commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Change-Id: Icedffeb8d406351675f5195fdd9000a644d07b95
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These contribute to a great amount of idle drain.
Tests: 30 minutes of playing Spotify with the screen off, unplugged.
Change-Id: Ibe62c631fd93de99d71d56ee6cb2387571f71d34
Signed-off-by: Tyler Nijmeh <tylernij@gmail.com>
currently only NULL pointer check is used to validate the return
value from clkget this change to handle all the failures.
Change-Id: I275cb4717c675baf528e05c50058f2c6b0025011
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421611
Change-Id: Ifed71c506a26105eac3db9ee35f086d7dbf5a3a3
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
When processing WAN_IOC_SEND_LAN_CLIENT_MSG ioctl there is a possibility
of message_type being invalid and this can lead to out of buffer error.
Make a change to validate the ioctl params before processing.
Change-Id: If7955f77863b772ae1c8feda5ca0145c822403b9
Signed-off-by: Chaitanya Pratapa <cpratapa@codeaurora.org>
Proper buffer length checks are missing in diagchar_write
handlers for userspace data while processing the same buffer.
Change-Id: I5b8095766e09c22f164398089505fe827fee8b54
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Disconnect or deauthenticate when the owning socket is closed if this
flag is supplied to CMD_CONNECT or CMD_ASSOCIATE. This may be used
to ensure userspace daemon doesn't leave an unmanaged connection behind.
In some situations it would be possible to account for that, to some
degree, in the deamon restart code or in the up/down scripts without
the use of this attribute. But there will be systems where the daemon
can go away for varying periods without a warning due to local resource
management.
Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 36a554cec119bbd20c4ec0cb96bd4712d124bfea
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
Change-Id: Ic09ee323fc6215059d5c2572ba3e77c56addad32
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
The region index for bivcm is not validated against the region size.
This causes out-of-bound read on the KASAN kernel.
Add restriction that region index smaller than region size.
CRs-Fixed: 2379514
Change-Id: I72c4a41a4b41c8fa70c174ffd3215a81eaa14355
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Add check for minimum length before typecasting to build mask
structure to prevent out of bound access.
CRs-Fixed: 2431005
Change-Id: I97b439ead62c8a67869c9209442ef771308f2d3f
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421602
Change-Id: I947ed5b0fe5705e5223d75b0ea8aafb36113ca5a
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Since DSP is not supposed to modify the base pointer rpra of the
input/output arguments offloaded to DSP, maintain a local copy of
the pointer and use it after receiving interrupt from DSP.
Change-Id: I4afade7184cb2aca148060fb0cda06c6174f3b55
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
* This change makes WiFi report invalid signal strength.
This reverts commit be468730d315e973e9936da275b06600d0ce276c.
Change-Id: I01094049520ea706c27e00f316539f9d9d53bbc7
* Makes the device get stuck on splash screen
when booting in offline charging mode.
This reverts commit b03b261cfc.
Change-Id: I79fc04a43a7995c1015464b2d3c481200ddcaf8d
Add proper check for validating the IP type while
sending request for ul-filter-rule install.
Change-Id: I170230310884f176cf41d5ae20287f6d74a4bc29
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
Add support for 16ch playback and record usecase support
for primary and quaternary TDM ports.
Add mixer controls to set slot width, slot mapping and
calculate bit clock dynamically. Set bit clock for all
TDM ports dynamically.
Change-Id: I9d356d61f29ba18dd77138bd895139042a3c01f6
Signed-off-by: Dhanalakshmi Siddani <dsiddani@codeaurora.org>
Update max channels supported for TDM ports from 8 to 16.
Update pcm driver to support 32 channels and 32bit format.
Change-Id: I3d3b42983fff22e0102b9eb2aaca1a5698820605
Signed-off-by: Dhanalakshmi Siddani <dsiddani@codeaurora.org>
