While processing a packet containing command request, buffer size
need to be checked against size of the command structures that is
being parsed to prevent possible out of bound access.
CRs-Fixed: 2432633
Change-Id: I048bdbd0c096a6d03501bdd5b1d2d4bb50d45dd6
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Prevent possible out of bound access due to missing length check
while extracting dci packet response by adding proper checks.
CRs-Fixed: 2434571
Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Initialization of channel's local state is not done at the time of
fetching context from list of channels. This leads to race condition
if remote close happens during this time. Remote close will check if
local state is not open then delete channel from list. This leads to
use after free scenerio.
Initialize local state at the time of fetching channel context from
list of channels.
CRs-Fixed: 2155992
Change-Id: If113daba129191bd67ef2460eb4e87c2d5614403
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Check the size of ADSP payload before accessing it.
CRs-Fixed: 2380694
Change-Id: Icdc19a85b39a397ba6d7177f42ece4626b901832
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
If video state set to DEINIT before processing all frame done
packets in the list may create video failures as explained below,
the client communication to video hardware will fail because of
DEINIT state and client will close the session upon failure which
will happen in parallel to response thread processing the response
packets in the list. It may happen that client already free'd the
buffer references and response thread might access the same buffer
reference and results in use-after-free memory fault. So In case
of sys error from video hardware, set video state to DEINIT after
processing all packets in the list to avoid use-after-free failure
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Currently, if processing an SG table consumes more memory
than can fit in the pre-allocated buffer, then calls to
hyp_assign_table() will fail as if there were not enough
memory available to process the request.
Instead, for every call to hyp assign, allocate enough
memory to process the maximum batch size, and process large
SG tables in pieces, using this memory. This avoids failures
due to large SG tables. Also, since the memory for handling
these requests is now allocated per hyp_assign_table() call,
we can drop the pre-allocated buffer, as it is no longer in
use.
Change-Id: Ie9899a5e2c8de6127707609101f5fb557e3f0533
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
No need to process response messages from video hardware
after device went into invalid state. Processing responses
may result in use-after-free memory fault because client
might free all the resources after error.
Change-Id: I3bfb26e5aa52aba33b7b62cda7820dcbc5fe033f
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
If video state set to DEINIT before processing all frame done
packets in the list may create video failures as explained below,
the client communication to video hardware will fail because of
DEINIT state and client will close the session upon failure which
will happen in parallel to response thread processing the response
packets in the list. It may happen that client already free'd the
buffer references and response thread might access the same buffer
reference and results in use-after-free memory fault. So In case
of sys error from video hardware, set video state to DEINIT after
processing all packets in the list to avoid use-after-free failure
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Payload size validity is not checked before using it in array index.
Check payload size to avoid out-of-boundary memory.
Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
As per regulatory master sheet, JM maps to FCC13 for 5GHz. For FCC13,
there is no radar detect pattern. Therefore, Remove DFS flag for JM.
CRs-Fixed: 2177739
Change-Id: I2dee046369ea4c3bd8feffbf97dbf40bea2137b6
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Initialization of channel's local state is not done at the time of
fetching context from list of channels. This leads to race condition
if remote close happens during this time. Remote close will check if
local state is not open then delete channel from list. This leads to
use after free scenerio.
Initialize local state at the time of fetching channel context from
list of channels.
CRs-Fixed: 2155992
Change-Id: If113daba129191bd67ef2460eb4e87c2d5614403
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.
Bug: 114041685
Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
For production, we shouldn't have any trace_printk entries
Change-Id: I48e9fabdbbb8da595db350630463bb065a8a6ff7
(cherry picked from commit 99bb9adb91b350bd7ec09c9018eb0901687d85a4)
Signed-off-by: celtare21 <celtare21@gmail.com>
Payload size is not checked before payload access. Check it
to avoid out-of-boundary memory access.
Change-Id: Iaa39ee4ea5489bb5579e7b7d5dfada12d88c5809
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.
CR-Fixed: 2359244
Change-Id: I4d789bc6017ff58458f77fe875ca4e175a4f1357
Signed-off-by: Chris Lew <clew@codeaurora.org>
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Validate buffer index obtained from ADSP token before using it.
CRs-Fixed: 2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
Token from DSP might be invalid for array index. Validate the
token before being used as array index.
Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
There can be many ice instances present in dtsi file but
not all of them will be initialized by storage driver.
Check if crypto instance is initialized before setting
it up for data encryption/decryption usage.
Change-Id: I7c9227007474052513b277dec5963a973781c524
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
Payload size is not checked before payload access. Check size
to avoid out-of-boundary memory access.
Change-Id: Iaa39ee4ea5489bb5579e7b7d5dfada12d88c5809
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
kgsl_context_init() prints error message continuously if a process
tries to create more number of contexts that KGSL supports.
This hogs CPU and might lead to watchdog timeout.
Reduce this log frequency by using KGSL_DRV_ERR_RATELIMIT().
Change-Id: I7e3a5d3db41ab0c60d1b6b620cbcdef96d5c21a9
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Check size of payload before access in q6usm_mmapcallback.
Change-Id: Iff0672532c2ea40e7129237a92d8365d6b554cf2
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Opening of multiple instance of voice_svc user space from app will
lead to pointer deference of private data within apr callback. As
multi-instance not supported added check to deny open() from user
space if previous instance hasn't been closed.
Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
Check size of payload array before access in q6usm_callback.
Change-Id: Id0c85209a053f9dfdb53133aeb6b2510ecf18eb8
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
The current design of hrtimers migrates the pinned timers to a
different CPU upon its hotplug. However, perf-core needs to
maintain the mux-hrtimers on a per CPU basis. That is, each
hrtimer carries the context for that particular CPU and would
lose this context if it gets migrated to a different CPU. As a
result, cancel the hrtimer for the CPU that's about to go down
and restart it (if required) when the perf-events are being created.
Change-Id: I7a1d0456208855e3a99a7d49e59c6dae811d146e
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
[mojha@codeaurora.org: Resolved merge conflict and added missing
`cpuctx` variable to avoid build failure]
Signed-off-by: Mukesh Ojha <mojha@codeaurora.org>
Payload length must exceed structure size. Otherwise, it may
lead to out-of-boundary memory access.
Change-Id: I090de5116ab04a4ca2b9c485e17617fe9e861ad5
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Check buffer size in qdsp_cvs_callback before access in
ul_pkt.
Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().
The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and bail out of binder_alloc_free_page() if it
has changed to NULL.
Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit 7257eac9401f989a62503b6c12a47af1b10591d1)
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.
This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.
Bug: 116855682
Change-Id: I0b38089f6fdb1adbf7e1102747e4119c9a05b191
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c3d21ec4d4fb68baf47248dfe0e0ce0080fd7bcc)
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.4: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I06728150aefd0fffbdb6bd7cbce0858221ff6f74
(cherry picked from commit 62a28a64d87fbdce5c0a988b440a4ae6dd37b41e)
