DivestOS/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch

From a599a7a83745820b3e1bee9d4b625bd54337e4d0 Mon Sep 17 00:00:00 2001
From: Kishor PK <kpbhat@codeaurora.org>
Date: Thu, 18 Feb 2016 15:26:50 +0530
Subject: msm: perf: validate input argument of ev_constraints functions

Validate input argument before writing into
pmu_constraints_codes array.

CRs-Fixed: 975404
Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
---
 arch/arm/mach-msm/perf_event_msm_krait_l2.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
index 65a5d2f..43233ab 100644
--- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c
+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011,2012,2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011,2012,2014,2016 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -18,13 +18,15 @@
 
 #include <mach/msm-krait-l2-accessors.h>
 
+#define PMU_CODES_SIZE 64
+
 /*
  * The L2 PMU is shared between all CPU's, so protect
  * its bitmap access.
  */
 struct pmu_constraints {
 	u64 pmu_bitmap;
-	u8 codes[64];
+	u8 codes[PMU_CODES_SIZE];
 	raw_spinlock_t lock;
 } l2_pmu_constraints = {
 	.pmu_bitmap = 0,
@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
 	u8 group = evt_type & 0x0000F;
 	u8 code = (evt_type & 0x00FF0) >> 4;
 	unsigned long flags;
-	u32 err = 0;
+	int err = 0;
 	u64 bitmap_t;
 	u32 shift_idx;
-
 	if (evt_prefix == L2_TRACECTR_PREFIX)
 		return err;
 	/*
@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
 
 	shift_idx = ((reg * 4) + group);
 
+	if (shift_idx >= PMU_CODES_SIZE) {
+		err =  -EINVAL;
+		goto out;
+	}
+
 	bitmap_t = 1 << shift_idx;
 
 	if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) {
@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 	unsigned long flags;
 	u64 bitmap_t;
 	u32 shift_idx;
+	int err = 1;
 
 	if (evt_prefix == L2_TRACECTR_PREFIX)
 		return 1;
@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 
 	shift_idx = ((reg * 4) + group);
 
+	if (shift_idx >= PMU_CODES_SIZE) {
+		err = -EINVAL;
+		goto out;
+	}
 	bitmap_t = 1 << shift_idx;
 
 	/* Clear constraint bit. */
@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 
 	/* Clear code. */
 	l2_pmu_constraints.codes[shift_idx] = -1;
-
+out:
 	raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags);
-	return 1;
+	return err;
 }
 
 int get_num_events(void)
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From a599a7a83745820b3e1bee9d4b625bd54337e4d0 Mon Sep 17 00:00:00 2001`
			`From: Kishor PK <kpbhat@codeaurora.org>`
			`Date: Thu, 18 Feb 2016 15:26:50 +0530`
			`Subject: msm: perf: validate input argument of ev_constraints functions`

			`Validate input argument before writing into`
			`pmu_constraints_codes array.`

			`CRs-Fixed: 975404`
			`Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7`
			`Signed-off-by: Kishor PK <kpbhat@codeaurora.org>`
			`---`
			`arch/arm/mach-msm/perf_event_msm_krait_l2.c \| 23 +++++++++++++++++------`
			`1 file changed, 17 insertions(+), 6 deletions(-)`

			`diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c`
			`index 65a5d2f..43233ab 100644`
			`--- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c`
			`+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c`
			`@@ -1,5 +1,5 @@`
			`/*`
			`- * Copyright (c) 2011,2012,2014 The Linux Foundation. All rights reserved.`
			`+ * Copyright (c) 2011,2012,2014,2016 The Linux Foundation. All rights reserved.`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License version 2 and`
			`@@ -18,13 +18,15 @@`

			`#include <mach/msm-krait-l2-accessors.h>`

			`+#define PMU_CODES_SIZE 64`
			`+`
			`/*`
			`* The L2 PMU is shared between all CPU's, so protect`
			`* its bitmap access.`
			`*/`
			`struct pmu_constraints {`
			`u64 pmu_bitmap;`
			`- u8 codes[64];`
			`+ u8 codes[PMU_CODES_SIZE];`
			`raw_spinlock_t lock;`
			`} l2_pmu_constraints = {`
			`.pmu_bitmap = 0,`
			`@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)`
			`u8 group = evt_type & 0x0000F;`
			`u8 code = (evt_type & 0x00FF0) >> 4;`
			`unsigned long flags;`
			`- u32 err = 0;`
			`+ int err = 0;`
			`u64 bitmap_t;`
			`u32 shift_idx;`
			`-`
			`if (evt_prefix == L2_TRACECTR_PREFIX)`
			`return err;`
			`/*`
			`@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)`

			`shift_idx = ((reg * 4) + group);`

			`+ if (shift_idx >= PMU_CODES_SIZE) {`
			`+ err = -EINVAL;`
			`+ goto out;`
			`+ }`
			`+`
			`bitmap_t = 1 << shift_idx;`

			`if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) {`
			`@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)`
			`unsigned long flags;`
			`u64 bitmap_t;`
			`u32 shift_idx;`
			`+ int err = 1;`

			`if (evt_prefix == L2_TRACECTR_PREFIX)`
			`return 1;`
			`@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)`

			`shift_idx = ((reg * 4) + group);`

			`+ if (shift_idx >= PMU_CODES_SIZE) {`
			`+ err = -EINVAL;`
			`+ goto out;`
			`+ }`
			`bitmap_t = 1 << shift_idx;`

			`/* Clear constraint bit. */`
			`@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)`

			`/* Clear code. */`
			`l2_pmu_constraints.codes[shift_idx] = -1;`
			`-`
			`+out:`
			`raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags);`
			`- return 1;`
			`+ return err;`
			`}`

			`int get_num_events(void)`
			`--`
			`cgit v1.1`