: Siarhei Vishniakou +Date: Thu, 16 Mar 2017 16:26:53 -0700 +Subject: [PATCH] arm64: dts: marlin: remove QBT1000 from device tree + +Marlin does not use QBT1000. + +Bug: 36575870 +Bug: 36227548 +Test: Tested on marlin and sailfish. + +Change-Id: I48a2b75f1cd678a673a8706e8d3304b25f45d3cd +Signed-off-by: Siarhei Vishniakou +--- + arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi +index 831a99c32c0aa..4fedb4b6149c4 100644 +--- a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi ++++ b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi +@@ -109,6 +109,7 @@ + qcom,mitigation-freq-khz = <1132800>; + }; + }; ++ /delete-node/ qcom,qbt1000; + }; + + &wdog { diff --git a/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch new file mode 100644 index 00000000..a38c6108 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch @@ -0,0 +1,34 @@ +From 8b44a684139301fa31548e8120b7e6299965572a Mon Sep 17 00:00:00 2001 +From: Alok Kediya +Date: Thu, 2 Mar 2017 15:51:35 +0530 +Subject: [PATCH] msm: camera: Bound check for num_of_stream. + +- num of stream comes from userspace and used without +any bound check.It may result to overflow update_info. + +CRs-Fixed: 2006829 + +Bug: 36232584 +Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2 +Signed-off-by: Alok Kediya +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +index 43a2c77dcc8da..490ab13e4e607 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +@@ -817,6 +817,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg) + struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL; + struct msm_isp_sw_framskip *sw_skip_info = NULL; + ++ if (update_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s: Invalid num_streams %d\n", ++ __func__, update_cmd->num_streams); ++ return -EINVAL; ++ } ++ + /*validate request*/ + for (i = 0; i < update_cmd->num_streams; i++) { + update_info = &update_cmd->update_info[i]; diff --git a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch new file mode 100644 index 00000000..2ab44552 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch @@ -0,0 +1,43 @@ +From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001 +From: Haibin Liu +Date: Wed, 17 May 2017 18:52:30 +0800 +Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting + +When getting power down setting, there is an untrusted pointer +from a user space pointer.Need to copy to the kernel space first. + +CRs-Fixed: 2037398 +Bug: 36492827 +Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148 +Signed-off-by: Haibin Liu +--- + .../platform/msm/camera_v2/sensor/msm_sensor_driver.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +index 87e741b651c4a..5d3c56191e0d4 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +@@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting, + + #ifdef CONFIG_COMPAT + if (is_compat_task()) { +- int i = 0; +- struct msm_sensor_power_setting32 *power_setting_iter = +- (struct msm_sensor_power_setting32 *)compat_ptr(( +- (struct msm_camera_sensor_slave_info32 *)setting)-> +- power_setting_array.power_setting); +- +- for (i = 0; i < size_down; i++) { +- pd[i].config_val = power_setting_iter[i].config_val; +- pd[i].delay = power_setting_iter[i].delay; +- pd[i].seq_type = power_setting_iter[i].seq_type; +- pd[i].seq_val = power_setting_iter[i].seq_val; ++ rc = msm_sensor_get_pw_settings_compat( ++ pd, pu, size_down); ++ if (rc < 0) { ++ pr_err("failed"); ++ return -EFAULT; + } + } else + #endif diff --git a/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch new file mode 100644 index 00000000..eba2fa50 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch @@ -0,0 +1,122 @@ +From c46b2ecd901a12867d0dd91ae019f4b7256bcfec Mon Sep 17 00:00:00 2001 +From: Haibin Liu +Date: Wed, 9 Aug 2017 16:26:41 +0800 +Subject: [PATCH] msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG + +Issue: +the invalid slave_info is used by msm_sensor_driver_probe. +This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly. + +Fix: +1) avoid the same msm_sd_subdev added into the ordered_sd_list. +2) enlarge the buffer size for i2c addr and data. + +Bug: 36492827 +Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54 +Signed-off-by: Haibin Liu +--- + drivers/media/platform/msm/camera_v2/msm.c | 5 +++++ + .