DivestOS/Patches/Linux_CVEs/CVE-2016-5340/ANY/0.patch

From 06e51489061e5473b4e2035c79dcf7c27a6f75a6 Mon Sep 17 00:00:00 2001
From: Sunil Khatri <sunilkh@codeaurora.org>
Date: Wed, 22 Jun 2016 14:45:31 +0530
Subject: ashmem: Validate ashmem memory with fops pointer

Validate the ashmem memory entry against f_op pointer
rather then comparing its name with path of the dentry.

This is to avoid any invalid access to ashmem area in cases
where some one deliberately set the dentry name to /ashmem.

Change-Id: I74e50cd244f68cb13009cf2355e528485f4de34b
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
---
 drivers/staging/android/ashmem.c | 42 +++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 808acd4..ee79ac8 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -766,11 +766,28 @@ static long compat_ashmem_ioctl(struct file *file, unsigned int cmd, unsigned lo
 }
 #endif
 
+static const struct file_operations ashmem_fops = {
+	.owner = THIS_MODULE,
+	.open = ashmem_open,
+	.release = ashmem_release,
+	.read = ashmem_read,
+	.llseek = ashmem_llseek,
+	.mmap = ashmem_mmap,
+	.unlocked_ioctl = ashmem_ioctl,
+#ifdef CONFIG_COMPAT
+	.compat_ioctl = compat_ashmem_ioctl,
+#endif
+};
+
+static struct miscdevice ashmem_misc = {
+	.minor = MISC_DYNAMIC_MINOR,
+	.name = "ashmem",
+	.fops = &ashmem_fops,
+};
+
 static int is_ashmem_file(struct file *file)
 {
-	char fname[256], *name;
-	name = dentry_path(file->f_dentry, fname, 256);
-	return strcmp(name, "/ashmem") ? 0 : 1;
+	return (file->f_op == &ashmem_fops);
 }
 
 int get_ashmem_file(int fd, struct file **filp, struct file **vm_file,
@@ -819,25 +836,6 @@ void put_ashmem_file(struct file *file)
 }
 EXPORT_SYMBOL(put_ashmem_file);
 
-static const struct file_operations ashmem_fops = {
-	.owner = THIS_MODULE,
-	.open = ashmem_open,
-	.release = ashmem_release,
-	.read = ashmem_read,
-	.llseek = ashmem_llseek,
-	.mmap = ashmem_mmap,
-	.unlocked_ioctl = ashmem_ioctl,
-#ifdef CONFIG_COMPAT
-	.compat_ioctl = compat_ashmem_ioctl,
-#endif
-};
-
-static struct miscdevice ashmem_misc = {
-	.minor = MISC_DYNAMIC_MINOR,
-	.name = "ashmem",
-	.fops = &ashmem_fops,
-};
-
 static int __init ashmem_init(void)
 {
 	int ret;
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 06e51489061e5473b4e2035c79dcf7c27a6f75a6 Mon Sep 17 00:00:00 2001`
			`From: Sunil Khatri <sunilkh@codeaurora.org>`
			`Date: Wed, 22 Jun 2016 14:45:31 +0530`
			`Subject: ashmem: Validate ashmem memory with fops pointer`

			`Validate the ashmem memory entry against f_op pointer`
			`rather then comparing its name with path of the dentry.`

			`This is to avoid any invalid access to ashmem area in cases`
			`where some one deliberately set the dentry name to /ashmem.`

			`Change-Id: I74e50cd244f68cb13009cf2355e528485f4de34b`
			`Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>`
			`---`
			`drivers/staging/android/ashmem.c \| 42 +++++++++++++++++++---------------------`
			`1 file changed, 20 insertions(+), 22 deletions(-)`

			`diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c`
			`index 808acd4..ee79ac8 100644`
			`--- a/drivers/staging/android/ashmem.c`
			`+++ b/drivers/staging/android/ashmem.c`
			`@@ -766,11 +766,28 @@ static long compat_ashmem_ioctl(struct file *file, unsigned int cmd, unsigned lo`
			`}`
			`#endif`

			`+static const struct file_operations ashmem_fops = {`
			`+ .owner = THIS_MODULE,`
			`+ .open = ashmem_open,`
			`+ .release = ashmem_release,`
			`+ .read = ashmem_read,`
			`+ .llseek = ashmem_llseek,`
			`+ .mmap = ashmem_mmap,`
			`+ .unlocked_ioctl = ashmem_ioctl,`
			`+#ifdef CONFIG_COMPAT`
			`+ .compat_ioctl = compat_ashmem_ioctl,`
			`+#endif`
			`+};`
			`+`
			`+static struct miscdevice ashmem_misc = {`
			`+ .minor = MISC_DYNAMIC_MINOR,`
			`+ .name = "ashmem",`
			`+ .fops = &ashmem_fops,`
			`+};`
			`+`
			`static int is_ashmem_file(struct file *file)`
			`{`
			`- char fname[256], *name;`
			`- name = dentry_path(file->f_dentry, fname, 256);`
			`- return strcmp(name, "/ashmem") ? 0 : 1;`
			`+ return (file->f_op == &ashmem_fops);`
			`}`

			`int get_ashmem_file(int fd, struct file filp, struct file vm_file,`
			`@@ -819,25 +836,6 @@ void put_ashmem_file(struct file *file)`
			`}`
			`EXPORT_SYMBOL(put_ashmem_file);`

			`-static const struct file_operations ashmem_fops = {`
			`- .owner = THIS_MODULE,`
			`- .open = ashmem_open,`
			`- .release = ashmem_release,`
			`- .read = ashmem_read,`
			`- .llseek = ashmem_llseek,`
			`- .mmap = ashmem_mmap,`
			`- .unlocked_ioctl = ashmem_ioctl,`
			`-#ifdef CONFIG_COMPAT`
			`- .compat_ioctl = compat_ashmem_ioctl,`
			`-#endif`
			`-};`
			`-`
			`-static struct miscdevice ashmem_misc = {`
			`- .minor = MISC_DYNAMIC_MINOR,`
			`- .name = "ashmem",`
			`- .fops = &ashmem_fops,`
			`-};`
			`-`
			`static int __init ashmem_init(void)`
			`{`
			`int ret;`
			`--`
			`cgit v1.1`