evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers
History
Tomi Valkeinen 937b51457b fbdev/omapfb: fix omapfb_memory_read infoleak 
commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream.

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:31 +02:00
..
accessibility
acpi ACPI / PM: save NVS memory for ASUS 1025C laptop 2018-08-22 07:48:37 +02:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android binder: add missing binder_unlock() 2018-02-28 10:17:23 +01:00
ata ata: libahci: Correct setting of DEVSLP register 2018-09-19 22:48:58 +02:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base x86/speculation/l1tf: Add sysfs reporting for l1tf 2018-08-15 17:42:09 +02:00
bcma
block floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl 2018-10-10 08:52:07 +02:00
bluetooth Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 2018-10-10 08:52:04 +02:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status 2018-09-05 09:18:41 +02:00
char tpm: fix race condition in tpm_common_write() 2018-08-15 17:42:04 +02:00
clk clk: imx6ul: fix missing of_node_put() 2018-09-26 08:35:05 +02:00
clocksource clocksource/drivers/fsl_ftm_timer: Fix error return checking 2018-05-30 07:49:01 +02:00
connector
cpufreq cpufreq: Fix new policy initialization during limits updates via sysfs 2018-07-03 11:21:26 +02:00
cpuidle cpuidle: powernv: Fix promotion from snooze if next state disabled 2018-07-03 11:21:29 +02:00
crypto crypto: mxs-dcp - Fix wait logic on chan threads 2018-10-10 08:52:13 +02:00
dca
devfreq
dio
dma dmaengine: pl330: fix irq race with terminate_all 2018-09-26 08:35:05 +02:00
dma-buf
edac EDAC, i7core: Fix memleaks and use-after-free on probe and remove 2018-10-10 08:52:06 +02:00
eisa
extcon
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware firmware: dmi_scan: Fix handling of empty DMI strings 2018-05-30 07:48:56 +02:00
fmc
fpga
gpio gpio: adp5588: Fix sleep-in-atomic-context bug 2018-10-10 08:52:10 +02:00
gpu drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS 2018-10-10 08:52:12 +02:00
hid HID: hid-ntrig: add error handling for sysfs_create_group 2018-10-10 08:52:06 +02:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: fix build warning 2018-02-25 11:03:46 +01:00
hwmon hwmon: (adt7475) Make adt7475_read_word() return errors 2018-10-10 08:52:09 +02:00
hwspinlock
hwtracing coresight: tpiu: Fix disabling timeouts 2018-09-26 08:35:09 +02:00
i2c i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP 2018-10-10 08:52:11 +02:00
ide cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio iio: ad9523: Fix return value for ad952x_store() 2018-09-09 20:04:33 +02:00
infiniband RDMA/ucma: check fd type in ucma_migrate_id() 2018-10-10 08:52:12 +02:00
input Input: elantech - enable middle button of touchpad on ThinkPad P72 2018-10-10 08:52:08 +02:00
iommu iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register 2018-09-26 08:35:04 +02:00
ipack
irqchip irqchip/gic: Make interrupt ID 1020 invalid 2018-09-15 09:40:41 +02:00
isdn isdn: Disable IIOCDBGVAR 2018-08-22 07:48:38 +02:00
leds leds: pca955x: Correct I2C Functionality 2018-04-13 19:50:09 +02:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox
mcb
md dm thin metadata: fix __udivdi3 undefined on 32-bit 2018-10-10 08:52:13 +02:00
media media: v4l: event: Prevent freeing event subscriptions while accessed 2018-10-10 08:52:10 +02:00
memory memory: tegra: Apply interrupts mask per SoC 2018-08-06 16:24:38 +02:00
memstick
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd mfd: ti_am335x_tscadc: Fix struct clk memory leak 2018-09-19 22:48:59 +02:00
misc vmci: type promotion bug in qp_host_get_user_memory() 2018-10-10 08:52:03 +02:00
mmc mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register 2018-05-30 07:48:51 +02:00
mtd mtdchar: fix overflows in adjustment of count 2018-09-26 08:35:08 +02:00
net r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED 2018-10-10 08:52:12 +02:00
nfc NFC: nfcmrvl: double free on error path 2018-03-22 09:23:23 +01:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm linvdimm, pmem: Preserve read-only setting for pmem devices 2018-07-03 11:21:31 +02:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem
of of: unittest: for strings, account for trailing \0 in property length field 2018-07-03 11:21:29 +02:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport: sunbpp: fix error return code 2018-09-26 08:35:09 +02:00
pci PCI: mvebu: Fix I/O space end address calculation 2018-09-15 09:40:39 +02:00
pcmcia
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy
pinctrl pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant 2018-09-26 08:35:10 +02:00
platform platform/x86: alienware-wmi: Correct a memory leak 2018-09-29 03:08:51 -07:00
pnp
power power: vexpress: fix corruption in notifier registration 2018-10-10 08:52:04 +02:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: fix missing break in switch 2018-07-25 10:18:17 +02:00
pwm pwm: tiehrpwm: Fix disabling of output of PWMs 2018-09-09 20:04:35 +02:00
rapidio
ras
regulator regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops 2018-08-06 16:24:35 +02:00
remoteproc
reset
rpmsg
rtc rtc: bq4802: add error handling for devm_ioremap 2018-09-26 08:35:09 +02:00
s390 s390/qeth: don't dump past end of unknown HW header 2018-10-10 08:52:12 +02:00
sbus
scsi scsi: bnx2i: add error handling for ioremap_nocache 2018-10-10 08:52:06 +02:00
sfi
sh
sn
soc
spi spi: rspi: Fix interrupted DMA transfers 2018-10-10 08:52:07 +02:00
spmi
ssb
staging staging: android: ashmem: Fix mmap size validation 2018-10-10 08:52:06 +02:00
target scsi: target: iscsi: Use bin2hex instead of a re-implementation 2018-10-10 08:52:08 +02:00
tc
thermal thermal: of-thermal: disable passive polling when thermal zone is disabled 2018-10-10 08:52:08 +02:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty serial: imx: restore handshaking irq for imx1 2018-10-10 08:52:08 +02:00
uio uio: potential double frees if __uio_register_device() fails 2018-09-19 22:48:57 +02:00
usb USB: yurex: Check for truncation in yurex_read() 2018-10-10 08:52:12 +02:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost_net: validate sock before trying to put its fd 2018-07-22 14:25:53 +02:00
video fbdev/omapfb: fix omapfb_memory_read infoleak 2018-10-13 09:11:31 +02:00
virt
virtio virtio_balloon: fix another race between migration and ballooning 2018-08-06 16:24:42 +02:00
vlynq
vme
w1 1wire: family module autoload fails because of upper/lower case mismatch. 2018-07-03 11:21:27 +02:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage 2018-10-10 08:52:13 +02:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile