From 86c2d7a648c3a335b307961a3e50ff4a385d2db5 Mon Sep 17 00:00:00 2001 
From: Tad
Date: Sun, 29 Oct 2017 03:46:24 -0400
Subject: [PATCH] Remove many duplicate linux CVE patches and update patchers
---
Patches/Linux_CVEs/CVE-2012-6703/1.patch | 31 --
Patches/Linux_CVEs/CVE-2012-6703/2.patch | 66 ---
Patches/Linux_CVEs/CVE-2014-4656/1.patch | 39 --
Patches/Linux_CVEs/CVE-2014-9420/0.patch | 13 +-
Patches/Linux_CVEs/CVE-2014-9420/1.patch | 57 --
Patches/Linux_CVEs/CVE-2014-9683/1.patch | 37 --
Patches/Linux_CVEs/CVE-2014-9715/1.patch | 56 --
Patches/Linux_CVEs/CVE-2014-9778/0.patch | 48 --
Patches/Linux_CVEs/CVE-2014-9898/0.patch | 178 ------
Patches/Linux_CVEs/CVE-2015-2041/1.patch | 58 --
Patches/Linux_CVEs/CVE-2015-8830/1.patch | 106 ----
Patches/Linux_CVEs/CVE-2016-10229/0.patch | 94 ----
Patches/Linux_CVEs/CVE-2016-10296/0.patch | 88 ---
Patches/Linux_CVEs/CVE-2016-2185/1.patch | 109 ----
Patches/Linux_CVEs/CVE-2016-2186/1.patch | 38 --
Patches/Linux_CVEs/CVE-2016-2187/0.patch | 56 --
Patches/Linux_CVEs/CVE-2016-3136/1.patch | 53 --
Patches/Linux_CVEs/CVE-2016-3137/1.patch | 53 --
Patches/Linux_CVEs/CVE-2016-3138/1.patch | 39 --
Patches/Linux_CVEs/CVE-2016-3140/1.patch | 57 --
Patches/Linux_CVEs/CVE-2016-3689/1.patch | 40 --
Patches/Linux_CVEs/CVE-2016-3855/0.patch | 41 --
Patches/Linux_CVEs/CVE-2016-5861/2.patch | 78 ---
Patches/Linux_CVEs/CVE-2016-6681/0.patch | 46 --
Patches/Linux_CVEs/CVE-2016-6786/0.patch | 505 ------------------
Patches/Linux_CVEs/CVE-2016-8391/0.patch | 97 ----
Patches/Linux_CVEs/CVE-2016-8393/0.patch | 444 ---------------
Patches/Linux_CVEs/CVE-2016-8474/0.patch | 46 --
Patches/Linux_CVEs/CVE-2016-8478/0.patch | 73 ---
Patches/Linux_CVEs/CVE-2017-0435/0.patch | 185 -------
Patches/Linux_CVEs/CVE-2017-0435/1.patch | 26 -
Patches/Linux_CVEs/CVE-2017-0436/0.patch | 185 -------
Patches/Linux_CVEs/CVE-2017-0438/0.patch | 128 -----
Patches/Linux_CVEs/CVE-2017-0438/1.patch | 127 -----
Patches/Linux_CVEs/CVE-2017-0442/0.patch | 128 -----
Patches/Linux_CVEs/CVE-2017-0442/1.patch | 127 -----
Patches/Linux_CVEs/CVE-2017-0443/0.patch | 128 -----
Patches/Linux_CVEs/CVE-2017-0443/1.patch | 127 -----
Patches/Linux_CVEs/CVE-2017-0445/2.patch | 210 --------
Patches/Linux_CVEs/CVE-2017-0445/3.patch | 181 -------
Patches/Linux_CVEs/CVE-2017-0446/0.patch | 34 --
Patches/Linux_CVEs/CVE-2017-0447/0.patch | 34 --
Patches/Linux_CVEs/CVE-2017-0533/0.patch | 73 ---
Patches/Linux_CVEs/CVE-2017-0534/0.patch | 73 ---
Patches/Linux_CVEs/CVE-2017-0536/0.patch | 91 ----
Patches/Linux_CVEs/CVE-2017-0569/0.patch | 79 ---
Patches/Linux_CVEs/CVE-2017-0570/0.patch | 79 ---
Patches/Linux_CVEs/CVE-2017-0628/0.patch | 56 --
Patches/Linux_CVEs/CVE-2017-0788/0.patch | 60 ---
Patches/Linux_CVEs/CVE-2017-10998/1.patch | 43 --
Patches/Linux_CVEs/CVE-2017-5669/1.patch | 75 ---
Patches/Linux_CVEs/CVE-2017-6074/1.patch | 47 --
Patches/Linux_CVEs/CVE-2017-7369/1.patch | 50 --
Patches/Linux_CVEs/CVE-2017-7371/1.patch | 45 --
Patches/Linux_CVEs/CVE-2017-7618/1.patch | 1 -
Patches/Linux_CVEs/CVE-2017-9077/0.patch | 64 ---
.../android_kernel_amazon_hdx-common.sh | 93 ++--
.../android_kernel_asus_msm8916.sh | 11 +-
.../android_kernel_fairphone_msm8974.sh | 19 +-
.../android_kernel_google_marlin.sh | 135 ++---
.../CVE_Patchers/android_kernel_google_msm.sh | 21 +-
.../android_kernel_htc_flounder.sh | 51 +-
.../android_kernel_huawei_angler.sh | 102 ++--
.../android_kernel_lge_bullhead.sh | 92 ++--
.../android_kernel_lge_hammerhead.sh | 47 +-
.../CVE_Patchers/android_kernel_lge_mako.sh | 7 +-
.../CVE_Patchers/android_kernel_moto_shamu.sh | 108 ++--
.../android_kernel_motorola_msm8916.sh | 41 +-
.../android_kernel_motorola_msm8992.sh | 154 +++---
.../android_kernel_nextbit_msm8992.sh | 11 +-
.../android_kernel_oneplus_msm8974.sh | 41 +-
.../android_kernel_samsung_smdk4412.sh | 56 +-
72 files changed, 513 insertions(+), 5578 deletions(-)
delete mode 100644 Patches/Linux_CVEs/CVE-2012-6703/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2012-6703/2.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-4656/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9420/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9683/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9715/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9778/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9898/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2015-2041/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2015-8830/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-10229/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-10296/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-2185/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-2186/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-2187/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3136/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3137/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3138/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3140/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3689/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-3855/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-5861/2.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-6681/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-6786/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-8391/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-8393/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-8474/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2016-8478/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0435/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0435/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0436/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0438/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0438/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0442/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0442/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0443/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0443/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0445/2.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0445/3.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0446/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0447/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0533/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0534/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0536/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0569/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0570/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0628/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-0788/0.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-10998/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-5669/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-6074/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-7369/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-7371/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-7618/1.patch
delete mode 100644 Patches/Linux_CVEs/CVE-2017-9077/0.patch
diff --git a/Patches/Linux_CVEs/CVE-2012-6703/1.patch b/Patches/Linux_CVEs/CVE-2012-6703/1.patch
deleted file mode 100644
index a93bedec..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6703/1.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
-From: Dan Carpenter
-Date: Wed, 5 Sep 2012 15:32:18 +0300
-Subject: [PATCH] ALSA: compress_core: integer overflow in
- snd_compr_allocate_buffer()
-
-These are 32 bit values that come from the user, we need to check for
-integer overflows or we could end up allocating a smaller buffer than
-expected.
-
-Signed-off-by: Dan Carpenter
-Signed-off-by: Takashi Iwai
----
- sound/core/compress_offload.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index eb60cb8dbb8a6..68fe02c7400a2 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- unsigned int buffer_size;
- void *buffer;
-
-+ if (params->buffer.fragment_size == 0 ||
-+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ return -EINVAL;
-+
- buffer_size = params->buffer.fragment_size * params->buffer.fragments;
- if (stream->ops->copy) {
- buffer = NULL;
diff --git a/Patches/Linux_CVEs/CVE-2012-6703/2.patch b/Patches/Linux_CVEs/CVE-2012-6703/2.patch
deleted file mode 100644
index d3ff0972..00000000
--- a/Patches/Linux_CVEs/CVE-2012-6703/2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
-From: Vinod Koul
-Date: Mon, 17 Sep 2012 11:51:25 +0530
-Subject: [PATCH] ALSA: compress - move the buffer check
-
-Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
-added a new error check for input params.
-this add new routine for input checks and moves buffer overflow check to this
-new routine. This allows the error value to be propogated to user space
-
-Signed-off-by: Vinod Koul
-Signed-off-by: Takashi Iwai
----
- sound/core/compress_offload.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
-index 68fe02c7400a2..bd7f28e892540 100644
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- unsigned int buffer_size;
- void *buffer;
-
-- if (params->buffer.fragment_size == 0 ||
-- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-- return -EINVAL;
--
- buffer_size = params->buffer.fragment_size * params->buffer.fragments;
- if (stream->ops->copy) {
- buffer = NULL;
-@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
- return 0;
- }
-
-+static int snd_compress_check_input(struct snd_compr_params *params)
-+{
-+ /* first let's check the buffer parameter's */
-+ if (params->buffer.fragment_size == 0 ||
-+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+
- static int
- snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
- {
-@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
- retval = -EFAULT;
- goto out;
- }
-+
-+ retval = snd_compress_check_input(params);
-+ if (retval)
-+ goto out;
-+
- retval = snd_compr_allocate_buffer(stream, params);
- if (retval) {
- retval = -ENOMEM;
- goto out;
- }
-+
- retval = stream->ops->set_params(stream, params);
- if (retval)
- goto out;
diff --git a/Patches/Linux_CVEs/CVE-2014-4656/1.patch b/Patches/Linux_CVEs/CVE-2014-4656/1.patch
deleted file mode 100644
index 9cc4560c..00000000
--- a/Patches/Linux_CVEs/CVE-2014-4656/1.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f7500568b7633324e7c4282bb8baa3ff3f17fd7a Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen
-Date: Wed, 18 Jun 2014 13:32:35 +0200
-Subject: ALSA: control: Make sure that id->index does not overflow
-
-commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
-
-The ALSA control code expects that the range of assigned indices to a control is
-continuous and does not overflow. Currently there are no checks to enforce this.
-If a control with a overflowing index range is created that control becomes
-effectively inaccessible and unremovable since snd_ctl_find_id() will not be
-able to find it. This patch adds a check that makes sure that controls with a
-overflowing index range can not be created.
-
-Signed-off-by: Lars-Peter Clausen
-Acked-by: Jaroslav Kysela
-Signed-off-by: Takashi Iwai
-Signed-off-by: Ben Hutchings
----
- sound/core/control.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index d3f17de..9210594 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
- if (snd_BUG_ON(!card || !kcontrol->info))
- goto error;
- id = kcontrol->id;
-+ if (id.index > UINT_MAX - kcontrol->count)
-+ goto error;
-+
- down_write(&card->controls_rwsem);
- if (snd_ctl_find_id(card, &id)) {
- up_write(&card->controls_rwsem);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9420/0.patch b/Patches/Linux_CVEs/CVE-2014-9420/0.patch
index d677dc89..12f7d903 100644
--- a/Patches/Linux_CVEs/CVE-2014-9420/0.patch
+++ b/Patches/Linux_CVEs/CVE-2014-9420/0.patch
@@ -1,7 +1,9 @@ -From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001 +From 212c4d33ca83e2144064fe9c2911607fbed5386f Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 15 Dec 2014 14:22:46 +0100 -Subject: [PATCH] isofs: Fix infinite looping over CE entries +Subject: isofs: Fix infinite looping over CE entries + +commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream. Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs @@ -13,14 +15,14 @@ Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data. Reported-by: P J P -CC: stable@vger.kernel.org Signed-off-by: Jan Kara +Signed-off-by: Ben Hutchings --- fs/isofs/rock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bbae541ac..bb63254ed8486 100644 +index ee62cc0..26859de 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { @@ -50,3 +52,6 @@ index f488bbae541ac..bb63254ed8486 100644 bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-9420/1.patch b/Patches/Linux_CVEs/CVE-2014-9420/1.patch deleted file mode 100644 index 12f7d903..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9420/1.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From 212c4d33ca83e2144064fe9c2911607fbed5386f Mon Sep 17 00:00:00 2001
-From: Jan Kara
-Date: Mon, 15 Dec 2014 14:22:46 +0100
-Subject: isofs: Fix infinite looping over CE entries
-
-commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
-
-Rock Ridge extensions define so called Continuation Entries (CE) which
-define where is further space with Rock Ridge data. Corrupted isofs
-image can contain arbitrarily long chain of these, including a one
-containing loop and thus causing kernel to end in an infinite loop when
-traversing these entries.
-
-Limit the traversal to 32 entries which should be more than enough space
-to store all the Rock Ridge data.
-
-Reported-by: P J P
-Signed-off-by: Jan Kara
-Signed-off-by: Ben Hutchings
----
- fs/isofs/rock.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index ee62cc0..26859de 100644
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -30,6 +30,7 @@ struct rock_state {
- int cont_size;
- int cont_extent;
- int cont_offset;
-+ int cont_loops;
- struct inode *inode;
- };
-
-@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
- rs->inode = inode;
- }
-
-+/* Maximum number of Rock Ridge continuation entries */
-+#define RR_MAX_CE_ENTRIES 32
-+
- /*
- * Returns 0 if the caller should continue scanning, 1 if the scan must end
- * and -ve on error.
-@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
- goto out;
- }
- ret = -EIO;
-+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
-+ goto out;
- bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
- if (bh) {
- memcpy(rs->buffer, bh->b_data + rs->cont_offset,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9683/1.patch b/Patches/Linux_CVEs/CVE-2014-9683/1.patch
deleted file mode 100644
index 38919fbe..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9683/1.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f2d130454e46c3989af1b4f882b6a666d24fa2e0 Mon Sep 17 00:00:00 2001
-From: Michael Halcrow
-Date: Wed, 26 Nov 2014 09:09:16 -0800
-Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
- routine
-
-commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
-
-Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
-end of the allocated buffer during encrypted filename decoding. This
-fix corrects the issue by getting rid of the unnecessary 0 write when
-the current bit offset is 2.
-
-Signed-off-by: Michael Halcrow
-Reported-by: Dmitry Chernenkov
-Suggested-by: Kees Cook
-Signed-off-by: Tyler Hicks
-Signed-off-by: Ben Hutchings
----
- fs/ecryptfs/crypto.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
-index 68b19ab..dceedec 100644
---- a/fs/ecryptfs/crypto.c
-+++ b/fs/ecryptfs/crypto.c
-@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
- break;
- case 2:
- dst[dst_byte_offset++] |= (src_byte);
-- dst[dst_byte_offset] = 0;
- current_bit_offset = 0;
- break;
- }
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9715/1.patch b/Patches/Linux_CVEs/CVE-2014-9715/1.patch
deleted file mode 100644
index 3f7042c9..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9715/1.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 33eedfe8ecbaabcdc38be63901cb2b79e3190fda Mon Sep 17 00:00:00 2001
-From: Andrey Vagin
-Date: Fri, 28 Mar 2014 13:54:32 +0400
-Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
-
-commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
-
-"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
-case it can contain all extensions. Bellow you can find sizes for all
-types of extensions. Their sum is definitely bigger than 256.
-
-nf_ct_ext_types[0]->len = 24
-nf_ct_ext_types[1]->len = 32
-nf_ct_ext_types[2]->len = 24
-nf_ct_ext_types[3]->len = 32
-nf_ct_ext_types[4]->len = 152
-nf_ct_ext_types[5]->len = 2
-nf_ct_ext_types[6]->len = 16
-nf_ct_ext_types[7]->len = 8
-
-I have seen "len" up to 280 and my host has crashes w/o this patch.
-
-The right way to fix this problem is reducing the size of the ecache
-extension (4) and Florian is going to do this, but these changes will
-be quite large to be appropriate for a stable tree.
-
-Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
-Cc: Pablo Neira Ayuso
-Cc: Patrick McHardy
-Cc: Jozsef Kadlecsik
-Cc: "David S. Miller"
-Signed-off-by: Andrey Vagin
-Signed-off-by: Pablo Neira Ayuso
-Signed-off-by: Ben Hutchings
----
- include/net/netfilter/nf_conntrack_extend.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
-index 2dcf317..d918074 100644
---- a/include/net/netfilter/nf_conntrack_extend.h
-+++ b/include/net/netfilter/nf_conntrack_extend.h
-@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
- /* Extensions: optional stuff which isn't permanently in struct. */
- struct nf_ct_ext {
- struct rcu_head rcu;
-- u8 offset[NF_CT_EXT_NUM];
-- u8 len;
-+ u16 offset[NF_CT_EXT_NUM];
-+ u16 len;
- char data[0];
- };
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9778/0.patch b/Patches/Linux_CVEs/CVE-2014-9778/0.patch
deleted file mode 100644
index 3d3613c3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9778/0.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
-From: "Pachika, Vikas Reddy"
-Date: Fri, 1 Nov 2013 21:06:37 +0530
-Subject: msm: vidc: Validate userspace buffer count
-
-Makesure the number of buffers count is less than
-the maximum limit to avoid structure overflow errors.
-
-Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
-CRs-fixed: 563694
-Signed-off-by: Pachika, Vikas Reddy
----
- drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
- include/media/msm/vidc_init.h | 1 +
- 2 files changed, 7 insertions(+)
-
-diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
-index a843889..b45100f 100644
---- a/drivers/video/msm/vidc/common/dec/vdec.c
-+++ b/drivers/video/msm/vidc/common/dec/vdec.c
-@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
- vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
- vcd_h264_mv_buffer->offset = mv_data->offset;
-
-+ if (mv_data->count > MAX_MV_BUFFERS) {
-+ ERR("MV buffers maximum count reached, count = %d",
-+ mv_data->count);
-+ return false;
-+ }
-+
- if (!vcd_get_ion_status()) {
- if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
- (unsigned long *) (&(vcd_h264_mv_buffer->
-diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
-index c35f770..5df0c3e 100644
---- a/include/media/msm/vidc_init.h
-+++ b/include/media/msm/vidc_init.h
-@@ -20,6 +20,7 @@
- #define VIDC_MAX_NUM_CLIENTS 4
- #define MAX_VIDEO_NUM_OF_BUFF 100
- #define MAX_META_BUFFERS 32
-+#define MAX_MV_BUFFERS 32
-
- enum buffer_dir {
- BUFFER_TYPE_INPUT,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2014-9898/0.patch b/Patches/Linux_CVEs/CVE-2014-9898/0.patch
deleted file mode 100644
index 15191d3a..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9898/0.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 80be0e249c906704085d13d4ae446f73913fc225 Mon Sep 17 00:00:00 2001
-From: Baruch Eruchimovitch
-Date: Mon, 14 Oct 2013 15:49:41 +0300
-Subject: msm: ultrasound: add verifications of some input parameters
-
-Some security vulnerabilities were found.
-To fix them, additional verifications of some input parameters
-are required.
-
-CRs-Fixed: 554575, 554560, 555030
-Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
-Signed-off-by: Baruch Eruchimovitch
----
- arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c | 82 ++++++++++++++++++------------
- 1 file changed, 49 insertions(+), 33 deletions(-)
-
-diff --git a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-index 1ea213a..01fcfd9 100644
---- a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-+++ b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
-@@ -51,6 +51,11 @@
- #define Y_IND 1
- #define Z_IND 2
-
-+/* Shared memory limits */
-+/* max_buf_size = (port_size(65535*2) * port_num(8) * group_size(3) */
-+#define USF_MAX_BUF_SIZE 3145680
-+#define USF_MAX_BUF_NUM 32
-+
- /* Place for opreation result, received from QDSP6 */
- #define APR_RESULT_IND 1
-
-@@ -436,6 +441,15 @@ static int config_xx(struct usf_xx_type *usf_xx, struct us_xx_info_type *config)
- (config == NULL))
- return -EINVAL;
-
-+ if ((config->buf_size == 0) ||
-+ (config->buf_size > USF_MAX_BUF_SIZE) ||
-+ (config->buf_num == 0) ||
-+ (config->buf_num > USF_MAX_BUF_NUM)) {
-+ pr_err("%s: wrong params: buf_size=%d; buf_num=%d\n",
-+ __func__, config->buf_size, config->buf_num);
-+ return -EINVAL;
-+ }
-+
- data_map_size = sizeof(usf_xx->encdec_cfg.cfg_common.data_map);
- min_map_size = min(data_map_size, config->port_cnt);
-
-@@ -748,6 +762,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- {
- uint32_t timeout = 0;
- struct us_detect_info_type detect_info;
-+ struct usm_session_cmd_detect_info *p_allocated_memory = NULL;
- struct usm_session_cmd_detect_info usm_detect_info;
- struct usm_session_cmd_detect_info *p_usm_detect_info =
- &usm_detect_info;
-@@ -774,12 +789,13 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- uint8_t *p_data = NULL;
-
- detect_info_size += detect_info.params_data_size;
-- p_usm_detect_info = kzalloc(detect_info_size, GFP_KERNEL);
-- if (p_usm_detect_info == NULL) {
-+ p_allocated_memory = kzalloc(detect_info_size, GFP_KERNEL);
-+ if (p_allocated_memory == NULL) {
- pr_err("%s: detect_info[%d] allocation failed\n",
- __func__, detect_info_size);
- return -ENOMEM;
- }
-+ p_usm_detect_info = p_allocated_memory;
- p_data = (uint8_t *)p_usm_detect_info +
- sizeof(struct usm_session_cmd_detect_info);
-
-@@ -789,7 +805,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- if (rc) {
- pr_err("%s: copy params from user; rc=%d\n",
- __func__, rc);
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return -EFAULT;
- }
- p_usm_detect_info->algorithm_cfg_size =
-@@ -806,9 +822,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- p_usm_detect_info,
- detect_info_size);
- if (rc || (detect_info.detect_timeout == USF_NO_WAIT_TIMEOUT)) {
-- if (detect_info_size >
-- sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
- return rc;
- }
-
-@@ -828,25 +842,24 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
- USF_US_DETECT_UNDEF),
- timeout);
- /* In the case of timeout, "no US" is assumed */
-- if (rc < 0) {
-+ if (rc < 0)
- pr_err("%s: Getting US detection failed rc[%d]\n",
- __func__, rc);
-- return rc;
-- }
--
-- usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-- detect_info.is_us = (usf_xx->us_detect_type == USF_US_DETECT_YES);
-- rc = copy_to_user((void __user *)arg,
-- &detect_info,
-- sizeof(detect_info));
-- if (rc) {
-- pr_err("%s: copy detect_info to user; rc=%d\n",
-- __func__, rc);
-- rc = -EFAULT;
-+ else {
-+ usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
-+ detect_info.is_us =
-+ (usf_xx->us_detect_type == USF_US_DETECT_YES);
-+ rc = copy_to_user((void __user *)arg,
-+ &detect_info,
-+ sizeof(detect_info));
-+ if (rc) {
-+ pr_err("%s: copy detect_info to user; rc=%d\n",
-+ __func__, rc);
-+ rc = -EFAULT;
-+ }
- }
-
-- if (detect_info_size > sizeof(struct usm_session_cmd_detect_info))
-- kfree(p_usm_detect_info);
-+ kfree(p_allocated_memory);
-
- return rc;
- } /* usf_set_us_detection */
-@@ -947,16 +960,14 @@ static int usf_set_rx_info(struct usf_type *usf, unsigned long arg)
- if (rc)
- return rc;
-
-- if (usf_xx->buffer_size && usf_xx->buffer_count) {
-- rc = q6usm_us_client_buf_alloc(
-- IN,
-- usf_xx->usc,
-- usf_xx->buffer_size,
-- usf_xx->buffer_count);
-- if (rc) {
-- (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-- return rc;
-- }
-+ rc = q6usm_us_client_buf_alloc(
-+ IN,
-+ usf_xx->usc,
-+ usf_xx->buffer_size,
-+ usf_xx->buffer_count);
-+ if (rc) {
-+ (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
-+ return rc;
- }
-
- rc = q6usm_dec_cfg_blk(usf_xx->usc,
-@@ -1175,10 +1186,15 @@ static int usf_get_version(unsigned long arg)
- return -EFAULT;
- }
-
-- /* version_info.buf is pointer to place for the version string */
-+ if (version_info.buf_size < sizeof(DRV_VERSION)) {
-+ pr_err("%s: buf_size (%d) < version string size (%d)\n",
-+ __func__, version_info.buf_size, sizeof(DRV_VERSION));
-+ return -EINVAL;
-+ }
-+
- rc = copy_to_user(version_info.pbuf,
- DRV_VERSION,
-- version_info.buf_size);
-+ sizeof(DRV_VERSION));
- if (rc) {
- pr_err("%s: copy to version_info.pbuf; rc=%d\n",
- __func__, rc);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-2041/1.patch b/Patches/Linux_CVEs/CVE-2015-2041/1.patch
deleted file mode 100644
index 5cf3aecf..00000000
--- a/Patches/Linux_CVEs/CVE-2015-2041/1.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 88fe14be08a475ad0eea4ca7c51f32437baf41af Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 23 Jan 2015 20:47:00 -0500
-Subject: net: llc: use correct size for sysctl timeout entries
-
-commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
-
-The timeout entries are sizeof(int) rather than sizeof(long), which
-means that when they were getting read we'd also leak kernel memory
-to userspace along with the timeout values.
-
-Signed-off-by: Sasha Levin
-Signed-off-by: David S. Miller
-Signed-off-by: Ben Hutchings
----
- net/llc/sysctl_net_llc.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
-index e2ebe35..be078ec 100644
---- a/net/llc/sysctl_net_llc.c
-+++ b/net/llc/sysctl_net_llc.c
-@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = {
- {
- .procname = "ack",
- .data = &sysctl_llc2_ack_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "busy",
- .data = &sysctl_llc2_busy_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "p",
- .data = &sysctl_llc2_p_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_p_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
- {
- .procname = "rej",
- .data = &sysctl_llc2_rej_timeout,
-- .maxlen = sizeof(long),
-+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2015-8830/1.patch b/Patches/Linux_CVEs/CVE-2015-8830/1.patch
deleted file mode 100644
index 7b75df93..00000000
--- a/Patches/Linux_CVEs/CVE-2015-8830/1.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Mon, 21 May 2012 16:06:20 -0700
-Subject: vfs: make AIO use the proper rw_verify_area() area helpers
-
-We had for some reason overlooked the AIO interface, and it didn't use
-the proper rw_verify_area() helper function that checks (for example)
-mandatory locking on the file, and that the size of the access doesn't
-cause us to overflow the provided offset limits etc.
-
-Instead, AIO did just the security_file_permission() thing (that
-rw_verify_area() also does) directly.
-
-This fixes it to do all the proper helper functions, which not only
-means that now mandatory file locking works with AIO too, we can
-actually remove lines of code.
-
-Reported-by: Manish Honap
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds
----
- fs/aio.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 67a6db3..e7f2fad 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
- if (ret < 0)
- goto out;
-
-+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
-+ if (ret < 0)
-+ goto out;
-+
- kiocb->ki_nr_segs = kiocb->ki_nbytes;
- kiocb->ki_cur_seg = 0;
- /* ki_nbytes/left now reflect bytes instead of segs */
-@@ -1467,11 +1471,17 @@ out:
- return ret;
- }
-
--static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
-+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
- {
-+ int bytes;
-+
-+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
-+ if (bytes < 0)
-+ return bytes;
-+
- kiocb->ki_iovec = &kiocb->ki_inline_vec;
- kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-- kiocb->ki_iovec->iov_len = kiocb->ki_left;
-+ kiocb->ki_iovec->iov_len = bytes;
- kiocb->ki_nr_segs = 1;
- kiocb->ki_cur_seg = 0;
- return 0;
-@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(READ, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
- kiocb->ki_left)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
-- ret = aio_setup_single_vector(kiocb);
-+ ret = aio_setup_single_vector(WRITE, file, kiocb);
- if (ret)
- break;
- ret = -EINVAL;
-@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_READ)))
- break;
-- ret = security_file_permission(file, MAY_READ);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(READ, kiocb, compat);
- if (ret)
- break;
-@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_WRITE)))
- break;
-- ret = security_file_permission(file, MAY_WRITE);
-- if (unlikely(ret))
-- break;
- ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
- if (ret)
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10229/0.patch b/Patches/Linux_CVEs/CVE-2016-10229/0.patch
deleted file mode 100644
index 1d12eaa4..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10229/0.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Wed, 30 Dec 2015 08:51:12 -0500
-Subject: udp: properly support MSG_PEEK with truncated buffers
-
-Backport of this upstream commit into stable kernels :
-89c22d8c3b27 ("net: Fix skb csum races when peeking")
-exposed a bug in udp stack vs MSG_PEEK support, when user provides
-a buffer smaller than skb payload.
-
-In this case,
-skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov);
-returns -EFAULT.
-
-This bug does not happen in upstream kernels since Al Viro did a great
-job to replace this into :
-skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
-This variant is safe vs short buffers.
-
-For the time being, instead reverting Herbert Xu patch and add back
-skb->ip_summed invalid changes, simply store the result of
-udp_lib_checksum_complete() so that we avoid computing the checksum a
-second time, and avoid the problematic
-skb_copy_and_csum_datagram_iovec() call.
-
-This patch can be applied on recent kernels as it avoids a double
-checksumming, then backported to stable kernels as a bug fix.
-
-Signed-off-by: Eric Dumazet
-Acked-by: Herbert Xu
-Signed-off-by: David S. Miller
----
- net/ipv4/udp.c | 6 ++++--
- net/ipv6/udp.c | 6 ++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 8841e98..ac14ae4 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
- int peeked, off = 0;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- bool slow;
-
- if (flags & MSG_ERRQUEUE)
-@@ -1296,11 +1297,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
- msg, copied);
- else {
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 9da3287..00775ee 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
- int peeked, off = 0;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- int is_udp4;
- bool slow;
-
-@@ -433,11 +434,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
- msg, copied);
- else {
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-10296/0.patch b/Patches/Linux_CVEs/CVE-2016-10296/0.patch
deleted file mode 100644
index ac233c61..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10296/0.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From a5e46d8635a2e28463b365aacdeab6750abd0d49 Mon Sep 17 00:00:00 2001
-From: Sahitya Tummala
-Date: Fri, 3 Feb 2017 13:24:19 +0530
-Subject: uio: fix potential use after free issue when accessing debug_buffer
-
-The variable debug_buffer is a global variable which is allocated
-and free'd when open/close is called on debugfs file -
-"/sys/kernel/debug/rmt_storage/info". The current code doesn't
-have locks to handle concurrent accesses to the above file.
-This results into use after free issue when debug_buffer is
-accessed by two threads at the same time. Fix this by adding
-a mutex lock to protect this global variable.
-
-Change-Id: I6bc3f0ae2d7fca3ca9fe8561612f5863b6c3268a
-Signed-off-by: Sahitya Tummala
----
- drivers/uio/msm_sharedmem/sharedmem_qmi.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/uio/msm_sharedmem/sharedmem_qmi.c b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-index 48fb17e..fd95dee 100644
---- a/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-+++ b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -223,6 +223,7 @@ static int sharedmem_qmi_req_cb(struct qmi_handle *handle, void *conn_h,
- #define DEBUG_BUF_SIZE (2048)
- static char *debug_buffer;
- static u32 debug_data_size;
-+static struct mutex dbg_buf_lock; /* mutex for debug_buffer */
-
- static ssize_t debug_read(struct file *file, char __user *buf,
- size_t count, loff_t *file_pos)
-@@ -279,21 +280,29 @@ static int debug_open(struct inode *inode, struct file *file)
- {
- u32 buffer_size;
-
-- if (debug_buffer != NULL)
-+ mutex_lock(&dbg_buf_lock);
-+ if (debug_buffer != NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -EBUSY;
-+ }
- buffer_size = DEBUG_BUF_SIZE;
- debug_buffer = kzalloc(buffer_size, GFP_KERNEL);
-- if (debug_buffer == NULL)
-+ if (debug_buffer == NULL) {
-+ mutex_unlock(&dbg_buf_lock);
- return -ENOMEM;
-+ }
- debug_data_size = fill_debug_info(debug_buffer, buffer_size);
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
- static int debug_close(struct inode *inode, struct file *file)
- {
-+ mutex_lock(&dbg_buf_lock);
- kfree(debug_buffer);
- debug_buffer = NULL;
- debug_data_size = 0;
-+ mutex_unlock(&dbg_buf_lock);
- return 0;
- }
-
-@@ -324,6 +333,7 @@ static void debugfs_init(void)
- {
- struct dentry *f_ent;
-
-+ mutex_init(&dbg_buf_lock);
- dir_ent = debugfs_create_dir("rmt_storage", NULL);
- if (IS_ERR(dir_ent)) {
- pr_err("Failed to create debug_fs directory\n");
-@@ -352,6 +362,7 @@ static void debugfs_init(void)
- static void debugfs_exit(void)
- {
- debugfs_remove_recursive(dir_ent);
-+ mutex_destroy(&dbg_buf_lock);
- }
-
- static void sharedmem_qmi_svc_recv_msg(struct work_struct *work)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-2185/1.patch b/Patches/Linux_CVEs/CVE-2016-2185/1.patch
deleted file mode 100644
index 9cf00e3d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2185/1.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 37735ed2c8c12e9671a3742d6b9028bad43852df Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Wed, 23 Mar 2016 11:53:46 -0700
-Subject: [PATCH] Input: ati_remote2 - fix crashes on detecting device with
- invalid descriptor
-
-[ Upstream commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d ]
-
-The ati_remote2 driver expects at least two interfaces with one
-endpoint each. If given malicious descriptor that specify one
-interface or no endpoints, it will crash in the probe function.
-Ensure there is at least two interfaces and one endpoint for each
-interface before using it.
-
-The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Sasha Levin
----
- drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
- 1 file changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
-index f63341f20b91a..e8c6a4842e91c 100644
---- a/drivers/input/misc/ati_remote2.c
-+++ b/drivers/input/misc/ati_remote2.c
-@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- ar2->udev = udev;
-
-+ /* Sanity check, first interface must have an endpoint */
-+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
-+ dev_err(&interface->dev,
-+ "%s(): interface 0 must have an endpoint\n", __func__);
-+ r = -ENODEV;
-+ goto fail1;
-+ }
- ar2->intf[0] = interface;
- ar2->ep[0] = &alt->endpoint[0].desc;
-
-+ /* Sanity check, the device must have two interfaces */
- ar2->intf[1] = usb_ifnum_to_if(udev, 1);
-+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
-+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
-+ __func__, udev->actconfig->desc.bNumInterfaces);
-+ r = -ENODEV;
-+ goto fail1;
-+ }
-+
- r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
- if (r)
- goto fail1;
-+
-+ /* Sanity check, second interface must have an endpoint */
- alt = ar2->intf[1]->cur_altsetting;
-+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
-+ dev_err(&interface->dev,
-+ "%s(): interface 1 must have an endpoint\n", __func__);
-+ r = -ENODEV;
-+ goto fail2;
-+ }
- ar2->ep[1] = &alt->endpoint[0].desc;
-
- r = ati_remote2_urb_init(ar2);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- ar2->channel_mask = channel_mask;
- ar2->mode_mask = mode_mask;
-
- r = ati_remote2_setup(ar2, ar2->channel_mask);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
- strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
-@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
- if (r)
-- goto fail2;
-+ goto fail3;
-
- r = ati_remote2_input_init(ar2);
- if (r)
-- goto fail3;
-+ goto fail4;
-
- usb_set_intfdata(interface, ar2);
-
-@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
-
- return 0;
-
-- fail3:
-+ fail4:
- sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
-- fail2:
-+ fail3:
- ati_remote2_urb_cleanup(ar2);
-+ fail2:
- usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
- fail1:
- kfree(ar2);
diff --git a/Patches/Linux_CVEs/CVE-2016-2186/1.patch b/Patches/Linux_CVEs/CVE-2016-2186/1.patch
deleted file mode 100644
index e0bca0ae..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2186/1.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From b684cb33d6867e10ba45375a12ef9f3ceb6f0aa7 Mon Sep 17 00:00:00 2001
-From: Josh Boyer
-Date: Mon, 14 Mar 2016 09:33:40 -0700
-Subject: [PATCH] Input: powermate - fix oops with malicious USB descriptors
-
-[ Upstream commit 9c6ba456711687b794dcf285856fc14e2c76074f ]
-
-The powermate driver expects at least one valid USB endpoint in its
-probe function. If given malicious descriptors that specify 0 for
-the number of endpoints, it will crash. Validate the number of
-endpoints on the interface before using them.
-
-The full report for this issue can be found here:
-http://seclists.org/bugtraq/2016/Mar/85
-
-Reported-by: Ralf Spenneberg
-Cc: stable
-Signed-off-by: Josh Boyer
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Sasha Levin
----
- drivers/input/misc/powermate.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
-index 63b539d3dabae..84909a12ff36c 100644
---- a/drivers/input/misc/powermate.c
-+++ b/drivers/input/misc/powermate.c
-@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
- int error = -ENOMEM;
-
- interface = intf->cur_altsetting;
-+ if (interface->desc.bNumEndpoints < 1)
-+ return -EINVAL;
-+
- endpoint = &interface->endpoint[0].desc;
- if (!usb_endpoint_is_int_in(endpoint))
- return -EIO;
diff --git a/Patches/Linux_CVEs/CVE-2016-2187/0.patch b/Patches/Linux_CVEs/CVE-2016-2187/0.patch
deleted file mode 100644
index d6b97d0d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2187/0.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
-From: Vladis Dronov
-Date: Thu, 31 Mar 2016 10:53:42 -0700
-Subject: Input: gtco - fix crash on detecting device without endpoints
-
-The gtco driver expects at least one valid endpoint. If given malicious
-descriptors that specify 0 for the number of endpoints, it will crash in
-the probe function. Ensure there is at least one endpoint on the interface
-before using it.
-
-Also let's fix a minor coding style issue.
-
-The full correct report of this issue can be found in the public
-Red Hat Bugzilla:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1283385
-
-Reported-by: Ralf Spenneberg
-Signed-off-by: Vladis Dronov
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/tablet/gtco.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
-index 3a7f3a4..7c18249 100644
---- a/drivers/input/tablet/gtco.c
-+++ b/drivers/input/tablet/gtco.c
-@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
- goto err_free_buf;
- }
-
-+ /* Sanity check that a device has an endpoint */
-+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
-+ dev_err(&usbinterface->dev,
-+ "Invalid number of endpoints\n");
-+ error = -EINVAL;
-+ goto err_free_urb;
-+ }
-+
- /*
- * The endpoint is always altsetting 0, we know this since we know
- * this device only has one interrupt endpoint
-@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
- * HID report descriptor
- */
- if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
-- HID_DEVICE_TYPE, &hid_desc) != 0){
-+ HID_DEVICE_TYPE, &hid_desc) != 0) {
- dev_err(&usbinterface->dev,
- "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
- error = -EIO;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3136/1.patch b/Patches/Linux_CVEs/CVE-2016-3136/1.patch
deleted file mode 100644
index 52e03439..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3136/1.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2633b8df3dff0377066fb32feb8ef06ae834d7ff Mon Sep 17 00:00:00 2001
-From: Badhri Jagan Sridharan
-Date: Tue, 30 Aug 2016 13:33:55 -0700
-Subject: UPSTREAM: USB: mct_u232: add sanity checking in probe
-
-commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
-
-An attack using the lack of sanity checking in probe is known. This
-patch checks for the existence of a second port.
-
-CVE-2016-3136
-BUG: 28242610
-Signed-off-by: Oliver Neukum
-[johan: add error message ]
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
-Signed-off-by: Badhri Jagan Sridharan
-Change-Id: I284ad648c2087c34a098d67e0cc6d948a568413c
----
- drivers/usb/serial/mct_u232.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
-index 6a15adf..c14c29f 100644
---- a/drivers/usb/serial/mct_u232.c
-+++ b/drivers/usb/serial/mct_u232.c
-@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port,
-
- static int mct_u232_port_probe(struct usb_serial_port *port)
- {
-+ struct usb_serial *serial = port->serial;
- struct mct_u232_private *priv;
-
-+ /* check first to simplify error handling */
-+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
-+ dev_err(&port->dev, "expected endpoint missing\n");
-+ return -ENODEV;
-+ }
-+
- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
-
- /* Use second interrupt-in endpoint for reading. */
-- priv->read_urb = port->serial->port[1]->interrupt_in_urb;
-+ priv->read_urb = serial->port[1]->interrupt_in_urb;
- priv->read_urb->context = port;
-
- spin_lock_init(&priv->lock);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3137/1.patch b/Patches/Linux_CVEs/CVE-2016-3137/1.patch
deleted file mode 100644
index 9e9f9b88..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3137/1.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 7a17891b0194ba11f7ee15a18e545808b0d27495 Mon Sep 17 00:00:00 2001
-From: Badhri Jagan Sridharan
-Date: Mon, 29 Aug 2016 17:33:52 -0700
-Subject: UPSTREAM: USB: cypress_m8: add endpoint sanity check
-
-commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.
-
-An attack using missing endpoints exists.
-
-CVE-2016-3137
-
-BUG: 28242610
-Signed-off-by: Oliver Neukum
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Badhri Jagan Sridharan
-Change-Id: I1cc7957a5924175d24f12fdc41162ece67c907e5
----
- drivers/usb/serial/cypress_m8.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
-index 08212019..09f0f63 100644
---- a/drivers/usb/serial/cypress_m8.c
-+++ b/drivers/usb/serial/cypress_m8.c
-@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
- struct usb_serial *serial = port->serial;
- struct cypress_private *priv;
-
-+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
-+ dev_err(&port->dev, "required endpoint is missing\n");
-+ return -ENODEV;
-+ }
-+
- priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
-@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
- cypress_set_termios(tty, port, &priv->tmp_termios);
-
- /* setup the port and start reading from the device */
-- if (!port->interrupt_in_urb) {
-- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
-- __func__);
-- return -1;
-- }
--
- usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
- usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
- port->interrupt_in_urb->transfer_buffer,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3138/1.patch b/Patches/Linux_CVEs/CVE-2016-3138/1.patch
deleted file mode 100644
index eee71747..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3138/1.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 801c5f937ef7edb23e411bc00d3695496b89dca2 Mon Sep 17 00:00:00 2001
-From: Badhri Jagan Sridharan
-Date: Tue, 30 Aug 2016 13:39:02 -0700
-Subject: UPSTREAM: USB: cdc-acm: more sanity checking
-
-commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.
-
-An attack has become available which pretends to be a quirky
-device circumventing normal sanity checks and crashes the kernel
-by an insufficient number of interfaces. This patch adds a check
-to the code path for quirky devices.
-
-BUG: 28242610
-
-Signed-off-by: Oliver Neukum
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Badhri Jagan Sridharan
-Change-Id: I9a5f7f3c704b65e866335054f470451fcfae9d1c
----
- drivers/usb/class/cdc-acm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
-index 9b1cbcf..f519d28 100644
---- a/drivers/usb/class/cdc-acm.c
-+++ b/drivers/usb/class/cdc-acm.c
-@@ -972,6 +972,9 @@ static int acm_probe(struct usb_interface *intf,
- if (quirks == NO_UNION_NORMAL) {
- data_interface = usb_ifnum_to_if(usb_dev, 1);
- control_interface = usb_ifnum_to_if(usb_dev, 0);
-+ /* we would crash */
-+ if (!data_interface || !control_interface)
-+ return -ENODEV;
- goto skip_normal_probe;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3140/1.patch b/Patches/Linux_CVEs/CVE-2016-3140/1.patch
deleted file mode 100644
index bd2011bc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3140/1.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 129e6372f40a423bcded0a6dae547205edf652fb Mon Sep 17 00:00:00 2001
-From: Oliver Neukum
-Date: Thu, 31 Mar 2016 12:04:26 -0400
-Subject: USB: digi_acceleport: do sanity checking for the number of ports
-
-commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
-
-The driver can be crashed with devices that expose crafted descriptors
-with too few endpoints.
-
-See: http://seclists.org/bugtraq/2016/Mar/61
-
-Signed-off-by: Oliver Neukum
-[johan: fix OOB endpoint check and add error messages ]
-Cc: stable
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Willy Tarreau
----
- drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
-index 7b807d3..8c34d9c 100644
---- a/drivers/usb/serial/digi_acceleport.c
-+++ b/drivers/usb/serial/digi_acceleport.c
-@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
-
- static int digi_startup(struct usb_serial *serial)
- {
-+ struct device *dev = &serial->interface->dev;
- struct digi_serial *serial_priv;
- int ret;
-+ int i;
-+
-+ /* check whether the device has the expected number of endpoints */
-+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
-+ dev_err(dev, "OOB endpoints missing\n");
-+ return -ENODEV;
-+ }
-+
-+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
-+ if (!serial->port[i]->read_urb) {
-+ dev_err(dev, "bulk-in endpoint missing\n");
-+ return -ENODEV;
-+ }
-+ if (!serial->port[i]->write_urb) {
-+ dev_err(dev, "bulk-out endpoint missing\n");
-+ return -ENODEV;
-+ }
-+ }
-
- serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
- if (!serial_priv)
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-3689/1.patch b/Patches/Linux_CVEs/CVE-2016-3689/1.patch
deleted file mode 100644
index abc036f7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3689/1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 7ca573e32c0a6634d679540314a80d235f224bfb Mon Sep 17 00:00:00 2001
-From: Oliver Neukum
-Date: Thu, 17 Mar 2016 14:00:17 -0700
-Subject: [PATCH] Input: ims-pcu - sanity check against missing interfaces
-
-[ Upstream commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff ]
-
-A malicious device missing interface can make the driver oops.
-Add sanity checking.
-
-Signed-off-by: Oliver Neukum
-CC: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Sasha Levin
----
- drivers/input/misc/ims-pcu.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
-index afed8e2b2f944..41ef29b516f35 100644
---- a/drivers/input/misc/ims-pcu.c
-+++ b/drivers/input/misc/ims-pcu.c
-@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
-
- pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
- union_desc->bMasterInterface0);
-+ if (!pcu->ctrl_intf)
-+ return -EINVAL;
-
- alt = pcu->ctrl_intf->cur_altsetting;
- pcu->ep_ctrl = &alt->endpoint[0].desc;
-@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
-
- pcu->data_intf = usb_ifnum_to_if(pcu->udev,
- union_desc->bSlaveInterface0);
-+ if (!pcu->data_intf)
-+ return -EINVAL;
-
- alt = pcu->data_intf->cur_altsetting;
- if (alt->desc.bNumEndpoints != 2) {
diff --git a/Patches/Linux_CVEs/CVE-2016-3855/0.patch b/Patches/Linux_CVEs/CVE-2016-3855/0.patch
deleted file mode 100644
index 24f90187..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3855/0.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From ab3f46119ca10de87a11fe966b0723c48f27acd4 Mon Sep 17 00:00:00 2001
-From: Manaf Meethalavalappu Pallikunhi
-Date: Wed, 30 Mar 2016 17:12:16 +0530
-Subject: msm: limits: Check user buffer size before copying to local buffer
-
-User input data is passed in from userspace through debugfs interface
-of supply lm core to validate supply lm core functionality. Ensure
-user buffer size is not greater than expected stack buffer size
-to avoid out of bounds array accesses.
-
-Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
-Signed-off-by: Manaf Meethalavalappu Pallikunhi
----
- drivers/thermal/supply_lm_core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/thermal/supply_lm_core.c b/drivers/thermal/supply_lm_core.c
-index fc8e807..a4d137f 100644
---- a/drivers/thermal/supply_lm_core.c
-+++ b/drivers/thermal/supply_lm_core.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -303,6 +303,11 @@ static ssize_t supply_lm_input_write(struct file *fp,
- enum corner_state gpu;
- enum corner_state modem;
-
-+ if (count > (MODE_MAX - 1)) {
-+ pr_err("Invalid user input\n");
-+ return -EINVAL;
-+ }
-+
- if (copy_from_user(&buf, user_buffer, count))
- return -EFAULT;
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-5861/2.patch b/Patches/Linux_CVEs/CVE-2016-5861/2.patch
deleted file mode 100644
index 912d44a7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5861/2.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From bfc6eee5e30a0c20bc37495233506f4f0cc4991d Mon Sep 17 00:00:00 2001
-From: Ping Li
-Date: Thu, 3 Oct 2013 20:01:52 -0400
-Subject: msm: mdss: Replace the size check for gamut LUTs
-
-Add more reliable size check for gamut LUTs to prevent potential
-security issues such as information leak.
-
-Change-Id: I32be41a2612a100b9ba6167737c2f8778f720fa2
-Signed-off-by: Ping Li
----
- drivers/video/msm/mdss/mdss_mdp_pp.c | 33 +++++++++++++++++++++++++++++----
- 1 file changed, 29 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
-index ed95030..1d8430e 100644
---- a/drivers/video/msm/mdss/mdss_mdp_pp.c
-+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
-@@ -295,6 +295,10 @@ static void pp_update_argc_lut(char __iomem *addr,
- struct mdp_pgc_lut_data *config);
- static void pp_update_hist_lut(char __iomem *base,
- struct mdp_hist_lut_data *cfg);
-+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config);
-+static void pp_gamut_config(struct mdp_gamut_cfg_data *gamut_cfg,
-+ char __iomem *base,
-+ struct pp_sts_type *pp_sts);
- static void pp_pa_config(unsigned long flags, char __iomem *addr,
- struct pp_sts_type *pp_sts,
- struct mdp_pa_cfg *pa_config);
-@@ -2086,10 +2090,32 @@ int mdss_mdp_dither_config(struct mdp_dither_cfg_data *config,
- return 0;
- }
-
-+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config)
-+{
-+ if (config->tbl_size[0] != GAMUT_T0_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[1] != GAMUT_T1_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[2] != GAMUT_T2_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[3] != GAMUT_T3_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[4] != GAMUT_T4_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[5] != GAMUT_T5_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[6] != GAMUT_T6_SIZE)
-+ return -EINVAL;
-+ if (config->tbl_size[7] != GAMUT_T7_SIZE)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+
- int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
- u32 *copyback)
- {
-- int i, j, size_total = 0, ret = 0;
-+ int i, j, ret = 0;
-
- u32 disp_num, dspp_num = 0;
- uint16_t *tbl_off;
-@@ -2102,9 +2128,8 @@ int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
- if ((config->block < MDP_LOGICAL_BLOCK_DISP_0) ||
- (config->block >= MDP_BLOCK_MAX))
- return -EINVAL;
-- for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++)
-- size_total += config->tbl_size[i];
-- if (size_total != GAMUT_TOTAL_TABLE_SIZE)
-+
-+ if (pp_gm_has_invalid_lut_size(config))
- return -EINVAL;
-
- mutex_lock(&mdss_pp_mutex);
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-6681/0.patch b/Patches/Linux_CVEs/CVE-2016-6681/0.patch
deleted file mode 100644
index f827297d..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6681/0.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f3a55611dc1c0363374ad92eb52b6ee09bf5ff49 Mon Sep 17 00:00:00 2001
-From: vivek mehta
-Date: Thu, 11 Aug 2016 13:27:32 -0700
-Subject: [PATCH] misc: qcom: qdsp6v2: Add missing initialization
-
-Use variables in driver context after proper initialization
-
-Bug: 30152182 30152501
-Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6
-Signed-off-by: Haynes Mathew George
-Signed-off-by: vivek mehta
----
- drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++-
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-index 2206a3461cc0d..ac56464683600 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2010-2014, 2016, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -593,6 +593,7 @@ long audio_in_compat_ioctl(struct file *file,
- }
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 11d890d443007..d444742c603cb 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1877,6 +1877,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- case AUDIO_GET_CONFIG_32: {
- struct msm_audio_config32 cfg_32;
- mutex_lock(&audio->lock);
-+ memset(&cfg_32, 0, sizeof(cfg_32));
- cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
- cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
- cfg_32.channel_count = audio->pcm_cfg.channel_count;
diff --git a/Patches/Linux_CVEs/CVE-2016-6786/0.patch b/Patches/Linux_CVEs/CVE-2016-6786/0.patch
deleted file mode 100644
index 280b6064..00000000
--- a/Patches/Linux_CVEs/CVE-2016-6786/0.patch
+++ /dev/null
@@ -1,505 +0,0 @@ -From f63a8daa5812afef4f06c962351687e1ff9ccb2b Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Fri, 23 Jan 2015 12:24:14 +0100 -Subject: perf: Fix event->ctx locking - -There have been a few reported issues wrt. the lack of locking around -changing event->ctx. This patch tries to address those. - -It avoids the whole rwsem thing; and while it appears to work, please -give it some thought in review. - -What I did fail at is sensible runtime checks on the use of -event->ctx, the RCU use makes it very hard. - -Signed-off-by: Peter Zijlstra (Intel) -Cc: Paul E. McKenney -Cc: Jiri Olsa -Cc: Arnaldo Carvalho de Melo -Cc: Linus Torvalds -Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org -Signed-off-by: Ingo Molnar ---- - kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 207 insertions(+), 37 deletions(-) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index b358cb3..417a96b 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -907,6 +907,77 @@ static void put_ctx(struct perf_event_context *ctx) - } - - /* -+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group and -+ * perf_pmu_migrate_context() we need some magic. -+ * -+ * Those places that change perf_event::ctx will hold both -+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value. -+ * -+ * Lock ordering is by mutex address. There is one other site where -+ * perf_event_context::mutex nests and that is put_event(). But remember that -+ * that is a parent<->child context relation, and migration does not affect -+ * children, therefore these two orderings should not interact. -+ * -+ * The change in perf_event::ctx does not affect children (as claimed above) -+ * because the sys_perf_event_open() case will install a new event and break -+ * the ctx parent<->child relation, and perf_pmu_migrate_context() is only -+ * concerned with cpuctx and that doesn't have children. 
-+ * -+ * The places that change perf_event::ctx will issue: -+ * -+ * perf_remove_from_context(); -+ * synchronize_rcu(); -+ * perf_install_in_context(); -+ * -+ * to affect the change. The remove_from_context() + synchronize_rcu() should -+ * quiesce the event, after which we can install it in the new location. This -+ * means that only external vectors (perf_fops, prctl) can perturb the event -+ * while in transit. Therefore all such accessors should also acquire -+ * perf_event_context::mutex to serialize against this. -+ * -+ * However; because event->ctx can change while we're waiting to acquire -+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock() -+ * function. -+ * -+ * Lock order: -+ * task_struct::perf_event_mutex -+ * perf_event_context::mutex -+ * perf_event_context::lock -+ * perf_event::child_mutex; -+ * perf_event::mmap_mutex -+ * mmap_sem -+ */ -+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event) -+{ -+ struct perf_event_context *ctx; -+ -+again: -+ rcu_read_lock(); -+ ctx = ACCESS_ONCE(event->ctx); -+ if (!atomic_inc_not_zero(&ctx->refcount)) { -+ rcu_read_unlock(); -+ goto again; -+ } -+ rcu_read_unlock(); -+ -+ mutex_lock(&ctx->mutex); -+ if (event->ctx != ctx) { -+ mutex_unlock(&ctx->mutex); -+ put_ctx(ctx); -+ goto again; -+ } -+ -+ return ctx; -+} -+ -+static void perf_event_ctx_unlock(struct perf_event *event, -+ struct perf_event_context *ctx) -+{ -+ mutex_unlock(&ctx->mutex); -+ put_ctx(ctx); -+} -+ -+/* - * This must be done under the ctx->lock, such as to serialize against - * context_equiv(), therefore we cannot call put_ctx() since that might end up - * calling scheduler related locks and ctx->lock nests inside those. -@@ -1666,7 +1737,7 @@ int __perf_event_disable(void *info) - * is the current context on this CPU and preemption is disabled, - * hence we can't get into perf_event_task_sched_out for this context. 
- */
--void perf_event_disable(struct perf_event *event)
-+static void _perf_event_disable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1707,6 +1778,19 @@ retry:
- }
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * Strictly speaking kernel users cannot create groups and therefore this
-+ * interface does not need the perf_event_ctx_lock() magic.
-+ */
-+void perf_event_disable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_disable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_disable);
-
- static void perf_set_shadow_time(struct perf_event *event,
-@@ -2170,7 +2254,7 @@ unlock:
- * perf_event_for_each_child or perf_event_for_each as described
- * for perf_event_disable.
- */
--void perf_event_enable(struct perf_event *event)
-+static void _perf_event_enable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -2226,9 +2310,21 @@ retry:
- out:
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * See perf_event_disable();
-+ */
-+void perf_event_enable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_enable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_enable);
-
--int perf_event_refresh(struct perf_event *event, int refresh)
-+static int _perf_event_refresh(struct perf_event *event, int refresh)
- {
- /*
- * not supported on inherited events
-@@ -2237,10 +2333,25 @@ int perf_event_refresh(struct perf_event *event, int refresh)
- return -EINVAL;
-
- atomic_add(refresh, &event->event_limit);
-- perf_event_enable(event);
-+ _perf_event_enable(event);
-
- return 0;
- }
-+
-+/*
-+ * See perf_event_disable()
-+ */
-+int perf_event_refresh(struct perf_event *event, int refresh)
-+{
-+ struct perf_event_context *ctx;
-+ int ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_event_refresh(event, refresh);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
- EXPORT_SYMBOL_GPL(perf_event_refresh);
-
- static void ctx_sched_out(struct perf_event_context *ctx,
-@@ -3433,7 +3544,16 @@ static void perf_remove_from_owner(struct perf_event *event)
- rcu_read_unlock();
-
- if (owner) {
-- mutex_lock(&owner->perf_event_mutex);
-+ /*
-+ * If we're here through perf_event_exit_task() we're already
-+ * holding ctx->mutex which would be an inversion wrt. the
-+ * normal lock order.
-+ *
-+ * However we can safely take this lock because its the child
-+ * ctx->mutex.
-+ */
-+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
-+
- /*
- * We have to re-check the event->owner field, if it is cleared
- * we raced with perf_event_exit_task(), acquiring the mutex
-@@ -3559,12 +3679,13 @@ static int perf_event_read_group(struct perf_event *event,
- u64 read_format, char __user *buf)
- {
- struct perf_event *leader = event->group_leader, *sub;
-- int n = 0, size = 0, ret = -EFAULT;
- struct perf_event_context *ctx = leader->ctx;
-- u64 values[5];
-+ int n = 0, size = 0, ret;
- u64 count, enabled, running;
-+ u64 values[5];
-+
-+ lockdep_assert_held(&ctx->mutex);
-
-- mutex_lock(&ctx->mutex);
- count = perf_event_read_value(leader, &enabled, &running);
-
- values[n++] = 1 + leader->nr_siblings;
-@@ -3579,7 +3700,7 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf, values, size))
-- goto unlock;
-+ return -EFAULT;
-
- ret = size;
-
-@@ -3593,14 +3714,11 @@ static int perf_event_read_group(struct perf_event *event,
- size = n * sizeof(u64);
-
- if (copy_to_user(buf + ret, values, size)) {
-- ret = -EFAULT;
-- goto unlock;
-+ return -EFAULT;
- }
-
- ret += size;
- }
--unlock:
-- mutex_unlock(&ctx->mutex);
-
- return ret;
- }
-@@ -3672,8 +3790,14 @@ static ssize_t
- perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
- {
- struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ int ret;
-
-- return perf_read_hw(event, buf, count);
-+ ctx = perf_event_ctx_lock(event);
-+ ret = perf_read_hw(event, buf, count);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
- }
-
- static unsigned int perf_poll(struct file *file, poll_table *wait)
-@@ -3699,7 +3823,7 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
- return events;
- }
-
--static void perf_event_reset(struct perf_event *event)
-+static void _perf_event_reset(struct perf_event *event)
- {
- (void)perf_event_read(event);
- local64_set(&event->count, 0);
-@@ -3718,6 +3842,7 @@ static void perf_event_for_each_child(struct perf_event *event,
- struct perf_event *child;
-
- WARN_ON_ONCE(event->ctx->parent_ctx);
-+
- mutex_lock(&event->child_mutex);
- func(event);
- list_for_each_entry(child, &event->child_list, child_list)
-@@ -3731,14 +3856,13 @@ static void perf_event_for_each(struct perf_event *event,
- struct perf_event_context *ctx = event->ctx;
- struct perf_event *sibling;
-
-- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-+ lockdep_assert_held(&ctx->mutex);
-+
- event = event->group_leader;
-
- perf_event_for_each_child(event, func);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
- perf_event_for_each_child(sibling, func);
-- mutex_unlock(&ctx->mutex);
- }
-
- static int perf_event_period(struct perf_event *event, u64 __user *arg)
-@@ -3808,25 +3932,24 @@ static int perf_event_set_output(struct perf_event *event,
- struct perf_event *output_event);
- static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-
--static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
- {
-- struct perf_event *event = file->private_data;
- void (*func)(struct perf_event *);
- u32 flags = arg;
-
- switch (cmd) {
- case PERF_EVENT_IOC_ENABLE:
-- func = perf_event_enable;
-+ func = _perf_event_enable;
- break;
- case PERF_EVENT_IOC_DISABLE:
-- func = perf_event_disable;
-+ func = _perf_event_disable;
- break;
- case PERF_EVENT_IOC_RESET:
-- func = perf_event_reset;
-+ func = _perf_event_reset;
- break;
-
- case PERF_EVENT_IOC_REFRESH:
-- return perf_event_refresh(event, arg);
-+ return _perf_event_refresh(event, arg);
-
- case PERF_EVENT_IOC_PERIOD:
- return perf_event_period(event, (u64 __user *)arg);
-@@ -3873,6 +3996,19 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- return 0;
- }
-
-+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ long ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_ioctl(event, cmd, arg);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
-+
- #ifdef CONFIG_COMPAT
- static long perf_compat_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
-@@ -3895,11 +4031,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd,
-
- int perf_event_task_enable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_enable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_enable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -3907,11 +4047,15 @@ int perf_event_task_enable(void)
-
- int perf_event_task_disable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_disable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_disable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -7269,6 +7413,15 @@ out:
- return ret;
- }
-
-+static void mutex_lock_double(struct mutex *a, struct mutex *b)
-+{
-+ if (b < a)
-+ swap(a, b);
-+
-+ mutex_lock(a);
-+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -7284,7 +7437,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx;
-+ struct perf_event_context *ctx, *uninitialized_var(gctx);
- struct file *event_file = NULL;
- struct fd group = {NULL, 0};
- struct task_struct *task = NULL;
-@@ -7482,9 +7635,14 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- struct perf_event_context *gctx = group_leader->ctx;
-+ gctx = group_leader->ctx;
-+
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-
-- mutex_lock(&gctx->mutex);
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -7499,15 +7657,19 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_event__state_init(sibling);
- put_ctx(gctx);
- }
-- mutex_unlock(&gctx->mutex);
-- put_ctx(gctx);
-+ } else {
-+ mutex_lock(&ctx->mutex);
- }
-
- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-
- if (move_group) {
-+ /*
-+ * Wait for everybody to stop referencing the events through
-+ * the old lists, before installing it on new lists.
-+ */
- synchronize_rcu();
-+
- perf_install_in_context(ctx, group_leader, group_leader->cpu);
- get_ctx(ctx);
- list_for_each_entry(sibling, &group_leader->sibling_list,
-@@ -7519,6 +7681,11 @@ SYSCALL_DEFINE5(perf_event_open,
-
- perf_install_in_context(ctx, event, event->cpu);
- perf_unpin_context(ctx);
-+
-+ if (move_group) {
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ }
- mutex_unlock(&ctx->mutex);
-
- put_online_cpus();
-@@ -7626,7 +7793,11 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx;
- dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx;
-
-- mutex_lock(&src_ctx->mutex);
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &src_ctx->event_list,
- event_entry) {
- perf_remove_from_context(event, false);
-@@ -7634,11 +7805,9 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- put_ctx(src_ctx);
- list_add(&event->migrate_entry, &events);
- }
-- mutex_unlock(&src_ctx->mutex);
-
- synchronize_rcu();
-
-- mutex_lock(&dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
-@@ -7648,6 +7817,7 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
- get_ctx(dst_ctx);
- }
- mutex_unlock(&dst_ctx->mutex);
-+ mutex_unlock(&src_ctx->mutex);
- }
- EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8391/0.patch b/Patches/Linux_CVEs/CVE-2016-8391/0.patch
deleted file mode 100644
index 01fe5416..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8391/0.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001
-From: Walter Yang
-Date: Wed, 28 Sep 2016 20:11:23 +0800
-Subject: ASoC: msm: lock read/write when add/free audio ion memory
-
-As read/write get access to ion memory region as well, it's
-necessary to lock them when ion memory is about to be added/freed
-to avoid racing cases.
-
-CRs-Fixed: 1071809
-Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
-Signed-off-by: Walter Yang
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 8041111..7a4bae3 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- struct q6audio_aio *audio = file->private_data;
- pr_debug("%s[%p]\n", __func__, audio);
- mutex_lock(&audio->lock);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- audio->wflush = 1;
- if (audio->enabled)
- audio_aio_flush(audio);
-@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
- wake_up(&audio->event_wait);
- audio_aio_reset_event_queue(audio);
- q6asm_audio_client_free(audio->ac);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- mutex_unlock(&audio->lock);
- mutex_destroy(&audio->lock);
- mutex_destroy(&audio->read_lock);
-@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
- __func__);
- rc = -EFAULT;
- } else {
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_add(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
-@@ -2013,7 +2029,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
- } else {
- info.fd = info_32.fd;
- info.vaddr = compat_ptr(info_32.vaddr);
-+ mutex_lock(&audio->read_lock);
-+ mutex_lock(&audio->write_lock);
- rc = audio_aio_ion_remove(audio, &info);
-+ mutex_unlock(&audio->write_lock);
-+ mutex_unlock(&audio->read_lock);
- }
- mutex_unlock(&audio->lock);
- break;
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-8393/0.patch b/Patches/Linux_CVEs/CVE-2016-8393/0.patch
deleted file mode 100644
index e2c7abee..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8393/0.patch
+++ /dev/null
@@ -1,444 +0,0 @@
-From 9397e20764da2fdffdfe20e35cb78211753b83cc Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Wed, 14 Sep 2016 17:21:48 -0700
-Subject: [PATCH] input: synaptics: prevent sysfs races
-
-concurrent sysfs calls on the fw updater can cause
-ugly race conditions. Return EBUSY on concurrent sysfs calls.
-
-For sysfs calls which generate deferred work, prevent
-the deferred work from running concurrently with other
-sysfs calls.
-
-Change-Id: Ie33add946fbcca8309998e4cb7cb01525c667c7e
-Signed-off-by: Andrew Chant
-Bug: 31252388
----
- drivers/input/touchscreen/synaptics_fw_update.c | 144 ++++++++++++++++++------
- 1 file changed, 109 insertions(+), 35 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
-index 79b3a780550b8..ffa992b829a5a 100644
---- a/drivers/input/touchscreen/synaptics_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_fw_update.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -296,6 +297,7 @@ struct synaptics_rmi4_fwu_handle {
- static struct synaptics_rmi4_fwu_handle *fwu;
-
- DECLARE_COMPLETION(fwu_remove_complete);
-+DEFINE_MUTEX(fwu_sysfs_mutex);
-
- static unsigned int extract_uint(const unsigned char *ptr)
- {
-@@ -1713,34 +1715,47 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file,
- char *buf, loff_t pos, size_t count)
- {
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-+ ssize_t retval;
-+
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-
- if (count < fwu->config_size) {
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Not enough space (%zu bytes) in buffer\n",
- __func__, count);
-- return -EINVAL;
-+ retval = -EINVAL;
-+ goto show_image_exit;
- }
-
- memcpy(buf, fwu->read_config_buf, fwu->config_size);
--
-- return fwu->config_size;
-+ retval = fwu->config_size;
-+show_image_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
-+ return retval;
- }
-
- static ssize_t fwu_sysfs_store_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count)
- {
-+ ssize_t retval;
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-+
- if (!fwu->ext_data_source) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "Cannot use this without setting imagesize!\n");
-- return -EAGAIN;
-+ retval = -EAGAIN;
-+ goto store_image_exit;
- }
-
- if (count > fwu->image_size - fwu->data_pos) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "%s: Not enough space in buffer\n",
- __func__);
-- return -EINVAL;
-+ retval = -EINVAL;
-+ goto store_image_exit;
- }
-
- memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]),
-@@ -1749,8 +1764,11 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file,
-
- fwu->data_buffer = fwu->ext_data_source;
- fwu->data_pos += count;
-+ retval = count;
-
-- return count;
-+store_image_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
-+ return retval;
- }
-
- static ssize_t fwu_sysfs_image_name_store(struct device *dev,
-@@ -1758,11 +1776,15 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev,
- {
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
- char *strptr;
-+ ssize_t retval;
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-
- if (count >= NAME_BUFFER_SIZE) {
- dev_err(&rmi4_data->i2c_client->dev,
- "Input over %d characters long\n", NAME_BUFFER_SIZE);
-- return -EINVAL;
-+ retval = -EINVAL;
-+ goto image_name_store_exit;
- }
-
- strptr = strnstr(buf, ".img",
-@@ -1770,21 +1792,32 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev,
- if (!strptr) {
- dev_err(&rmi4_data->i2c_client->dev,
- "Input is not valid .img file\n");
-- return -EINVAL;
-+ retval = -EINVAL;
-+ goto image_name_store_exit;
- }
-
- strlcpy(rmi4_data->fw_image_name, buf, count);
-- return count;
-+ retval = count;
-+
-+image_name_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
-+ return retval;
- }
-
- static ssize_t fwu_sysfs_image_name_show(struct device *dev,
- struct device_attribute *attr, char *buf)
- {
-+ ssize_t retval;
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
- if (strnlen(fwu->rmi4_data->fw_image_name, NAME_BUFFER_SIZE) > 0)
-- return snprintf(buf, PAGE_SIZE, "%s\n",
-+ retval = snprintf(buf, PAGE_SIZE, "%s\n",
- fwu->rmi4_data->fw_image_name);
- else
-- return snprintf(buf, PAGE_SIZE, "No firmware name given\n");
-+ retval = snprintf(buf, PAGE_SIZE, "No firmware name given\n");
-+
-+ mutex_unlock(&fwu_sysfs_mutex);
-+ return retval;
- }
-
- static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
-@@ -1794,14 +1827,17 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
- unsigned int input;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-+
- if (sscanf(buf, "%u", &input) != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto force_reflash_store_exit;
- }
-
- if (input != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto force_reflash_store_exit;
- }
- if (LOCKDOWN)
- fwu->do_lockdown = true;
-@@ -1812,16 +1848,18 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to do reflash\n",
- __func__);
-- goto exit;
-+ goto force_reflash_store_free_exit;
- }
-
- retval = count;
-
--exit:
-+force_reflash_store_free_exit:
- kfree(fwu->ext_data_source);
- fwu->ext_data_source = NULL;
- fwu->force_update = FORCE_UPDATE;
- fwu->do_lockdown = rmi4_data->board->do_lockdown;
-+force_reflash_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-
-@@ -1832,9 +1870,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
- unsigned int input;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-+
- if (sscanf(buf, "%u", &input) != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto reflash_store_exit;
- }
-
- if (input & LOCKDOWN) {
-@@ -1844,7 +1885,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
-
- if ((input != NORMAL) && (input != FORCE)) {
- retval = -EINVAL;
-- goto exit;
-+ goto reflash_store_exit;
- }
-
- if (input == FORCE)
-@@ -1855,16 +1896,18 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to do reflash\n",
- __func__);
-- goto exit;
-+ goto reflash_store_free_exit;
- }
-
- retval = count;
-
--exit:
-+reflash_store_free_exit:
- kfree(fwu->ext_data_source);
- fwu->ext_data_source = NULL;
- fwu->force_update = FORCE_UPDATE;
- fwu->do_lockdown = rmi4_data->board->do_lockdown;
-+reflash_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-
-@@ -1875,26 +1918,31 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
- unsigned int input;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-+
- if (sscanf(buf, "%u", &input) != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto lockdown_store_exit;
- }
-
- if (input != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto lockdown_store_exit;
- }
-
- if (!fwu->ext_data_source) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "Cannot use this without loading image in manual way!\n");
-- return -EAGAIN;
-+ retval = -EAGAIN;
-+ goto lockdown_store_exit;
- }
-
- if (fwu->rmi4_data->suspended == true) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "Cannot lockdown while device is in suspend\n");
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto lockdown_store_exit;
- }
-
- retval = fwu_start_write_lockdown();
-@@ -1902,16 +1950,18 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to write lockdown block\n",
- __func__);
-- goto exit;
-+ goto lockdown_store_free_exit;
- }
-
- retval = count;
-
--exit:
-+lockdown_store_free_exit:
- kfree(fwu->ext_data_source);
- fwu->ext_data_source = NULL;
- fwu->force_update = FORCE_UPDATE;
- fwu->do_lockdown = rmi4_data->board->do_lockdown;
-+lockdown_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-
-@@ -1920,6 +1970,8 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
- {
- unsigned int input = 0;
-
-+ /* Takes fwu_sysfs_mutex in the deferred work function. */
-+
- if (sscanf(buf, "%u", &input) != 1)
- return -EINVAL;
-
-@@ -1942,26 +1994,31 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev,
- unsigned int input;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-+
- if (sscanf(buf, "%u", &input) != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto write_config_store_exit;
- }
-
- if (input != 1) {
- retval = -EINVAL;
-- goto exit;
-+ goto write_config_store_exit;
- }
-
- if (!fwu->ext_data_source) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "Cannot use this without loading image in manual way!\n");
-- return -EAGAIN;
-+ retval = -EAGAIN;
-+ goto write_config_store_exit;
- }
-
- if (fwu->rmi4_data->suspended == true) {
- dev_err(&fwu->rmi4_data->i2c_client->dev,
- "Cannot write config while device is in suspend\n");
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto write_config_store_exit;
- }
-
- retval = fwu_start_write_config();
-@@ -1969,14 +2026,16 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev,
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to write config\n",
- __func__);
-- goto exit;
-+ goto write_config_store_free_exit;
- }
-
- retval = count;
-
--exit:
-+write_config_store_free_exit:
- kfree(fwu->ext_data_source);
- fwu->ext_data_source = NULL;
-+write_config_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-
-@@ -1999,7 +2058,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev,
- return -EBUSY;
- }
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
- retval = fwu_do_read_config();
-+ mutex_unlock(&fwu_sysfs_mutex);
-+
- if (retval < 0) {
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to read config\n",
-@@ -2028,7 +2091,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev,
- return -EINVAL;
- }
-
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
- fwu->config_area = config_area;
-+ mutex_unlock(&fwu_sysfs_mutex);
-
- return count;
- }
-@@ -2039,10 +2105,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev,
- int retval;
- unsigned long size;
- struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
-+ if (!mutex_trylock(&fwu_sysfs_mutex))
-+ return -EBUSY;
-
- retval = kstrtoul(buf, 10, &size);
- if (retval)
-- return retval;
-+ goto image_size_store_exit;
-
- fwu->image_size = size;
- fwu->data_pos = 0;
-@@ -2053,10 +2121,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev,
- dev_err(&rmi4_data->i2c_client->dev,
- "%s: Failed to alloc mem for image data\n",
- __func__);
-- return -ENOMEM;
-+ retval = -ENOMEM;
- }
-
-- return count;
-+image_size_store_exit:
-+ mutex_unlock(&fwu_sysfs_mutex);
-+ return retval;
- }
-
- static ssize_t fwu_sysfs_block_size_show(struct device *dev,
-@@ -2241,6 +2311,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work)
- container_of(to_delayed_work(work),
- struct synaptics_rmi4_fwu_handle, fwu_work);
-
-+ mutex_lock(&fwu_sysfs_mutex);
-+
- if (fwu->fn_ptr->enable)
- fwu->fn_ptr->enable(fwu->rmi4_data, false);
-
-@@ -2248,6 +2320,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work)
-
- if (fwu->fn_ptr->enable)
- fwu->fn_ptr->enable(fwu->rmi4_data, true);
-+
-+ mutex_unlock(&fwu_sysfs_mutex);
- }
-
- static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
-@@ -2338,7 +2412,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
- #endif
-
-- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
-+ retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
- dev_err(&rmi4_data->i2c_client->dev,
diff --git a/Patches/Linux_CVEs/CVE-2016-8474/0.patch b/Patches/Linux_CVEs/CVE-2016-8474/0.patch
deleted file mode 100644
index 8acfa4c8..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8474/0.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 900b8b72c57cefebb39c150dfddfdd493a1cea79 Mon Sep 17 00:00:00 2001
-From: Steve Pfetsch
-Date: Mon, 7 Nov 2016 16:20:11 -0800
-Subject: [PATCH] input: ldaf: Initialize buffers before use.
-
-Prevent writing uninitialized stack data to calibration files by
-zeroing out buffers upon creation.
-
-Bug: 31799972
-Bug: 31795790
-Change-Id: Ic848d4d1e181818f461e4b61ad73ada28a474bd1
----
- drivers/input/misc/vl6180/stmvl6180_module.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/misc/vl6180/stmvl6180_module.c b/drivers/input/misc/vl6180/stmvl6180_module.c
-index c61cc0f063424..78bc7f6844c33 100755
---- a/drivers/input/misc/vl6180/stmvl6180_module.c
-+++ b/drivers/input/misc/vl6180/stmvl6180_module.c
-@@ -107,7 +107,7 @@ static int stmvl6180_stop(struct stmvl6180_data *data);
- static void stmvl6180_read_calibration_file(void)
- {
- struct file *f;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
- int i, is_sign = 0;
-
-@@ -184,7 +184,7 @@ static void stmvl6180_read_calibration_file(void)
- static void stmvl6180_write_offset_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_OFFSET, O_CREAT | O_TRUNC | O_RDWR,
-@@ -207,7 +207,7 @@ static void stmvl6180_write_offset_calibration_file(void)
- static void stmvl6180_write_xtalk_calibration_file(void)
- {
- struct file *f = NULL;
-- char buf[8];
-+ char buf[8] = {0};
- mm_segment_t fs;
-
- f = filp_open(CAL_FILE_XTALK, O_CREAT | O_TRUNC | O_RDWR,
diff --git a/Patches/Linux_CVEs/CVE-2016-8478/0.patch b/Patches/Linux_CVEs/CVE-2016-8478/0.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8478/0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0435/0.patch b/Patches/Linux_CVEs/CVE-2017-0435/0.patch
deleted file mode 100644
index 5651b6b3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0435/0.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001 -From: Sudheer Papothi -Date: Wed, 26 Oct 2016 01:07:04 +0530 -Subject: drivers: qcom: ultrasound: Lock async driver calls - -Adds lock to ioctl and other external calls to driver. -Adds missing null check in __usf_set_stream_param. - -Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad -Signed-off-by: Sudheer Papothi ---- - drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++---- - 1 file changed, 59 insertions(+), 7 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -index d535ccb..9270dbc 100644 ---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include "q6usm.h" -@@ -128,6 +129,8 @@ struct usf_type { - uint16_t conflicting_event_filters; - /* The requested buttons bitmap */ - uint16_t req_buttons_bitmap; -+ /* Mutex for exclusive operations (all public APIs) */ -+ struct mutex mutex; - }; - - struct usf_input_dev_type { -@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx, - int dir) - { - struct us_client *usc = usf_xx->usc; -- struct us_port_data *port = &usc->port[dir]; -+ struct us_port_data *port; - int rc = 0; - -+ if (usc == NULL) { -+ pr_err("%s: usc is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ -+ port = &usc->port[dir]; -+ if (port == NULL) { -+ pr_err("%s: port is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ - if (port->param_buf == NULL) { - pr_err("%s: parameter buffer is null\n", - __func__); -@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param */ - --static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+static long __usf_ioctl(struct usf_type 
*usf, -+ unsigned int cmd, -+ unsigned long arg) - { -+ - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - release_xx(usf_xx); - - return rc; -+} /* __usf_ioctl */ -+ -+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_ioctl */ - - #ifdef CONFIG_COMPAT -@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param32 */ - --static long usf_compat_ioctl(struct file *file, -+static long __usf_compat_ioctl(struct usf_type *usf, - unsigned int cmd, - unsigned long arg) - { - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file, - case US_START_RX: - case US_STOP_TX: - case US_STOP_RX: { -- return usf_ioctl(file, cmd, arg); -+ return __usf_ioctl(usf, cmd, arg); - } - - case US_SET_TX_INFO32: { -@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file, - release_xx(usf_xx); - - return rc; -+} /* __usf_compat_ioctl */ -+ -+static long usf_compat_ioctl(struct file *file, -+ unsigned int cmd, -+ unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_compat_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_compat_ioctl */ - #endif /* CONFIG_COMPAT */ - -@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms) - struct usf_type *usf = file->private_data; - int dir = OUT; - struct usf_xx_type *usf_xx = 
&usf->usf_tx; -+ int rc = 0; - -+ mutex_lock(&usf->mutex); - if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */ - dir = IN; - usf_xx = &usf->usf_rx; - } -+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ mutex_unlock(&usf->mutex); - -- return q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ return rc; - } - - static uint16_t add_opened_dev(int minor) -@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file) - usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF; - usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF; - -+ mutex_init(&usf->mutex); -+ - pr_debug("%s:usf in open\n", __func__); - return 0; - } -@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file) - - pr_debug("%s: release entry\n", __func__); - -+ mutex_lock(&usf->mutex); - usf_release_input(usf); - - usf_disable(&usf->usf_tx); -@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file) - - s_opened_devs[usf->dev_ind] = 0; - -+ mutex_unlock(&usf->mutex); -+ mutex_destroy(&usf->mutex); - kfree(usf); - pr_debug("%s: release exit\n", __func__); - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0435/1.patch b/Patches/Linux_CVEs/CVE-2017-0435/1.patch deleted file mode 100644 index ab99a331..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0435/1.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From 831da5d113d214db6894e9fd0ce98762ee8a544a Mon Sep 17 00:00:00 2001
-From: Nick Desaulniers
-Date: Tue, 6 Dec 2016 09:57:57 -0800
-Subject: [PATCH] Kconfig: msm: disable ultrasound driver
-
-Bug: 31906415
-Bug: 31906657
-Bug: 32553868
-Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57
-Signed-off-by: Nick Desaulniers
----
- sound/soc/msm/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/sound/soc/msm/Kconfig b/sound/soc/msm/Kconfig
-index 6eb168e4d10d5..2e6f642241ef3 100644
---- a/sound/soc/msm/Kconfig
-+++ b/sound/soc/msm/Kconfig
-@@ -267,7 +267,6 @@ config SND_SOC_MSM8994
- select SND_SOC_MSM_HDMI_CODEC_RX
- select QTI_PP
- select SND_SOC_CPE
-- select MSM_ULTRASOUND
- select SND_HWDEP
- help
- To add support for SoC audio on MSM8994.
diff --git a/Patches/Linux_CVEs/CVE-2017-0436/0.patch b/Patches/Linux_CVEs/CVE-2017-0436/0.patch
deleted file mode 100644
index 5651b6b3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0436/0.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001 -From: Sudheer Papothi -Date: Wed, 26 Oct 2016 01:07:04 +0530 -Subject: drivers: qcom: ultrasound: Lock async driver calls - -Adds lock to ioctl and other external calls to driver. -Adds missing null check in __usf_set_stream_param. - -Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad -Signed-off-by: Sudheer Papothi ---- - drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++---- - 1 file changed, 59 insertions(+), 7 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -index d535ccb..9270dbc 100644 ---- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include "q6usm.h" -@@ -128,6 +129,8 @@ struct usf_type { - uint16_t conflicting_event_filters; - /* The requested buttons bitmap */ - uint16_t req_buttons_bitmap; -+ /* Mutex for exclusive operations (all public APIs) */ -+ struct mutex mutex; - }; - - struct usf_input_dev_type { -@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx, - int dir) - { - struct us_client *usc = usf_xx->usc; -- struct us_port_data *port = &usc->port[dir]; -+ struct us_port_data *port; - int rc = 0; - -+ if (usc == NULL) { -+ pr_err("%s: usc is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ -+ port = &usc->port[dir]; -+ if (port == NULL) { -+ pr_err("%s: port is null\n", -+ __func__); -+ return -EFAULT; -+ } -+ - if (port->param_buf == NULL) { - pr_err("%s: parameter buffer is null\n", - __func__); -@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param */ - --static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+static long __usf_ioctl(struct usf_type 
*usf, -+ unsigned int cmd, -+ unsigned long arg) - { -+ - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - release_xx(usf_xx); - - return rc; -+} /* __usf_ioctl */ -+ -+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_ioctl */ - - #ifdef CONFIG_COMPAT -@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx, - return __usf_get_stream_param(usf_xx, &get_stream_param, dir); - } /* usf_get_stream_param32 */ - --static long usf_compat_ioctl(struct file *file, -+static long __usf_compat_ioctl(struct usf_type *usf, - unsigned int cmd, - unsigned long arg) - { - int rc = 0; -- struct usf_type *usf = file->private_data; - struct usf_xx_type *usf_xx = NULL; - - switch (cmd) { -@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file, - case US_START_RX: - case US_STOP_TX: - case US_STOP_RX: { -- return usf_ioctl(file, cmd, arg); -+ return __usf_ioctl(usf, cmd, arg); - } - - case US_SET_TX_INFO32: { -@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file, - release_xx(usf_xx); - - return rc; -+} /* __usf_compat_ioctl */ -+ -+static long usf_compat_ioctl(struct file *file, -+ unsigned int cmd, -+ unsigned long arg) -+{ -+ struct usf_type *usf = file->private_data; -+ int rc = 0; -+ -+ mutex_lock(&usf->mutex); -+ rc = __usf_compat_ioctl(usf, cmd, arg); -+ mutex_unlock(&usf->mutex); -+ -+ return rc; - } /* usf_compat_ioctl */ - #endif /* CONFIG_COMPAT */ - -@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms) - struct usf_type *usf = file->private_data; - int dir = OUT; - struct usf_xx_type *usf_xx = 
&usf->usf_tx; -+ int rc = 0; - -+ mutex_lock(&usf->mutex); - if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */ - dir = IN; - usf_xx = &usf->usf_rx; - } -+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ mutex_unlock(&usf->mutex); - -- return q6usm_get_virtual_address(dir, usf_xx->usc, vms); -+ return rc; - } - - static uint16_t add_opened_dev(int minor) -@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file) - usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF; - usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF; - -+ mutex_init(&usf->mutex); -+ - pr_debug("%s:usf in open\n", __func__); - return 0; - } -@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file) - - pr_debug("%s: release entry\n", __func__); - -+ mutex_lock(&usf->mutex); - usf_release_input(usf); - - usf_disable(&usf->usf_tx); -@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file) - - s_opened_devs[usf->dev_ind] = 0; - -+ mutex_unlock(&usf->mutex); -+ mutex_destroy(&usf->mutex); - kfree(usf); - pr_debug("%s: release exit\n", __func__); - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0438/0.patch b/Patches/Linux_CVEs/CVE-2017-0438/0.patch deleted file mode 100644 index 3e7bc3db..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0438/0.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Mon, 28 Nov 2016 09:19:02 -0800 -Subject: qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index b3c265c..800d123 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2092,15 +2108,25 @@ 
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0438/1.patch b/Patches/Linux_CVEs/CVE-2017-0438/1.patch deleted file mode 100644 index acb3c306..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0438/1.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, 
count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; diff --git a/Patches/Linux_CVEs/CVE-2017-0442/0.patch b/Patches/Linux_CVEs/CVE-2017-0442/0.patch deleted file mode 100644 index 3e7bc3db..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0442/0.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Mon, 28 Nov 2016 09:19:02 -0800 -Subject: qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index b3c265c..800d123 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2092,15 +2108,25 @@ 
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0442/1.patch b/Patches/Linux_CVEs/CVE-2017-0442/1.patch deleted file mode 100644 index acb3c306..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0442/1.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, 
count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; diff --git a/Patches/Linux_CVEs/CVE-2017-0443/0.patch b/Patches/Linux_CVEs/CVE-2017-0443/0.patch deleted file mode 100644 index 3e7bc3db..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0443/0.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Mon, 28 Nov 2016 09:19:02 -0800 -Subject: qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index b3c265c..800d123 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2092,15 +2108,25 @@ 
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0443/1.patch b/Patches/Linux_CVEs/CVE-2017-0443/1.patch deleted file mode 100644 index acb3c306..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0443/1.patch +++ /dev/null 
@@ -1,127 +0,0 @@
-From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Mon, 28 Nov 2016 20:47:30 -0800
-Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params
-
-Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
-command, for the following roam commands there are input validation
-issues:
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
-
-Both of these commands have a "number of BSSIDs" attribute as well as a
-list of BSSIDs. However there is no validation that the number of
-BSSIDs provided won't overflow the destination buffer. In addition
-there is no validation that the number of BSSIDs actually provided
-matches the number of BSSIDs expected.
-
-To address these issues, for the above mentioned commands:
-* Verify that the expected number of BSSIDs doesn't exceed the maximum
- allowed number of BSSIDs
-* Verify that the actual number of BSSIDs supplied doesn't exceed the
- expected number of BSSIDs
-* Only process the actual number of supplied BSSIDs if it is less than
- the expected number of BSSIDs.
-
-Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
-CRs-Fixed: 1092497
-Bug: 32402310 32402604 32871330
-Signed-off-by: Srinivas Girigowda
----
- .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
- 1 file changed, 37 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-index 89dba5d54b627..fd23a304b93bd 100644
---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
-@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
- int rem, i;
- uint32_t buf_len = 0;
-+ uint32_t count;
- int ret;
-
- if (VOS_FTM_MODE == hdd_get_conparam()) {
-@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of preferred bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_favored = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
-+ if (count > MAX_BSSID_FAVORED) {
-+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_FAVORED);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of Preferred BSSID (%d)"),
-- roam_params.num_bssid_favored);
-+ FL("Num of Preferred BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_favored_factor[i]);
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Preferred BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_favored = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_FAVORED_BSSID);
- break;
-@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- hddLog(LOGE, FL("attr num of blacklist bssid failed"));
- goto fail;
- }
-- roam_params.num_bssid_avoid_list = nla_get_u32(
-+ count = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
-+ if (count > MAX_BSSID_AVOID_LIST) {
-+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
-+ count, MAX_BSSID_AVOID_LIST);
-+ goto fail;
-+ }
- hddLog(VOS_TRACE_LEVEL_DEBUG,
-- FL("Num of blacklist BSSID (%d)"),
-- roam_params.num_bssid_avoid_list);
-+ FL("Num of blacklist BSSID: %d"), count);
- i = 0;
- nla_for_each_nested(curr_attr,
- tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
- rem) {
-+
-+ if (i == count) {
-+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
-+ break;
-+ }
-+
- if (nla_parse(tb2,
- QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
- nla_data(curr_attr), nla_len(curr_attr),
-@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
- roam_params.bssid_avoid_list[i]));
- i++;
- }
-+ if (i < count)
-+ hddLog(LOGW,
-+ FL("Num Blacklist BSSID %u less than expected %u"),
-+ i, count);
-+ roam_params.num_bssid_avoid_list = i;
- sme_update_roam_params(pHddCtx->hHal, session_id,
- roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
- break;
diff --git a/Patches/Linux_CVEs/CVE-2017-0445/2.patch b/Patches/Linux_CVEs/CVE-2017-0445/2.patch
deleted file mode 100644
index c2e986ef..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0445/2.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 2615c5f302441568e6dd20007bc5246d72837e80 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 6 Dec 2016 19:19:26 -0800
-Subject: [PATCH] input: synaptics_dsx: remove update sysfs entries
-
-Remove sysfs entrypoints to fw_update module.
-
-BUG: 32769717
-Change-Id: I425761af84ed5c31cc5902b4f49c4981a49f3af0
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/synaptics_dsx25/Kconfig | 10 ++++++++
- .../synaptics_dsx25/synaptics_dsx_fw_update.c | 27 ++++++++++++++++++++--
- 2 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/Kconfig b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-index 36661fc9d6a2d..218a6c3c96467 100644
---- a/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-+++ b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
-@@ -59,6 +59,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
- To compile this driver as a module, choose M here: the
- module will be called synaptics_dsx_fw_update.
-
-+config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
-+ bool "Synaptics DSX firmware update sysfs attributes"
-+ depends on TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
-+ help
-+ Say Y here to enable support for sysfs attributes for
-+ performing firmware update in a development environment.
-+ This does not affect the core or other subsystem attributes.
-+
-+ If unsure, say N.
-+
- config TOUCHSCREEN_SYNAPTICS_DSX25_ACTIVE_PEN
- tristate "Synaptics DSX active pen module"
- depends on TOUCHSCREEN_SYNAPTICS25_DSX_CORE
-diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-index 323f65891b458..8cad4d3b3a9d9 100755
---- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
-@@ -105,6 +105,7 @@ static int fwu_do_reflash(void);
-
- static int fwu_recovery_check_status(void);
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count);
-@@ -157,6 +158,7 @@ static ssize_t fwu_sysfs_guest_code_block_count_show(struct device *dev,
-
- static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count);
-+#endif
-
- enum f34_version {
- F34_V0 = 0,
-@@ -595,6 +597,7 @@ struct synaptics_rmi4_fwu_handle {
- struct work_struct fwu_work;
- };
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static struct bin_attribute dev_attr_data = {
- .attr = {
- .name = "data",
-@@ -652,12 +655,14 @@ static struct device_attribute attrs[] = {
- synaptics_rmi4_show_error,
- fwu_sysfs_write_guest_code_store),
- };
-+#endif
-
- static struct synaptics_rmi4_fwu_handle *fwu;
-
- DECLARE_COMPLETION(dsx_fwu_remove_complete);
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- DEFINE_MUTEX(fwu_sysfs_mutex);
--
-+#endif
- static bool tp_2k_panel = false;
- /**
- * early_param: Parse system early startup parameters.
-@@ -3057,6 +3062,7 @@ static int fwu_do_reflash(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_do_read_config(void)
- {
- int retval;
-@@ -3136,6 +3142,7 @@ static int fwu_do_read_config(void)
-
- return retval;
- }
-+#endif
-
- static int fwu_do_lockdown(void)
- {
-@@ -3173,6 +3180,7 @@ static int fwu_do_lockdown(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_start_write_guest_code(void)
- {
- int retval;
-@@ -3348,6 +3356,7 @@ static int fwu_start_write_config(void)
-
- return retval;
- }
-+#endif
-
- static void synaptics_refresh_configid(void)
- {
-@@ -3584,6 +3593,7 @@ static int fwu_recovery_check_status(void)
- return 0;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static int fwu_recovery_erase_all(void)
- {
- int retval;
-@@ -3778,6 +3788,7 @@ static int fwu_start_recovery(void)
-
- return retval;
- }
-+#endif
-
- int synaptics_dsx25_fw_updater(const unsigned char *fw_data)
- {
-@@ -3838,6 +3849,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work)
- }
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count)
-@@ -4236,6 +4248,7 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
- mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-+#endif
-
- static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- unsigned char intr_mask)
-@@ -4252,7 +4265,9 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- {
- int retval;
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- unsigned char attr_count;
-+#endif
- struct pdt_properties pdt_props;
-
- if (fwu) {
-@@ -4319,6 +4334,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- &fwu->fwu_work);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
-@@ -4339,9 +4355,11 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- goto exit_remove_attrs;
- }
- }
-+#endif
-
- return 0;
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- exit_remove_attrs:
- for (attr_count--; attr_count >= 0; attr_count--) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
-@@ -4349,8 +4367,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- }
-
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
--
- exit_destroy_work:
-+#endif
-+
- #ifdef DO_STARTUP_FW_UPDATE
- cancel_work_sync(&fwu->fwu_work);
- flush_workqueue(fwu->fwu_workqueue);
-@@ -4370,7 +4389,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
-
- static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- {
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- unsigned char attr_count;
-+#endif
-
- if (!fwu)
- goto exit;
-@@ -4381,12 +4402,14 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- destroy_workqueue(fwu->fwu_workqueue);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
- &attrs[attr_count].attr);
- }
-
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- kfree(fwu->read_config_buf);
- kfree(fwu->image_name);
diff --git a/Patches/Linux_CVEs/CVE-2017-0445/3.patch b/Patches/Linux_CVEs/CVE-2017-0445/3.patch
deleted file mode 100644
index ed4d450e..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0445/3.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From fe160e51f02ee5db529c2e84ac8364c89cce005e Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Tue, 6 Dec 2016 20:59:01 -0800
-Subject: [PATCH] input: synaptics_dsx: remove some sysfs nodes.
-
-Remove most sysfs entrypoints to fw_update module.
-Retains check_fw, which is triggered from an
-init script.
-
-BUG: 32769717
-Change-Id: I710cb37a8b5382dce7aa6a1d8748be5853a18a7a
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 10 ++++++++++
- drivers/input/touchscreen/synaptics_fw_update.c | 20 ++++++++++++++++++++
- 2 files changed, 30 insertions(+)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index a42fea5862af2..64266998c2290 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1019,6 +1019,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
- To compile this driver as a module, choose M here: the
- module will be called synaptics_dsx_fw_update.
-
-+config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
-+ bool "Synaptics DSX firmware update extra sysfs attributes"
-+ depends on TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
-+ help
-+ Say Y here to enable support for extra sysfs attributes
-+ supporting firmware update in a development environment.
-+ This does not affect the core or other subsystem attributes.
-+
-+ If unsure, say N.
-+
- config SECURE_TOUCH
- bool "Secure Touch"
- depends on (TOUCHSCREEN_ATMEL_MXT || TOUCHSCREEN_SYNAPTICS_I2C_RMI4 || \
-diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
-index 8891f1c836684..360e455a5a51b 100644
---- a/drivers/input/touchscreen/synaptics_fw_update.c
-+++ b/drivers/input/touchscreen/synaptics_fw_update.c
-@@ -1331,6 +1331,7 @@ static int fwu_do_write_config(void)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static int fwu_start_write_config(void)
- {
- int retval;
-@@ -1383,6 +1384,7 @@ static int fwu_start_write_config(void)
-
- return retval;
- }
-+#endif
-
- static int fwu_do_write_lockdown(bool reset)
- {
-@@ -1430,6 +1432,7 @@ static int fwu_do_write_lockdown(bool reset)
- return retval;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static int fwu_start_write_lockdown(void)
- {
- if (parse_header())
-@@ -1533,6 +1536,7 @@ static int fwu_do_read_config(void)
- exit:
- return retval;
- }
-+#endif
-
- static int fwu_do_reflash(void)
- {
-@@ -1767,6 +1771,7 @@ int synaptics_fw_updater(void)
- }
- EXPORT_SYMBOL(synaptics_fw_updater);
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static ssize_t fwu_sysfs_show_image(struct file *data_file,
- struct kobject *kobj, struct bin_attribute *attributes,
- char *buf, loff_t pos, size_t count)
-@@ -2021,6 +2026,7 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
- mutex_unlock(&fwu_sysfs_mutex);
- return retval;
- }
-+#endif
-
- static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count)
-@@ -2044,6 +2050,7 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
- return count;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static ssize_t fwu_sysfs_write_config_store(struct device *dev,
- struct device_attribute *attr, const char *buf, size_t count)
- {
-@@ -2265,6 +2272,7 @@ static ssize_t fwu_sysfs_package_id_show(struct device *dev,
- (pkg_id[1] << 8) | pkg_id[0],
- (pkg_id[3] << 8) | pkg_id[2]);
- }
-+#endif
-
- static int synaptics_rmi4_debug_dump_info(struct seq_file *m, void *v)
- {
-@@ -2298,6 +2306,7 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
- return;
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- static struct bin_attribute dev_attr_data = {
- .attr = {
- .name = "data",
-@@ -2307,8 +2316,10 @@ static struct bin_attribute dev_attr_data = {
- .read = fwu_sysfs_show_image,
- .write = fwu_sysfs_store_image,
- };
-+#endif
-
- static struct device_attribute attrs[] = {
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- __ATTR(fw_name, S_IRUGO | S_IWUSR | S_IWGRP,
- fwu_sysfs_image_name_show,
- fwu_sysfs_image_name_store),
-@@ -2318,9 +2329,11 @@ static struct device_attribute attrs[] = {
- __ATTR(update_fw, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_do_reflash_store),
-+#endif
- __ATTR(check_fw, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_check_fw_store),
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- __ATTR(writeconfig, S_IWUSR | S_IWGRP,
- NULL,
- fwu_sysfs_write_config_store),
-@@ -2360,6 +2373,7 @@ static struct device_attribute attrs[] = {
- __ATTR(package_id, S_IRUGO,
- fwu_sysfs_package_id_show,
- synaptics_rmi4_store_error),
-+#endif
- };
-
-
-@@ -2470,6 +2484,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
- #endif
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
- &dev_attr_data);
- if (retval < 0) {
-@@ -2478,6 +2493,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- __func__);
- goto exit_free_mem;
- }
-+#endif
-
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- retval = sysfs_create_file(&rmi4_data->i2c_client->dev.kobj,
-@@ -2511,7 +2527,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
- &attrs[attr_count].attr);
- }
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- exit_free_mem:
- kfree(fwu->fn_ptr);
-@@ -2528,7 +2546,9 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
- {
- unsigned char attr_count;
-
-+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
- sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-+#endif
-
- for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
- sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
diff --git a/Patches/Linux_CVEs/CVE-2017-0446/0.patch b/Patches/Linux_CVEs/CVE-2017-0446/0.patch
deleted file mode 100644
index 0a9424c6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0446/0.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 21:56:40 -0800
-Subject: [PATCH] input: touchscreen: disable generic update i/f
-
-Disable the generic touchscreen firmware update hook.
-The generic touchscreen firmware update driver has
-security flaws and is not necessary for Marlin touchscreen
-firmware updates.
-
-synaptics_dsx_htc_2.6 still attempts firmware updates
-via request_firmware on boot with this disabled.
-
-BUG: 32917445
-BUG: 32919560
-BUG: 32769717
-Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index b633d17ea8b18..1e7ce91810f41 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
-
- config TOUCHSCREEN_TOUCH_FW_UPDATE
- tristate "Touchscreen firmware update"
-- default y
- help
- Say Y here to support touch firmware update
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0447/0.patch b/Patches/Linux_CVEs/CVE-2017-0447/0.patch
deleted file mode 100644
index 0a9424c6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0447/0.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 2 Dec 2016 21:56:40 -0800
-Subject: [PATCH] input: touchscreen: disable generic update i/f
-
-Disable the generic touchscreen firmware update hook.
-The generic touchscreen firmware update driver has
-security flaws and is not necessary for Marlin touchscreen
-firmware updates.
-
-synaptics_dsx_htc_2.6 still attempts firmware updates
-via request_firmware on boot with this disabled.
-
-BUG: 32917445
-BUG: 32919560
-BUG: 32769717
-Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
-Signed-off-by: Andrew Chant
----
- drivers/input/touchscreen/Kconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
-index b633d17ea8b18..1e7ce91810f41 100644
---- a/drivers/input/touchscreen/Kconfig
-+++ b/drivers/input/touchscreen/Kconfig
-@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
-
- config TOUCHSCREEN_TOUCH_FW_UPDATE
- tristate "Touchscreen firmware update"
-- default y
- help
- Say Y here to support touch firmware update
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0533/0.patch b/Patches/Linux_CVEs/CVE-2017-0533/0.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0533/0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0534/0.patch b/Patches/Linux_CVEs/CVE-2017-0534/0.patch
deleted file mode 100644
index b08ceefb..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0534/0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
-From: Benet Clark
-Date: Thu, 10 Nov 2016 17:49:09 -0800
-Subject: msm: mdss: Clear compat structures before copying to user
-
-In the compat layer, the temporary structures used to convert
-data from 32bit to 64bit structures need to be set to 0 before
-being assigned values.
-
-CRs-Fixed: 1088206
-Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
-Signed-off-by: Benet Clark
----
- drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
-index 5ad51dd..a9ab5c1 100644
---- a/drivers/video/msm/mdss/mdss_compat_utils.c
-+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
-@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
- return -EFAULT;
- }
-
-+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
- pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
- pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
- pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
-@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
- pr_err("failed to copy payload from user for igc\n");
- return -EFAULT;
- }
-+
-+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
- igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
- igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
- igc_cfg_payload.len = igc_cfg_payload_32.len;
-@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
- pr_err("failed to copy from user the pgc32 payload\n");
- return -EFAULT;
- }
-+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
- pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
- pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
- pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
-@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
- hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
- hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
-
-@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
- return -EFAULT;
- }
-
-+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
- pa_cfg_payload.mode = pa_cfg_payload32.mode;
- pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
- pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
-@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
- pr_err("failed to copy the gamut payload from userspace\n");
- return -EFAULT;
- }
-+
-+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
- gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
- gamut_cfg_payload.tbl_size[i] =
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0536/0.patch b/Patches/Linux_CVEs/CVE-2017-0536/0.patch
deleted file mode 100644
index 24e8b2ed..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0536/0.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From e6430a4da1fb0212a546379eadbe986f629c3ae9 Mon Sep 17 00:00:00 2001
-From: Andrew Chant
-Date: Fri, 13 Jan 2017 11:41:03 -0800
-Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
-
-Protect tmpbuf from concurrent access by mutex.
-
-BUG: 33555878
-BUG: 33002026
-Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
-Signed-off-by: Andrew Chant
----
- .../synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c | 36 ++++++++++++++--------
- 1 file changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-index e699dfea50c81..6878b71da9be0 100644
---- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
-@@ -565,18 +565,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-+
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto clean_up;
-+ }
-
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-
-+ if (count == 0) {
-+ retval = 0;
-+ goto clean_up;
-+ }
- address = (unsigned short)(*f_pos);
-
- rmidev_allocate_buffer(count);
-
-- mutex_lock(&(dev_data->file_mutex));
--
- retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -636,19 +642,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- return -EBADF;
- }
-
-- if (count == 0)
-- return 0;
-+ mutex_lock(&(dev_data->file_mutex));
-
-+ if (*f_pos > REG_ADDR_LIMIT) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- if (count > (REG_ADDR_LIMIT - *f_pos))
- count = REG_ADDR_LIMIT - *f_pos;
-+ if (count == 0) {
-+ retval = 0;
-+ goto unlock;
-+ }
-
- rmidev_allocate_buffer(count);
-
-- if (copy_from_user(rmidev->tmpbuf, buf, count))
-- return -EFAULT;
--
-- mutex_lock(&(dev_data->file_mutex));
--
-+ if (copy_from_user(rmidev->tmpbuf, buf, count)) {
-+ retval = -EFAULT;
-+ goto unlock;
-+ }
- retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
- *f_pos,
- rmidev->tmpbuf,
-@@ -656,8 +668,8 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
- if (retval >= 0)
- *f_pos += retval;
-
-+unlock:
- mutex_unlock(&(dev_data->file_mutex));
--
- return retval;
- }
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0569/0.patch b/Patches/Linux_CVEs/CVE-2017-0569/0.patch
deleted file mode 100644
index 6cc32e48..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0569/0.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
-From: Sudhir Kohalli
-Date: Fri, 20 Jan 2017 17:32:53 -0800
-Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
-
-1) The default_chan_list buffer overflow is avoided by checking
-n_nodfs index does not exceed num_chans, which is the length
-of default_chan_list buffer.
-2) The SSID length check 32(max limit) is done and then the SSID
-name copied in extra buffer is null terminated. The extra buffer
-is allocated a length of of 33 in wl_iw_ioctl.c.
-3) Issue of chances of cumulative results->pkt_count length
-exceeding allocated memory length of results->total_count is
-avoided in this fix. change_array is the destination array
-whose length is allocated to results->total_count.
-
-Signed-off-by: Sudhir Kohalli
-
-Bug: 34197514
-Bug: 34199963
-Bug: 34198729
-
-Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
----
- drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
- drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
-index ec2c347ca6219..95bfe2729855f 100644
---- a/drivers/net/wireless/bcmdhd/dhd_pno.c
-+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
-@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
- }
-
- change_array = ¶ms->change_array[params->results_rxed_so_far];
-- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
-+ if ((params->results_rxed_so_far + results->pkt_count) >
-+ results->total_count) {
-+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
-+ *send_evt_bytes = 0;
-+ kfree(params->change_array);
-+ params->change_array = NULL;
-+ return ptr;
-+ }
-+
-+ memcpy(change_array, results->list,
-+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
- params->results_rxed_so_far += results->pkt_count;
-
- if (params->results_rxed_so_far == results->total_count) {
-diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-index 6cadcb56582be..063d49015e5a6 100644
---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
-@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
- /* allows only supported channel on
- * current reguatory
- */
-+ if (n_nodfs >= num_chans)
-+ break;
-+
- if (channel == (dtoh32(list->element[j])))
- default_chan_list[n_nodfs++] =
- channel;
-@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
- struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
- #endif /* GSCAN_SUPPORT */
-
-- WL_ERR((">>> PNO Event\n"));
-+ if (!data) {
-+ WL_ERR(("Data is NULL!\n"));
-+ return 0;
-+ }
-
-+ WL_DBG((">>> PNO Event\n"));
- ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
-
- #ifdef GSCAN_SUPPORT
diff --git a/Patches/Linux_CVEs/CVE-2017-0570/0.patch b/Patches/Linux_CVEs/CVE-2017-0570/0.patch
deleted file mode 100644
index 6cc32e48..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0570/0.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001 -From: Sudhir Kohalli -Date: Fri, 20 Jan 2017 17:32:53 -0800 -Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan. - -1) The default_chan_list buffer overflow is avoided by checking -n_nodfs index does not exceed num_chans, which is the length -of default_chan_list buffer. -2) The SSID length check 32(max limit) is done and then the SSID -name copied in extra buffer is null terminated. The extra buffer -is allocated a length of of 33 in wl_iw_ioctl.c. -3) Issue of chances of cumulative results->pkt_count length -exceeding allocated memory length of results->total_count is -avoided in this fix. change_array is the destination array -whose length is allocated to results->total_count. - -Signed-off-by: Sudhir Kohalli - -Bug: 34197514 -Bug: 34199963 -Bug: 34198729 - -Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3 ---- - drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++- - drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++- - 2 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index ec2c347ca6219..95bfe2729855f 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_ - } - - change_array = ¶ms->change_array[params->results_rxed_so_far]; -- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count); -+ if ((params->results_rxed_so_far + results->pkt_count) > -+ results->total_count) { -+ DHD_ERROR(("Error: Invalid data reset the counters!!\n")); -+ *send_evt_bytes = 0; -+ kfree(params->change_array); -+ params->change_array = NULL; -+ return ptr; -+ } -+ -+ memcpy(change_array, results->list, -+ sizeof(wl_pfn_significant_net_t) * results->pkt_count); - params->results_rxed_so_far += 
results->pkt_count; - - if (params->results_rxed_so_far == results->total_count) { -diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -index 6cadcb56582be..063d49015e5a6 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c -@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev, - /* allows only supported channel on - * current reguatory - */ -+ if (n_nodfs >= num_chans) -+ break; -+ - if (channel == (dtoh32(list->element[j]))) - default_chan_list[n_nodfs++] = - channel; -@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, - struct wiphy *wiphy = bcmcfg_to_wiphy(cfg); - #endif /* GSCAN_SUPPORT */ - -- WL_ERR((">>> PNO Event\n")); -+ if (!data) { -+ WL_ERR(("Data is NULL!\n")); -+ return 0; -+ } - -+ WL_DBG((">>> PNO Event\n")); - ndev = cfgdev_to_wlc_ndev(cfgdev, cfg); - - #ifdef GSCAN_SUPPORT diff --git a/Patches/Linux_CVEs/CVE-2017-0628/0.patch b/Patches/Linux_CVEs/CVE-2017-0628/0.patch deleted file mode 100644 index 2635e7bc..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0628/0.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 012e37bf91490c5b59ba2ab68a4d214b632b613f Mon Sep 17 00:00:00 2001 -From: Rajesh Bondugula -Date: Tue, 8 Nov 2016 11:52:55 -0800 -Subject: msm: camera: sensor: Validate i2c_frq_mode in msm_cci_get_clk_rates - -i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace. -Validate to make sure it has valid values. If a large number is sent -from userspace to avoid a buffer over read. - -Crs-Fixed: 1086833 -Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159 -Signed-off-by: Rajesh Bondugula ---- - drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -index b1c2382..f113bdc 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c -@@ -115,15 +115,16 @@ static int32_t msm_cci_set_clk_param(struct cci_device *cci_dev, - enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - -- clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; -- - if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { - pr_err("%s:%d invalid i2c_freq_mode = %d", - __func__, __LINE__, i2c_freq_mode); - return -EINVAL; - } -+ - if (cci_dev->i2c_freq_mode[master] == i2c_freq_mode) - return 0; -+ -+ clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - if (MASTER_0 == master) { - msm_camera_io_w_mb(clk_params->hw_thigh << 16 | - clk_params->hw_tlow, -@@ -1196,6 +1197,13 @@ static uint32_t *msm_cci_get_clk_rates(struct cci_device *cci_dev, - struct msm_cci_clk_params_t *clk_params = NULL; - enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode; - struct device_node *of_node = cci_dev->pdev->dev.of_node; -+ -+ if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) { -+ 
pr_err("%s:%d invalid i2c_freq_mode %d\n", -+ __func__, __LINE__, i2c_freq_mode); -+ return NULL; -+ } -+ - clk_params = &cci_dev->cci_clk_params[i2c_freq_mode]; - cci_clk_src = clk_params->cci_clk_src; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0788/0.patch b/Patches/Linux_CVEs/CVE-2017-0788/0.patch deleted file mode 100644 index 8acfe027..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0788/0.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001 -From: Insun Song -Date: Mon, 5 Jun 2017 14:39:26 -0700 -Subject: net: wireless: bcmdhd: adding boundary check for pfn events - -adding boundary check for bssid count in dhd_pno_process_epno_result -and dhd_handle_hotlist_scan_evt function to prevent heap overflow. - -Signed-off-by: Insun Song -Bug: 37722328 -Bug: 37722970 -Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1 ---- - drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c -index 8ebdf53..1a8e4ee 100644 ---- a/drivers/net/wireless/bcmdhd/dhd_pno.c -+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c -@@ -92,6 +92,11 @@ - #define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====") - #define TIME_MIN_DIFF 5 - -+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t)) -+#define EVENT_MAX_NETCNT \ -+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \ -+ / sizeof(wl_pfn_net_info_t) + 1) -+ - #ifdef GSCAN_SUPPORT - static int _dhd_pno_flush_ssid(dhd_pub_t *dhd); - static wl_pfn_gscan_ch_bucket_cfg_t * -@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int - if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) { - wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data; - wl_pfn_net_info_t *net; -- -+ if ((pfn_result->count == 0) || -+ (pfn_result->count > EVENT_MAX_NETCNT)) { -+ DHD_ERROR(("%s event %d: incorrect results count:%d\n", -+ __FUNCTION__, event, pfn_result->count)); -+ return NULL; -+ } - if (pfn_result->version != PFN_SCANRESULT_VERSION) { - DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event, - pfn_result->version, PFN_SCANRESULT_VERSION)); -@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s 
- - gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan); - -- if (!results->count) { -+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) { -+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__, -+ results->count)); - *send_evt_bytes = 0; - return ptr; - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-10998/1.patch b/Patches/Linux_CVEs/CVE-2017-10998/1.patch deleted file mode 100644 index 9d70672c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-10998/1.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 208e72e59c8411e75d4118b48648a5b7d42b1682 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Wed, 11 Jan 2017 11:09:24 -0800 -Subject: ASoC: msm: qdsp6v2: extend validation of virtual address - -Validate a buffer virtual address is fully within the region before -returning the region to ensure functionality for an extended edge -case. - -Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654 -Signed-off-by: Siena Richard -CRs-fixed: 1108461 ---- - drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -index 9ade557..c12f791 100644 ---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -@@ -1,6 +1,6 @@ - /* Copyright (C) 2008 Google, Inc. - * Copyright (C) 2008 HTC Corporation -- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. -+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. - * - * This software is licensed under the terms of the GNU General Public - * License version 2, as published by the Free Software Foundation, and -@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr, - list_for_each_entry(region_elt, &audio->ion_region_queue, list) { - if (addr >= region_elt->vaddr && - addr < region_elt->vaddr + region_elt->len && -- addr + len <= region_elt->vaddr + region_elt->len) { -+ addr + len <= region_elt->vaddr + region_elt->len && -+ addr + len > addr) { -+ /* to avoid integer addition overflow */ -+ - /* offset since we could pass vaddr inside a registerd - * ion buffer - */ --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-5669/1.patch b/Patches/Linux_CVEs/CVE-2017-5669/1.patch deleted file mode 100644 index 151b9470..00000000 --- a/Patches/Linux_CVEs/CVE-2017-5669/1.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001 -From: Davidlohr Bueso -Date: Mon, 27 Feb 2017 14:28:24 -0800 -Subject: ipc/shm: Fix shmat mmap nil-page protection - -The issue is described here, with a nice testcase: - - https://bugzilla.kernel.org/show_bug.cgi?id=192931 - -The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and -the address rounded down to 0. For the regular mmap case, the -protection mentioned above is that the kernel gets to generate the -address -- arch_get_unmapped_area() will always check for MAP_FIXED and -return that address. So by the time we do security_mmap_addr(0) things -get funky for shmat(). - -The testcase itself shows that while a regular user crashes, root will -not have a problem attaching a nil-page. There are two possible fixes -to this. The first, and which this patch does, is to simply allow root -to crash as well -- this is also regular mmap behavior, ie when hacking -up the testcase and adding mmap(... |MAP_FIXED). While this approach -is the safer option, the second alternative is to ignore SHM_RND if the -rounded address is 0, thus only having MAP_SHARED flags. This makes the -behavior of shmat() identical to the mmap() case. The downside of this -is obviously user visible, but does make sense in that it maintains -semantics after the round-down wrt 0 address and mmap. - -Passes shm related ltp tests. - -Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net -Signed-off-by: Davidlohr Bueso -Reported-by: Gareth Evans -Cc: Manfred Spraul -Cc: Michael Kerrisk -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - ipc/shm.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/ipc/shm.c b/ipc/shm.c -index d7805ac..06ea9ef 100644 ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -1091,8 +1091,8 @@ out_unlock1: - * "raddr" thing points to kernel space, and there has to be a wrapper around - * this. 
- */ --long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, -- unsigned long shmlba) -+long do_shmat(int shmid, char __user *shmaddr, int shmflg, -+ ulong *raddr, unsigned long shmlba) - { - struct shmid_kernel *shp; - unsigned long addr; -@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, - goto out; - else if ((addr = (ulong)shmaddr)) { - if (addr & (shmlba - 1)) { -- if (shmflg & SHM_RND) -- addr &= ~(shmlba - 1); /* round down */ -+ /* -+ * Round down to the nearest multiple of shmlba. -+ * For sane do_mmap_pgoff() parameters, avoid -+ * round downs that trigger nil-page and MAP_FIXED. -+ */ -+ if ((shmflg & SHM_RND) && addr >= shmlba) -+ addr &= ~(shmlba - 1); - else - #ifndef __ARCH_FORCE_SHMLBA - if (addr & ~PAGE_MASK) --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6074/1.patch b/Patches/Linux_CVEs/CVE-2017-6074/1.patch deleted file mode 100644 index 79c6a180..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6074/1.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba34718..8fedc2d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7369/1.patch b/Patches/Linux_CVEs/CVE-2017-7369/1.patch deleted file mode 100644 index 2af50f01..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7369/1.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From ae8f1d5f60644983aba7fbab469d0e542a187c6e Mon Sep 17 00:00:00 2001 -From: Walter Yang -Date: Thu, 2 Mar 2017 12:13:34 +0800 -Subject: ASoC: Add backend user count checking - -Add backend user count checking to protect the index -boundary. - -Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd -CRs-Fixed: 2009216 -Signed-off-by: Walter Yang ---- - sound/soc/soc-compress.c | 5 +++++ - sound/soc/soc-pcm.c | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c -index 832f221f..a56e2e5 100644 ---- a/sound/soc/soc-compress.c -+++ b/sound/soc/soc-compress.c -@@ -533,6 +533,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream, - cstream, &async_domain); - } else { - be_list[j++] = be; -+ if (j == DPCM_MAX_BE_USERS) { -+ dev_dbg(fe->dev, -+ "ASoC: MAX backend users!\n"); -+ break; -+ } - } - } - for (i = 0; i < j; i++) { -diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c -index 6c44757..e6de6ad 100644 ---- a/sound/soc/soc-pcm.c -+++ b/sound/soc/soc-pcm.c -@@ -2320,6 +2320,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream, - dpcm, domain); - } else { - dpcm_async[i++] = dpcm; -+ if (i == DPCM_MAX_BE_USERS) { -+ dev_dbg(fe->dev, "ASoC: MAX backend users!\n"); -+ break; -+ } - } - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7371/1.patch b/Patches/Linux_CVEs/CVE-2017-7371/1.patch deleted file mode 100644 index 19b01e18..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7371/1.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001 -From: Sungjun Park -Date: Mon, 23 Jan 2017 13:28:44 -0800 -Subject: bluetooth: Fix free data pointer routine - -Data pointer has been reused after freed it. So, -it has been moved to after using the data pointer -to clean up resource and freed it. - -Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d -Signed-off-by: Sungjun Park ---- - drivers/bluetooth/btfm_slim.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c -index 5fb00b9..1c6e256 100644 ---- a/drivers/bluetooth/btfm_slim.c -+++ b/drivers/bluetooth/btfm_slim.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim) - BTFMSLIM_DBG(""); - mutex_destroy(&btfm_slim->io_lock); - mutex_destroy(&btfm_slim->xfer_lock); -- kfree(btfm_slim); - snd_soc_unregister_codec(&slim->dev); - - BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd"); -@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim) - - BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd"); - slim_remove_device(slim); -+ -+ kfree(btfm_slim); - return 0; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-7618/1.patch b/Patches/Linux_CVEs/CVE-2017-7618/1.patch deleted file mode 100644 index 85373076..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7618/1.patch +++ /dev/null @@ -1 +0,0 @@ -Not Found \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-9077/0.patch b/Patches/Linux_CVEs/CVE-2017-9077/0.patch deleted file mode 100644 index 828a8905..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9077/0.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 83eaddab4378db256d00d295bda6ca997cd13a52 Mon Sep 17 00:00:00 2001 -From: WANG Cong -Date: Tue, 9 May 2017 16:59:54 -0700 -Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent - -Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent") -we should clear ipv6_mc_list etc. for IPv6 sockets too. - -Cc: Eric Dumazet -Signed-off-by: Cong Wang -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/dccp/ipv6.c | 6 ++++++ - net/ipv6/tcp_ipv6.c | 2 ++ - 2 files changed, 8 insertions(+) - -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index d9b6a4e..b6bbb71 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - newsk->sk_backlog_rcv = dccp_v4_do_rcv; - newnp->pktoptions = NULL; - newnp->opt = NULL; -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->mcast_oif = inet6_iif(skb); - newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; - -@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - /* Clone RX bits */ - newnp->rxopt.all = np->rxopt.all; - -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; - newnp->opt = NULL; - newnp->mcast_oif = inet6_iif(skb); -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index aeb9497..df5a9ff 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - newtp->af_specific = &tcp_sock_ipv6_mapped_specific; - #endif - -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; -@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - First: no IPv4 options. 
- */ - newinet->inet_opt = NULL; -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; - --- -cgit v1.1 - diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh index f4face00..a94b12d0 100644 --- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh +++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh 
@@ -1,49 +1,50 @@
 #!/bin/bash
 cd $base"kernel/amazon/hdx-common"
-git apply $cvePatches"CVE-2012-6704"/*.patch && echo 'Applied fix for CVE-2012-6704'
-git apply $cvePatches"CVE-2014-1739"/*.patch && echo 'Applied fix for CVE-2014-1739'
-git apply $cvePatches"CVE-2014-4656"/*.patch && echo 'Applied fix for CVE-2014-4656'
-git apply $cvePatches"CVE-2014-7822"/*.patch && echo 'Applied fix for CVE-2014-7822'
-git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2014-9880"/*.patch && echo 'Applied fix for CVE-2014-9880'
-git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
-git apply $cvePatches"CVE-2016-10230"/*.patch && echo 'Applied fix for CVE-2016-10230'
-git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
-git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
-git apply $cvePatches"CVE-2016-2488"/*.patch && echo 'Applied fix for CVE-2016-2488'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3893"/*.patch && echo 'Applied fix for CVE-2016-3893'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-6751"/*.patch && echo 'Applied fix for CVE-2016-6751'
-git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2016-8417"/*.patch && echo 'Applied fix for CVE-2016-8417'
-git apply $cvePatches"CVE-2016-8444"/*.patch && echo 'Applied fix for CVE-2016-8444'
-git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2016-9793"/*.patch && echo 'Applied fix for CVE-2016-9793'
-git apply $cvePatches"CVE-2017-0403"/*.patch && echo 'Applied fix for CVE-2017-0403'
-git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
-git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
-git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-10662"/*.patch && echo 'Applied fix for CVE-2017-10662'
-git apply $cvePatches"CVE-2017-11000"/*.patch && echo 'Applied fix for CVE-2017-11000'
-git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
-git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
-git apply $cvePatches"CVE-2017-9706"/*.patch && echo 'Applied fix for CVE-2017-9706'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2012-6704/0.patch
+git apply $cvePatches/CVE-2014-1739/0.patch
+git apply $cvePatches/CVE-2014-4656/0.patch
+git apply $cvePatches/CVE-2014-7822/0.patch
+git apply $cvePatches/CVE-2014-9420/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2014-9880/0.patch
+git apply $cvePatches/CVE-2015-1593/0.patch
+git apply $cvePatches/CVE-2016-10230/0.patch
+git apply $cvePatches/CVE-2016-2185/0.patch
+git apply $cvePatches/CVE-2016-2186/0.patch
+git apply $cvePatches/CVE-2016-2488/0.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3893/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-6751/0.patch
+git apply $cvePatches/CVE-2016-6753/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2016-8417/0.patch
+git apply $cvePatches/CVE-2016-8444/0.patch
+git apply $cvePatches/CVE-2016-8650/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2016-9793/0.patch
+git apply $cvePatches/CVE-2017-0403/0.patch
+git apply $cvePatches/CVE-2017-0404/0.patch
+git apply $cvePatches/CVE-2017-0611/0.patch
+git apply $cvePatches/CVE-2017-0751/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-10662/0.patch
+git apply $cvePatches/CVE-2017-11000/0.patch
+git apply $cvePatches/CVE-2017-11059/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5970/0.patch
+git apply $cvePatches/CVE-2017-6074/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8247/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
+git apply $cvePatches/CVE-2017-9706/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_asus_msm8916.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_asus_msm8916.sh
index 1e4a8d27..9a2a3f81 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_asus_msm8916.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_asus_msm8916.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 cd $base"kernel/asus/msm8916"
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-8394"/*.patch && echo 'Applied fix for CVE-2016-8394'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-8394/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
index c3a640e6..befbc55d 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
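Review bot: The rewritten `git apply $cvePatches/CVE-…/0.patch` lines in the amazon hdx-common hunk no longer print anything on success and still take no action on failure, so a tree where a fix did not apply is distinguishable only by git's own error text scrolling past; the script ends with `cd $base`, so its exit status presumably will not reflect a skipped patch either. For a CVE patcher that is the outcome that needs to be loud: quote the path and record the failure, e.g. `git apply "$cvePatches/CVE-2012-6704/0.patch" || echo 'FAILED to apply CVE-2012-6704' >&2`. Replacing the `*.patch` glob with a fixed `0.patch` also means a CVE directory that still holds a multi-part fix would get only its first part; the deletions in this commit suggest the extra files were duplicates, but that is worth confirming for directories the commit does not touch. The same points apply to the asus msm8916, fairphone msm8974 and google marlin hunks that follow.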
@@ -1,12 +1,13 @@
 #!/bin/bash
 cd $base"kernel/fairphone/msm8974"
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2017-0430"/*.patch && echo 'Applied fix for CVE-2017-0430'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2017-0430/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-11059/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_marlin.sh
index 83128839..7e1012c4 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_marlin.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_marlin.sh
@@ -1,69 +1,72 @@
 #!/bin/bash
 cd $base"kernel/google/marlin"
-git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
-git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
-git apply $cvePatches"CVE-2015-8966"/*.patch && echo 'Applied fix for CVE-2015-8966'
-git apply $cvePatches"CVE-2016-10044"/*.patch && echo 'Applied fix for CVE-2016-10044'
-git apply $cvePatches"CVE-2016-10088"/*.patch && echo 'Applied fix for CVE-2016-10088'
-git apply $cvePatches"CVE-2016-10153"/*.patch && echo 'Applied fix for CVE-2016-10153'
-git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
-git apply $cvePatches"CVE-2016-2847"/*.patch && echo 'Applied fix for CVE-2016-2847'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
-git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
-git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
-git apply $cvePatches"CVE-2016-3156"/*.patch && echo 'Applied fix for CVE-2016-3156'
-git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
-git apply $cvePatches"CVE-2016-3906"/*.patch && echo 'Applied fix for CVE-2016-3906'
-git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
-git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
-git apply $cvePatches"CVE-2016-5854"/*.patch && echo 'Applied fix for CVE-2016-5854'
-git apply $cvePatches"CVE-2016-5856"/*.patch && echo 'Applied fix for CVE-2016-5856'
-git apply $cvePatches"CVE-2016-5857"/*.patch && echo 'Applied fix for CVE-2016-5857'
-git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
-git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-7042"/*.patch && echo 'Applied fix for CVE-2016-7042'
-git apply $cvePatches"CVE-2016-8418"/*.patch && echo 'Applied fix for CVE-2016-8418'
-git apply $cvePatches"CVE-2016-9191"/*.patch && echo 'Applied fix for CVE-2016-9191'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-0622"/*.patch && echo 'Applied fix for CVE-2017-0622'
-git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-10998"/*.patch && echo 'Applied fix for CVE-2017-10998'
-git apply $cvePatches"CVE-2017-11001"/*.patch && echo 'Applied fix for CVE-2017-11001'
-git apply $cvePatches"CVE-2017-11002"/*.patch && echo 'Applied fix for CVE-2017-11002'
-git apply $cvePatches"CVE-2017-11046"/*.patch && echo 'Applied fix for CVE-2017-11046'
-git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
-git apply $cvePatches"CVE-2017-11057"/*.patch && echo 'Applied fix for CVE-2017-11057'
-git apply $cvePatches"CVE-2017-11600"/*.patch && echo 'Applied fix for CVE-2017-11600'
-git apply $cvePatches"CVE-2017-12146"/*.patch && echo 'Applied fix for CVE-2017-12146'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-5986"/*.patch && echo 'Applied fix for CVE-2017-5986'
-git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6353"/*.patch && echo 'Applied fix for CVE-2017-6353'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7371"/*.patch && echo 'Applied fix for CVE-2017-7371'
-git apply $cvePatches"CVE-2017-7372"/*.patch && echo 'Applied fix for CVE-2017-7372'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-7616"/*.patch && echo 'Applied fix for CVE-2017-7616'
-git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
-git apply $cvePatches"CVE-2017-8251"/*.patch && echo 'Applied fix for CVE-2017-8251'
-git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
-git apply $cvePatches"CVE-2017-9075"/*.patch && echo 'Applied fix for CVE-2017-9075'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
-git apply $cvePatches"CVE-2017-9686"/*.patch && echo 'Applied fix for CVE-2017-9686'
-git apply $cvePatches"CVE-2017-9687"/*.patch && echo 'Applied fix for CVE-2017-9687'
-git apply $cvePatches"CVE-2017-9697"/*.patch && echo 'Applied fix for CVE-2017-9697'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9900/0.patch
+git apply $cvePatches/CVE-2015-2041/0.patch
+git apply $cvePatches/CVE-2015-8966/0.patch
+git apply $cvePatches/CVE-2016-10044/0.patch
+git apply $cvePatches/CVE-2016-10088/0.patch
+git apply $cvePatches/CVE-2016-10153/0.patch
+git apply $cvePatches/CVE-2016-2187/1.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-2549/0.patch
+git apply $cvePatches/CVE-2016-2847/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3136/0.patch
+git apply $cvePatches/CVE-2016-3137/0.patch
+git apply $cvePatches/CVE-2016-3140/0.patch
+git apply $cvePatches/CVE-2016-3156/0.patch
+git apply $cvePatches/CVE-2016-3865/0.patch
+git apply $cvePatches/CVE-2016-3865/1.patch
+git apply $cvePatches/CVE-2016-3906/0.patch
+git apply $cvePatches/CVE-2016-5342/0.patch
+git apply $cvePatches/CVE-2016-5345/0.patch
+git apply $cvePatches/CVE-2016-5854/0.patch
+git apply $cvePatches/CVE-2016-5856/0.patch
+git apply $cvePatches/CVE-2016-5857/0.patch
+git apply $cvePatches/CVE-2016-5867/0.patch
+git apply $cvePatches/CVE-2016-5870/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-7042/0.patch
+git apply $cvePatches/CVE-2016-8418/0.patch
+git apply $cvePatches/CVE-2016-9191/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-0622/0.patch
+git apply $cvePatches/CVE-2017-0627/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-10998/0.patch
+git apply $cvePatches/CVE-2017-11001/0.patch
+git apply $cvePatches/CVE-2017-11002/0.patch
+git apply $cvePatches/CVE-2017-11046/0.patch
+git apply $cvePatches/CVE-2017-11048/0.patch
+git apply $cvePatches/CVE-2017-11057/0.patch
+git apply $cvePatches/CVE-2017-11600/0.patch
+git apply $cvePatches/CVE-2017-12146/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-5986/0.patch
+git apply $cvePatches/CVE-2017-6001/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6353/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7371/0.patch
+git apply $cvePatches/CVE-2017-7372/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-7616/0.patch
+git apply $cvePatches/CVE-2017-7618/0.patch
+git apply $cvePatches/CVE-2017-8247/0.patch
+git apply $cvePatches/CVE-2017-8251/0.patch
+git apply $cvePatches/CVE-2017-8280/0.patch
+git apply $cvePatches/CVE-2017-9075/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
+git apply $cvePatches/CVE-2017-9686/0.patch
+git apply $cvePatches/CVE-2017-9687/0.patch
+git apply $cvePatches/CVE-2017-9697/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
index 7eed3a9e..c243fe93 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
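Review bot: The explicit patch indices in android_kernel_google_marlin.sh carry information the script does not explain: CVE-2016-2187 is applied from `1.patch` only, while CVE-2016-3865 applies both `0.patch` and `1.patch`. The diffstat lists `CVE-2016-2187/0.patch` with deletions only, which would account for the first case, but a reader of the script alone cannot tell whether a skipped index is a variant for another kernel or an omission. A short comment next to such entries, for example `# CVE-2016-2187: only 1.patch remains after duplicate cleanup` (wording to be confirmed by the author), would make later audits of which fixes this kernel carries easier. The angler and bullhead hunks use the same `CVE-2016-2187/1.patch` entry.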
@@ -1,13 +1,14 @@
 #!/bin/bash
 cd $base"kernel/google/msm"
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3859"/*.patch && echo 'Applied fix for CVE-2016-3859'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2015-1593/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3859/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0751/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
index d91d7e20..452c20e5 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
@@ -1,28 +1,29 @@
 #!/bin/bash
 cd $base"kernel/htc/flounder"
-git apply $cvePatches"CVE-2014-9892"/*.patch && echo 'Applied fix for CVE-2014-9892'
-git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
-git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
-git apply $cvePatches"CVE-2015-8944"/*.patch && echo 'Applied fix for CVE-2015-8944'
-git apply $cvePatches"CVE-2016-0819"/*.patch && echo 'Applied fix for CVE-2016-0819'
-git apply $cvePatches"CVE-2016-8453"/*.patch && echo 'Applied fix for CVE-2016-8453'
-git apply $cvePatches"CVE-2016-8464"/*.patch && echo 'Applied fix for CVE-2016-8464'
-git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0449"/*.patch && echo 'Applied fix for CVE-2017-0449'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-10996"/*.patch && echo 'Applied fix for CVE-2017-10996'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9892/0.patch
+git apply $cvePatches/CVE-2014-9900/0.patch
+git apply $cvePatches/CVE-2015-4177/0.patch
+git apply $cvePatches/CVE-2015-8944/0.patch
+git apply $cvePatches/CVE-2016-0819/0.patch
+git apply $cvePatches/CVE-2016-8453/0.patch
+git apply $cvePatches/CVE-2016-8464/0.patch
+git apply $cvePatches/CVE-2016-8650/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0449/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0794/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-10996/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-5970/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_huawei_angler.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_huawei_angler.sh
index d4b67008..bb459849 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_huawei_angler.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_huawei_angler.sh
@@ -1,54 +1,54 @@
 #!/bin/bash
 cd $base"kernel/huawei/angler"
-git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
-git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
-git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
-git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
-git apply $cvePatches"CVE-2016-0805"/*.patch && echo 'Applied fix for CVE-2016-0805'
-git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
-git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
-git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
-git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
-git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
-git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
-git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
-git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
-git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
-git apply $cvePatches"CVE-2016-3138"/*.patch && echo 'Applied fix for CVE-2016-3138'
-git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
-git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
-git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
-git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
-git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
-git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
-git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
-git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-0824"/*.patch && echo 'Applied fix for CVE-2017-0824'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-8173/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2015-2041/0.patch
+git apply $cvePatches/CVE-2015-4170/0.patch
+git apply $cvePatches/CVE-2015-4177/0.patch
+git apply $cvePatches/CVE-2015-7550/0.patch
+git apply $cvePatches/CVE-2016-0805/0.patch
+git apply $cvePatches/CVE-2016-2063/0.patch
+git apply $cvePatches/CVE-2016-2185/0.patch
+git apply $cvePatches/CVE-2016-2186/0.patch
+git apply $cvePatches/CVE-2016-2187/1.patch
+git apply $cvePatches/CVE-2016-2384/0.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-2545/0.patch
+git apply $cvePatches/CVE-2016-2547/0.patch
+git apply $cvePatches/CVE-2016-2549/0.patch
+git apply $cvePatches/CVE-2016-3070/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3136/0.patch
+git apply $cvePatches/CVE-2016-3137/0.patch
+git apply $cvePatches/CVE-2016-3138/0.patch
+git apply $cvePatches/CVE-2016-3140/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2016-3689/0.patch
+git apply $cvePatches/CVE-2016-5342/0.patch
+git apply $cvePatches/CVE-2016-5345/0.patch
+git apply $cvePatches/CVE-2016-5859/0.patch
+git apply $cvePatches/CVE-2016-5867/0.patch
+git apply $cvePatches/CVE-2016-5870/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0516/0.patch
+git apply $cvePatches/CVE-2017-0523/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-0824/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-6001/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8280/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_bullhead.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_bullhead.sh
index d4070c69..fdb0f295 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_bullhead.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_bullhead.sh
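Review bot: The new list in android_kernel_huawei_angler.sh no longer applies CVE-2017-0436, and no replacement entry for it appears among the added lines; the bullhead hunk drops the same entry. The diffstat shows `CVE-2017-0436/0.patch` with deletions only, and the commit title suggests it duplicated another patch, but nothing in the hunk shows which remaining patch carries that fix for these kernels. If it is covered elsewhere, a comment such as `# CVE-2017-0436: covered by <patch that carries the fix>` would keep the CVE traceable in the script. If it is not, the fix is dropped for angler and bullhead without any message, so this is worth confirming before merge.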
@@ -1,49 +1,49 @@
 #!/bin/bash
 cd $base"kernel/lge/bullhead"
-git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
-git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
-git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
-git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
-git apply $cvePatches"CVE-2016-0805"/*.patch && echo 'Applied fix for CVE-2016-0805'
-git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
-git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
-git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
-git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
-git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
-git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
-git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
-git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
-git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
-git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
-git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
-git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
-git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
-git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
-git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
-git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-8173/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2015-2041/0.patch
+git apply $cvePatches/CVE-2015-4170/0.patch
+git apply $cvePatches/CVE-2015-4177/0.patch
+git apply $cvePatches/CVE-2015-7550/0.patch
+git apply $cvePatches/CVE-2016-0805/0.patch
+git apply $cvePatches/CVE-2016-2063/0.patch
+git apply $cvePatches/CVE-2016-2185/0.patch
+git apply $cvePatches/CVE-2016-2186/0.patch
+git apply $cvePatches/CVE-2016-2187/1.patch
+git apply $cvePatches/CVE-2016-2384/0.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-2545/0.patch
+git apply $cvePatches/CVE-2016-2547/0.patch
+git apply $cvePatches/CVE-2016-2549/0.patch
+git apply $cvePatches/CVE-2016-3070/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3136/0.patch
+git apply $cvePatches/CVE-2016-3137/0.patch
+git apply $cvePatches/CVE-2016-3140/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2016-3689/0.patch
+git apply $cvePatches/CVE-2016-5345/0.patch
+git apply $cvePatches/CVE-2016-5859/0.patch
+git apply $cvePatches/CVE-2016-5867/0.patch
+git apply $cvePatches/CVE-2016-5870/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0516/0.patch
+git apply $cvePatches/CVE-2017-0523/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-6001/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
index 92ac3b2b..983a3042 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
@@ -1,26 +1,27 @@
 #!/bin/bash
 cd $base"kernel/lge/hammerhead"
-git apply $cvePatches"CVE-2014-9881"/*.patch && echo 'Applied fix for CVE-2014-9881'
-git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-5829"/*.patch && echo 'Applied fix for CVE-2016-5829'
-git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
-git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9881/0.patch
+git apply $cvePatches/CVE-2015-1593/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-5829/0.patch
+git apply $cvePatches/CVE-2016-8650/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0611/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0751/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5970/0.patch
+git apply $cvePatches/CVE-2017-6074/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8247/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_mako.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_mako.sh
index c4da7796..349758c5 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_mako.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_mako.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/mako"
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2016-9793"/*.patch && echo 'Applied fix for CVE-2016-9793'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2016-9793/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_moto_shamu.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_moto_shamu.sh
index d74e1e27..38705b58 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_moto_shamu.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_moto_shamu.sh
@@ -1,56 +1,58 @@
 #!/bin/bash
 cd $base"kernel/moto/shamu"
-git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
-git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
-git apply $cvePatches"CVE-2014-9683"/*.patch && echo 'Applied fix for CVE-2014-9683'
-git apply $cvePatches"CVE-2014-9715"/*.patch && echo 'Applied fix for CVE-2014-9715'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2015-1420"/*.patch && echo 'Applied fix for CVE-2015-1420'
-git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
-git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
-git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
-git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
-git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
-git apply $cvePatches"CVE-2015-8967"/*.patch && echo 'Applied fix for CVE-2015-8967'
-git apply $cvePatches"CVE-2016-0758"/*.patch && echo 'Applied fix for CVE-2016-0758'
-git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
-git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
-git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
-git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
-git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
-git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
-git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
-git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
-git apply $cvePatches"CVE-2016-3138"/*.patch && echo 'Applied fix for CVE-2016-3138'
-git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
-git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
-git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
-git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
-git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2016-8464"/*.patch && echo 'Applied fix for CVE-2016-8464'
-git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0824"/*.patch && echo 'Applied fix for CVE-2017-0824'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8269"/*.patch && echo 'Applied fix for CVE-2017-8269'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-8173/0.patch
+git apply $cvePatches/CVE-2014-9420/0.patch
+git apply $cvePatches/CVE-2014-9683/0.patch
+git apply $cvePatches/CVE-2014-9715/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2015-1420/0.patch
+git apply $cvePatches/CVE-2015-1593/0.patch
+git apply $cvePatches/CVE-2015-2041/0.patch
+git apply $cvePatches/CVE-2015-4170/0.patch
+git apply $cvePatches/CVE-2015-4177/0.patch
+git apply $cvePatches/CVE-2015-7550/0.patch
+git apply $cvePatches/CVE-2015-8967/0.patch
+git apply $cvePatches/CVE-2016-0758/0.patch
+git apply $cvePatches/CVE-2016-2185/0.patch
+git apply $cvePatches/CVE-2016-2186/0.patch
+git apply $cvePatches/CVE-2016-2187/1.patch
+git apply $cvePatches/CVE-2016-2384/0.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-2545/0.patch
+git apply $cvePatches/CVE-2016-2547/0.patch
+git apply $cvePatches/CVE-2016-2549/0.patch
+git apply $cvePatches/CVE-2016-3070/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3136/0.patch
+git apply $cvePatches/CVE-2016-3137/0.patch
+git apply $cvePatches/CVE-2016-3138/0.patch
+git apply $cvePatches/CVE-2016-3140/0.patch
+git apply $cvePatches/CVE-2016-3689/0.patch
+git apply $cvePatches/CVE-2016-3865/0.patch
+git apply $cvePatches/CVE-2016-3865/1.patch
+git apply $cvePatches/CVE-2016-5342/0.patch
+git apply $cvePatches/CVE-2016-5870/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2016-8464/0.patch
+git apply $cvePatches/CVE-2016-8650/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0404/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-0627/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0824/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8269/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
index 4281dc3a..0cce021c 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
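Review bot: In android_kernel_moto_shamu.sh, replacing the `*.patch` glob with explicit file names means a patch file added to a CVE directory later is silently skipped until this list is edited, and the numbering is already uneven: `CVE-2016-2187/1.patch` is applied with no `0.patch` beside it, while `CVE-2016-3865` applies both `0.patch` and `1.patch`. The diffstat deletes `CVE-2016-2187/0.patch`, so the gap is presumably intentional, but nothing in the script says so. A short comment above that line, such as `# 0.patch was dropped as a duplicate; 1.patch is the remaining fix` (if that is the reason), would keep a later maintainer from "correcting" the file name and losing the fix.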
@@ -1,22 +1,25 @@
 #!/bin/bash
 cd $base"kernel/motorola/msm8916"
-git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
-git apply $cvePatches"CVE-2015-8967"/*.patch && echo 'Applied fix for CVE-2015-8967'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
-git apply $cvePatches"CVE-2016-3902"/*.patch && echo 'Applied fix for CVE-2016-3902'
-git apply $cvePatches"CVE-2016-5858"/*.patch && echo 'Applied fix for CVE-2016-5858'
-git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
-git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9420/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2015-1593/0.patch
+git apply $cvePatches/CVE-2015-8967/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3137/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2016-3865/0.patch
+git apply $cvePatches/CVE-2016-3865/1.patch
+git apply $cvePatches/CVE-2016-3902/0.patch
+git apply $cvePatches/CVE-2016-5858/0.patch
+git apply $cvePatches/CVE-2016-5858/1.patch
+git apply $cvePatches/CVE-2016-5859/0.patch
+git apply $cvePatches/CVE-2016-5867/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0794/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
index 76c32d42..14738f71 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
@@ -1,79 +1,81 @@
 #!/bin/bash
 cd $base"kernel/motorola/msm8992"
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2016-0758"/*.patch && echo 'Applied fix for CVE-2016-0758'
-git apply $cvePatches"CVE-2016-10200"/*.patch && echo 'Applied fix for CVE-2016-10200'
-git apply $cvePatches"CVE-2016-10230"/*.patch && echo 'Applied fix for CVE-2016-10230'
-git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
-git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
-git apply $cvePatches"CVE-2016-3902"/*.patch && echo 'Applied fix for CVE-2016-3902'
-git apply $cvePatches"CVE-2016-3907"/*.patch && echo 'Applied fix for CVE-2016-3907'
-git apply $cvePatches"CVE-2016-5346"/*.patch && echo 'Applied fix for CVE-2016-5346'
-git apply $cvePatches"CVE-2016-5347"/*.patch && echo 'Applied fix for CVE-2016-5347'
-git apply $cvePatches"CVE-2016-5853"/*.patch && echo 'Applied fix for CVE-2016-5853'
-git apply $cvePatches"CVE-2016-5858"/*.patch && echo 'Applied fix for CVE-2016-5858'
-git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
-git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-6681"/*.patch && echo 'Applied fix for CVE-2016-6681'
-git apply $cvePatches"CVE-2016-6751"/*.patch && echo 'Applied fix for CVE-2016-6751'
-git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
-git apply $cvePatches"CVE-2016-8417"/*.patch && echo 'Applied fix for CVE-2016-8417'
-git apply $cvePatches"CVE-2016-8444"/*.patch && echo 'Applied fix for CVE-2016-8444'
-git apply $cvePatches"CVE-2016-8479"/*.patch && echo 'Applied fix for CVE-2016-8479'
-git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
-git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
-git apply $cvePatches"CVE-2017-0452"/*.patch && echo 'Applied fix for CVE-2017-0452'
-git apply $cvePatches"CVE-2017-0460"/*.patch && echo 'Applied fix for CVE-2017-0460'
-git apply $cvePatches"CVE-2017-0463"/*.patch && echo 'Applied fix for CVE-2017-0463'
-git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
-git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
-git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
-git apply $cvePatches"CVE-2017-0604"/*.patch && echo 'Applied fix for CVE-2017-0604'
-git apply $cvePatches"CVE-2017-0606"/*.patch && echo 'Applied fix for CVE-2017-0606'
-git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
-git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
-git apply $cvePatches"CVE-2017-0631"/*.patch && echo 'Applied fix for CVE-2017-0631'
-git apply $cvePatches"CVE-2017-0746"/*.patch && echo 'Applied fix for CVE-2017-0746'
-git apply $cvePatches"CVE-2017-0748"/*.patch && echo 'Applied fix for CVE-2017-0748'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
-git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-10997"/*.patch && echo 'Applied fix for CVE-2017-10997'
-git apply $cvePatches"CVE-2017-10998"/*.patch && echo 'Applied fix for CVE-2017-10998'
-git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
-git apply $cvePatches"CVE-2017-11056"/*.patch && echo 'Applied fix for CVE-2017-11056'
-git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
-git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
-git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
-git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
-git apply $cvePatches"CVE-2017-7369"/*.patch && echo 'Applied fix for CVE-2017-7369'
-git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8242"/*.patch && echo 'Applied fix for CVE-2017-8242'
-git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
-git apply $cvePatches"CVE-2017-8251"/*.patch && echo 'Applied fix for CVE-2017-8251'
-git apply $cvePatches"CVE-2017-8260"/*.patch && echo 'Applied fix for CVE-2017-8260'
-git apply $cvePatches"CVE-2017-8265"/*.patch && echo 'Applied fix for CVE-2017-8265'
-git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
-git apply $cvePatches"CVE-2017-9075"/*.patch && echo 'Applied fix for CVE-2017-9075'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
-git apply $cvePatches"CVE-2017-9693"/*.patch && echo 'Applied fix for CVE-2017-9693'
-git apply $cvePatches"CVE-2017-9694"/*.patch && echo 'Applied fix for CVE-2017-9694'
-git apply $cvePatches"CVE-2017-9720"/*.patch && echo 'Applied fix for CVE-2017-9720'
-git apply $cvePatches"CVE-2017-9724"/*.patch && echo 'Applied fix for CVE-2017-9724'
-git apply $cvePatches"CVE-2017-9725"/*.patch && echo 'Applied fix for CVE-2017-9725'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2016-0758/0.patch
+git apply $cvePatches/CVE-2016-10200/0.patch
+git apply $cvePatches/CVE-2016-10230/0.patch
+git apply $cvePatches/CVE-2016-2063/0.patch
+git apply $cvePatches/CVE-2016-3070/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2016-3865/0.patch
+git apply $cvePatches/CVE-2016-3865/1.patch
+git apply $cvePatches/CVE-2016-3902/0.patch
+git apply $cvePatches/CVE-2016-3907/0.patch
+git apply $cvePatches/CVE-2016-5346/0.patch
+git apply $cvePatches/CVE-2016-5347/0.patch
+git apply $cvePatches/CVE-2016-5853/0.patch
+git apply $cvePatches/CVE-2016-5858/0.patch
+git apply $cvePatches/CVE-2016-5858/1.patch
+git apply $cvePatches/CVE-2016-5859/0.patch
+git apply $cvePatches/CVE-2016-5867/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-6682/0.patch
+git apply $cvePatches/CVE-2016-6751/0.patch
+git apply $cvePatches/CVE-2016-6753/0.patch
+git apply $cvePatches/CVE-2016-8417/0.patch
+git apply $cvePatches/CVE-2016-8444/0.patch
+git apply $cvePatches/CVE-2016-8479/0.patch
+git apply $cvePatches/CVE-2016-8650/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0404/0.patch
+git apply $cvePatches/CVE-2017-0452/0.patch
+git apply $cvePatches/CVE-2017-0460/0.patch
+git apply $cvePatches/CVE-2017-0463/0.patch
+git apply $cvePatches/CVE-2017-0516/0.patch
+git apply $cvePatches/CVE-2017-0523/0.patch
+git apply $cvePatches/CVE-2017-0537/0.patch
+git apply $cvePatches/CVE-2017-0604/0.patch
+git apply $cvePatches/CVE-2017-0606/0.patch
+git apply $cvePatches/CVE-2017-0611/0.patch
+git apply $cvePatches/CVE-2017-0627/0.patch
+git apply $cvePatches/CVE-2017-0631/0.patch
+git apply $cvePatches/CVE-2017-0746/0.patch
+git apply $cvePatches/CVE-2017-0748/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0751/0.patch
+git apply $cvePatches/CVE-2017-0794/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-10997/0.patch
+git apply $cvePatches/CVE-2017-10998/0.patch
+git apply $cvePatches/CVE-2017-11048/0.patch
+git apply $cvePatches/CVE-2017-11056/0.patch
+git apply $cvePatches/CVE-2017-11059/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-2671/0.patch
+git apply $cvePatches/CVE-2017-5669/0.patch
+git apply $cvePatches/CVE-2017-5970/0.patch
+git apply $cvePatches/CVE-2017-6074/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-6951/0.patch
+git apply $cvePatches/CVE-2017-7369/0.patch
+git apply $cvePatches/CVE-2017-7472/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8242/0.patch
+git apply $cvePatches/CVE-2017-8247/0.patch
+git apply $cvePatches/CVE-2017-8251/0.patch
+git apply $cvePatches/CVE-2017-8260/0.patch
+git apply $cvePatches/CVE-2017-8265/0.patch
+git apply $cvePatches/CVE-2017-8280/0.patch
+git apply $cvePatches/CVE-2017-9075/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
+git apply $cvePatches/CVE-2017-9693/0.patch
+git apply $cvePatches/CVE-2017-9694/0.patch
+git apply $cvePatches/CVE-2017-9720/0.patch
+git apply $cvePatches/CVE-2017-9724/0.patch
+git apply $cvePatches/CVE-2017-9725/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_nextbit_msm8992.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_nextbit_msm8992.sh
index 61fdb67d..d3f578aa 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_nextbit_msm8992.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_nextbit_msm8992.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 cd $base"kernel/nextbit/msm8992"
-git apply $cvePatches"CVE-2014-9904"/*.patch && echo 'Applied fix for CVE-2014-9904'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9904/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
index be5db34d..cfd99b51 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
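Review bot: In android_kernel_motorola_msm8992.sh the rewrite changes which fixes are applied, not only how they are invoked: the `CVE-2017-0436` entry is removed with no replacement visible in the hunk, and `CVE-2016-6681` becomes `CVE-2016-6682`. The diffstat shows `CVE-2017-0436/0.patch` and `CVE-2016-6681/0.patch` deleted as duplicates, so the fixes are presumably still carried by another entry, but nothing in the script says which one. A comment next to the surviving entry, for example `# same patch also fixes CVE-2016-6681` on the `CVE-2016-6682` line (if that is the case), would let someone auditing coverage for this kernel confirm it without comparing patch contents.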
@@ -1,23 +1,24 @@
 #!/bin/bash
 cd $base"kernel/oneplus/msm8974"
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2014-9880"/*.patch && echo 'Applied fix for CVE-2014-9880'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
-git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
-git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
-git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
-git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-11000"/*.patch && echo 'Applied fix for CVE-2017-11000'
-git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
-git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
-git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
-git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
-git apply $cvePatches"CVE-2017-9706"/*.patch && echo 'Applied fix for CVE-2017-9706'
-git apply $cvePatches"CVE-2017-9725"/*.patch && echo 'Applied fix for CVE-2017-9725'
+git apply $cvePatches/CVE-2012-6703/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2014-9880/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-3672/0.patch
+git apply $cvePatches/CVE-2016-6672/0.patch
+git apply $cvePatches/CVE-2016-8404/0.patch
+git apply $cvePatches/CVE-2017-0750/0.patch
+git apply $cvePatches/CVE-2017-0751/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-11000/0.patch
+git apply $cvePatches/CVE-2017-11048/0.patch
+git apply $cvePatches/CVE-2017-11059/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
+git apply $cvePatches/CVE-2017-8247/0.patch
+git apply $cvePatches/CVE-2017-9242/0.patch
+git apply $cvePatches/CVE-2017-9706/0.patch
+git apply $cvePatches/CVE-2017-9725/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_smdk4412.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_smdk4412.sh
index ca60881c..4f0d07b6 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_smdk4412.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_smdk4412.sh
@@ -1,31 +1,31 @@
 #!/bin/bash
 cd $base"kernel/samsung/smdk4412"
-git apply $cvePatches"CVE-2014-1739"/*.patch && echo 'Applied fix for CVE-2014-1739'
-git apply $cvePatches"CVE-2014-4656"/*.patch && echo 'Applied fix for CVE-2014-4656'
-git apply $cvePatches"CVE-2014-7822"/*.patch && echo 'Applied fix for CVE-2014-7822'
-git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
-git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
-git apply $cvePatches"CVE-2014-9870"/*.patch && echo 'Applied fix for CVE-2014-9870'
-git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
-git apply $cvePatches"CVE-2015-8944"/*.patch && echo 'Applied fix for CVE-2015-8944'
-git apply $cvePatches"CVE-2016-0819"/*.patch && echo 'Applied fix for CVE-2016-0819'
-git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
-git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
-git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
-git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
-git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
-git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
-git apply $cvePatches"CVE-2017-0403"/*.patch && echo 'Applied fix for CVE-2017-0403'
-git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
-git apply $cvePatches"CVE-2017-0430"/*.patch && echo 'Applied fix for CVE-2017-0430'
-git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
-git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
-git apply $cvePatches"CVE-2017-10662"/*.patch && echo 'Applied fix for CVE-2017-10662'
-git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
-git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
-git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
-git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
-git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
-git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
-git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
+git apply $cvePatches/CVE-2014-1739/0.patch
+git apply $cvePatches/CVE-2014-4656/0.patch
+git apply $cvePatches/CVE-2014-7822/0.patch
+git apply $cvePatches/CVE-2014-9420/0.patch
+git apply $cvePatches/CVE-2014-9781/0.patch
+git apply $cvePatches/CVE-2014-9870/0.patch
+git apply $cvePatches/CVE-2014-9900/0.patch
+git apply $cvePatches/CVE-2015-8944/0.patch
+git apply $cvePatches/CVE-2016-0819/0.patch
+git apply $cvePatches/CVE-2016-2185/0.patch
+git apply $cvePatches/CVE-2016-2186/0.patch
+git apply $cvePatches/CVE-2016-2544/0.patch
+git apply $cvePatches/CVE-2016-3134/0.patch
+git apply $cvePatches/CVE-2016-6753/0.patch
+git apply $cvePatches/CVE-2016-9604/0.patch
+git apply $cvePatches/CVE-2017-0403/0.patch
+git apply $cvePatches/CVE-2017-0404/0.patch
+git apply $cvePatches/CVE-2017-0430/0.patch
+git apply $cvePatches/CVE-2017-0786/0.patch
+git apply $cvePatches/CVE-2017-1000365/0.patch
+git apply $cvePatches/CVE-2017-10662/0.patch
+git apply $cvePatches/CVE-2017-12153/0.patch
+git apply $cvePatches/CVE-2017-15265/0.patch
+git apply $cvePatches/CVE-2017-2618/0.patch
+git apply $cvePatches/CVE-2017-6074/0.patch
+git apply $cvePatches/CVE-2017-6345/0.patch
+git apply $cvePatches/CVE-2017-6348/0.patch
+git apply $cvePatches/CVE-2017-7487/0.patch
 cd $base