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 5 +++-- + .../msm/camera_v2/sensor/msm_sensor_driver.c | 25 ++++++++++++++-------- + 3 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c +index e517f0f589ce6..47ba2f99dd001 100644 +--- a/drivers/media/platform/msm/camera_v2/msm.c ++++ b/drivers/media/platform/msm/camera_v2/msm.c +@@ -334,6 +334,11 @@ static void msm_add_sd_in_position(struct msm_sd_subdev *msm_subdev, + struct msm_sd_subdev *temp_sd; + + list_for_each_entry(temp_sd, sd_list, list) { ++ if (temp_sd == msm_subdev) { ++ pr_err("%s :Fail to add the same sd %d\n", ++ __func__, __LINE__); ++ return; ++ } + if (msm_subdev->close_seq < temp_sd->close_seq) { + list_add_tail(&msm_subdev->list, &temp_sd->list); + return; +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c +index 877021edc776d..4243005beff50 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c +@@ -17,7 +17,8 @@ + #undef CDBG + #define CDBG(fmt, args...) pr_debug(fmt, ##args) + #define S_I2C_DBG(fmt, args...) pr_debug(fmt, ##args) +- ++#define MAX_I2C_ADDR_TYPE_SIZE (MSM_CAMERA_I2C_3B_ADDR + 1) ++#define MAX_I2C_DATA_TYPE_SIZE (MSM_CAMERA_I2C_SET_BYTE_WRITE_MASK_DATA + 1) + #define I2C_COMPARE_MATCH 0 + #define I2C_COMPARE_MISMATCH 1 + #define I2C_POLL_MAX_ITERATION 20 +@@ -27,7 +28,7 @@ int32_t msm_camera_cci_i2c_read(struct msm_camera_i2c_client *client, + enum msm_camera_i2c_data_type data_type) + { + int32_t rc = -EFAULT; +- unsigned char buf[client->addr_type+data_type]; ++ unsigned char buf[MAX_I2C_ADDR_TYPE_SIZE + MAX_I2C_DATA_TYPE_SIZE]; + struct msm_camera_cci_ctrl cci_ctrl; + + if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR +diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +index 5d3c56191e0d4..bd376ffa28c10 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2015,2017 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -103,7 +103,11 @@ static int32_t msm_sensor_driver_create_i2c_v4l_subdev + s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name; + s_ctrl->sensordata->sensor_info->session_id = session_id; + s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3; +- msm_sd_register(&s_ctrl->msm_sd); ++ rc = msm_sd_register(&s_ctrl->msm_sd); ++ if (rc < 0) { ++ pr_err("failed: msm_sd_register rc %d", rc); ++ return rc; ++ } + CDBG("%s:%d\n", __func__, __LINE__); + return rc; + } +@@ -133,7 +137,11 @@ static int32_t msm_sensor_driver_create_v4l_subdev + s_ctrl->msm_sd.sd.entity.group_id = MSM_CAMERA_SUBDEV_SENSOR; + s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name; + s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3; +- msm_sd_register(&s_ctrl->msm_sd); ++ rc = msm_sd_register(&s_ctrl->msm_sd); ++ if (rc < 0) { ++ pr_err("failed: msm_sd_register rc %d", rc); ++ return rc; ++ } + msm_sensor_v4l2_subdev_fops = v4l2_subdev_fops; + #ifdef CONFIG_COMPAT + msm_sensor_v4l2_subdev_fops.compat_ioctl32 = +@@ -885,12 +893,6 @@ int32_t msm_sensor_driver_probe(void *setting, + + pr_err("%s probe succeeded", slave_info->sensor_name); + +- /* +- Set probe succeeded flag to 1 so that no other camera shall +- * probed on this slot +- */ +- s_ctrl->is_probe_succeed = 1; +- + /* + * Update the subdevice id of flash-src based on availability in kernel. + */ +@@ -940,6 +942,11 @@ int32_t msm_sensor_driver_probe(void *setting, + + msm_sensor_fill_sensor_info(s_ctrl, probed_info, entity_name); + ++ /* ++ * Set probe succeeded flag to 1 so that no other camera shall ++ * probed on this slot ++ */ ++ s_ctrl->is_probe_succeed = 1; + return rc; + + camera_power_down: diff --git a/Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9719/3.18/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9719/3.18/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9719/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch rename to Patches/Linux_CVEs/CVE-2017-9719/4.4/0002.patch diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt index 94e35dc2..c07fd9e3 100644 --- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt +++ b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt @@ -1,7 +1,8 @@ +#Last checked 2017-11-25 #This is a combined list from the following sources # https://source.android.com/security/bulletin # https://source.android.com/security/advisory -# https://cve.lineageos.org +# https://cve.lineageos.org/api/v1/cves # https://www.codeaurora.org/security-advisories # https://www.codeaurora.org/security-advisories/security-bulletins # https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md @@ -71,7 +72,9 @@ CVE-2013-6123 CVE-2013-6282 Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483 CVE-2013-7446 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c + Link - ^4.3 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c + Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/8a292b04183e82d59721ab0893e4216010aa3db9 + Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/5bed19c9f463f9078063363779548c50aea271a0 CVE-2014-0196 Link - https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e5099713ce @@ -293,7 +296,10 @@ CVE-2014-9904 CVE-2014-9914 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9709674e68646cee5a24e3000b3558d25412203a CVE-2014-9922 + Depends Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69c433ed2ecd2d3264efd7afec4439524b319121 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/48a6c91c1d967cc8375621509676a9eabfac5777 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/57bc19ec472ab303209b2d96a59a619c5221594d CVE-2014-9940 Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=60a2362f769cf549dc466134efe71c8bf9fbaaba CVE-2015-3636 @@ -968,9 +974,13 @@ CVE-2016-6828 CVE-2016-7042 Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=03dab869b7b239c4e013ec82aea22e181e441cfc CVE-2016-7097 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073931017b49d9458aa351605b43a7e34598caef + Depends + Link - ^4.8 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073931017b49d9458aa351605b43a7e34598caef + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/6b0c893dc08060d6999b07136391d8a298678dae + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/aedf77d56472d1fddf050c61c1017d4f51149fb1 CVE-2016-7117 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d + Link - ^4.5 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d + Link - ^4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=0b5240c45e2029986526b1405ab24906c708f770 CVE-2016-7910 Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84 CVE-2016-7911 @@ -1339,6 +1349,9 @@ CVE-2017-0628 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f CVE-2017-0629 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f +CVE-2017-0630 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/28fb06421ab3d9256d32611138306470996cc4c1 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/45e5a5e1b85f23843b90f3cddcfc26fa862ff80c CVE-2017-0631 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=8236d6ebc7e26361ca7078cbeba01509f10941d8 CVE-2017-0632 @@ -1393,6 +1406,12 @@ CVE-2017-0824 Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3d6c7b39db34369e28b0581be26f57e9467f8408 CVE-2017-0825 Link - https://github.com/android/kernel_msm/commit/83366dd9ddb9337450f704ceef750a06c69df9ff +CVE-2017-0861 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/93533f313a1bf465ff8c33032e91b88315dcf9bf +CVE-2017-0862 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/19384322b5b51987bd6037f7a6b18a62a5d4d654 +CVE-2017-0866 + Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/40286163f84a29993c2f552a237256541875a1b4 CVE-2017-1000251 Link - 3.0 - https://review.lineageos.org/#/c/189602/ Link - 3.4 - https://review.lineageos.org/#/c/189415/ @@ -1443,12 +1462,16 @@ CVE-2017-11012 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=7d0e40d328fa092c36b9585516ed29fc6041be55 CVE-2017-11013 Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64297e4caffdf6b1a90807bbdb65a66b43582228 + Link - qcacld-2.0 - https://android.googlesource.com/kernel/msm/+/bb3c16f2e001eef9dcdd73e8c6ed6331e5fdd86b Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c9f8654b11a1e693022ad7f163b3bc477fea8ce8 CVE-2017-11014 + Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/adb96af5b080dfe4ee29961a17ed3f04c87d5519 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 CVE-2017-11015 Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/ac39bfffe109a6cffcaf3b537505130712161dce Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be + Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/d7285900f6fa28b0be51f5d18c52bd06385f8aee + Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=1ef6add65a36de6c4da788f776de2b5b5c528d8e CVE-2017-11018 @@ -1457,23 +1480,26 @@ CVE-2017-11022 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1379bfb6c09ee2ad5969db45c27fb675602b4ed0 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f41e3dbc92d448d3d56cae5517e41a4bafafdf3f CVE-2017-11023 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c36e61af0f770125d0061a8d988d0987cc8d116a + Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/17ef83c708be034454df7914ef5484c36515eece + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c36e61af0f770125d0061a8d988d0987cc8d116a CVE-2017-11024 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f2a482422fefadfa0fa9b4146fc0e2b46ac04922 CVE-2017-11025 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=95e72ae9281b77abc3ed0cc6a33c17b989241efa CVE-2017-11028 Depends + Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/a96e06fac09e182b5211f20dd6311f93a5d056af Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fd70b655d901e626403f132b65fc03d993f0a09b Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6724296d3f3b2821b83219768c1b9e971e380a9f CVE-2017-11029 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/e13a16c079cf8f5c758f5c31fbd72edca2656e54 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=74ab23917b82769644a3299da47b58e080aa63f2 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=86f0d207d478e1681f6711b46766cfb3c6a30fb5 CVE-2017-11032 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2720294757d0ad5294283c15dc837852f7b2329a CVE-2017-11035 - Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=cc1896424ae7a346090f601bc69c6ca51d9c3e04 + Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156 CVE-2017-11040 Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7a4d0eea0ca0c8a72111ae58d9829be817f102c9 CVE-2017-11046 @@ -1510,7 +1536,22 @@ CVE-2017-11064 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=38d6f16b8583bae6a1881c744ae08d609c99cb7e CVE-2017-11067 Link - https://github.com/aosp-mirror/kernel_msm/commit/3fabdcba3a09ce8f3cc757bf6240e53421a1e363 +CVE-2017-11073 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/120d28bad9890eca3a6451a83a7c71cb650dfef7 +CVE-2017-11085 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/dc8f7a19762df2c84678482b60f6b807b919eb44 +CVE-2017-11089 + Link - https://android.googlesource.com/kernel/msm/+/a30bdf229ab1efd96e500c43aabbff20e223128a +CVE-2017-11090 + Link - https://android.googlesource.com/kernel/msm/+/98f7c17df33355e78417e6bb2395f810a903bb64 +CVE-2017-11091 + Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/10b0cb47e92abe52c5372ded0fe80a5a5f18586f +CVE-2017-11092 + Link - https://android.googlesource.com/kernel/msm/+/d78717de292b114f388e900e3e7947ae44630982 +CVE-2017-11093 + Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/072d53b2ca00ac57ca4e0ebe2315b431256cf786 CVE-2017-11600 + Link - 3.10 - https://github.com/aosp-mirror/kernel_common/commit/0af5440977299a17a0f226ce00d872572a426c14 Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e CVE-2017-12146 Link - 3.16+ - https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git/commit/?h=driver-core-next&id=6265539776a0810b7ce6398c27866ddb9c6bd154 @@ -1563,6 +1604,10 @@ CVE-2017-6074 Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 CVE-2017-6214 Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82 +CVE-2017-6274 + Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc +CVE-2017-6275 + Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc CVE-2017-6345 Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b74d439e1697110c5e5c600643e823eb1dd0762 CVE-2017-6346 @@ -1645,7 +1690,8 @@ CVE-2017-7495 Link - 3.18 - https://review.lineageos.org/#/c/175289 Link - ^4.6 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824 CVE-2017-7541 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c + Link - ^4.12 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c + Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.108&id=7136ca73ff3496758b56f60b6fe76d675e69cd21 CVE-2017-7616 Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 CVE-2017-7618 @@ -1757,6 +1803,7 @@ CVE-2017-8281 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c CVE-2017-8890 Link - 3.4 - https://review.lineageos.org/#/c/173325/ + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/1853870b216d3446efd39190a8ff0006c54dfd46 Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a CVE-2017-9074 Depends @@ -1798,6 +1845,8 @@ CVE-2017-9686 CVE-2017-9687 Link - 3.18 - https://github.com/android/kernel_msm/commit/34cff2eb2adc663de32ca682b57551c50c9253c6 Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=8f1a77f5da53edd2b5a1c42ddd766712a90109d6 +CVE-2017-9690 + Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74 CVE-2017-9691 Depends Link - https://github.com/android/kernel_msm/commit/869bd2cd3d6c17826b6f162e0d721174224b867a @@ -1808,9 +1857,14 @@ CVE-2017-9693 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05a5abb21e4d97001f77d344444a3ec2f9c275f9 CVE-2017-9694 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef +CVE-2017-9696 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/8b44a684139301fa31548e8120b7e6299965572a CVE-2017-9697 Link - 3.18 - https://github.com/android/kernel_msm/commit/4b788ca419ec37e4cdb421fef9edc208a491ce30 Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 +CVE-2017-9702 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/2ae1eab54e874553c078e5275421398597401ac9 + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/c46b2ecd901a12867d0dd91ae019f4b7256bcfec CVE-2017-9706 Link - https://github.com/android/kernel_msm/commit/7489a0a8f68d0f018d0f9df5df157bb20f83b05e CVE-2017-9714 @@ -1820,8 +1874,8 @@ CVE-2017-9715 CVE-2017-9717 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bf7486fb6d82fb9ad02e303b6fdf4061cfc0375d CVE-2017-9719 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0 + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807 + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0 CVE-2017-9720 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c74dbab508c7c07d8e2cf8230cc78bff4b710272 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d @@ -1857,7 +1911,7 @@ CVE-2017-16535 CVE-2017-16536 Link - ^4.13 - https://patchwork.kernel.org/patch/9963527/ CVE-2017-16537 - Link - ^4.13 - https://patchwork.kernel.org/patch/9994017/ + Link - ^4.13 - https://github.com/torvalds/linux/commit/58fd55e838276a0c13d1dc7c387f90f25063cbf3 CVE-2017-16538 Link - ^4.13 - https://patchwork.linuxtv.org/patch/44566/ Link - ^4.13 - https://patchwork.linuxtv.org/patch/44567/ @@ -1872,7 +1926,7 @@ CVE-2017-16646 CVE-2017-16647 Link - https://patchwork.ozlabs.org/patch/834686/ CVE-2017-16648 - Link - https://patchwork.kernel.org/patch/10046189/ + Link - https://github.com/torvalds/linux/commit/b1cb7372fa822af6c06c8045963571d13ad6348b CVE-2017-16649 Link - https://patchwork.ozlabs.org/patch/834771/ CVE-2017-16650 @@ -1883,6 +1937,10 @@ CVE-2017-16USB Link - https://github.com/torvalds/linux/commit/70e743e4cec3733dc13559f6184b35d358b9ef3f Link - https://github.com/torvalds/linux/commit/122d6a347329818419b032c5a1776e6b3866d9b9 Link - https://github.com/torvalds/linux/commit/0a8fd1346254974c3a852338508e4a4cddbb35f1 + Link - https://github.com/torvalds/linux/commit/f9a1c372299fed53d4b72bb601f7f3bfe6f9999c + Link - https://github.com/torvalds/linux/commit/58fc7f73a85d45a47057dad2af53502fdf6cf778 + Link - https://github.com/torvalds/linux/commit/2a4340c57717162c6bf07a0860d05711d4de994b + Link - https://github.com/torvalds/linux/commit/6815a0b444572527256f0d0efd8efe3ddede6018 CVE-2016-GadgetFS Link - https://github.com/torvalds/linux/commit/0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 Link - https://github.com/torvalds/linux/commit/520b72fc64debf8a86c3853b8e486aa5982188f0