Update Linux CVE patches

2025-08-03 20:04:21 -04:00 · 2017-10-29 22:14:37 -04:00 · 2017-10-29 22:14:37 -04:00 · 3989a1b20b
commit 3989a1b20b
parent 12b63c12b7
958 changed files with 21074 additions and 397 deletions
--- a/Patches/Linux_CVEs/CVE-2014-9784/ANY/0.patch
+++ b/Patches/Linux_CVEs/CVE-2014-9784/ANY/0.patch
@ -0,0 +1,203 @@
+From 36503d639cedcc73880974ed92132247576e72ba Mon Sep 17 00:00:00 2001
+From: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
+Date: Tue, 14 Jan 2014 16:54:46 -0800
+Subject: diag: Fix for diag debugfs buffer overflow
+
+Diag debugfs buffer has potential buffer overflow scenario which can cause
+memory corruption. Added safeguard to prevent this.
+
+Crs-fixed: 585147
+Change-Id: Ie1f099bb4bb626adff99ae225966aef70c1bc15e
+Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
+---
+ drivers/char/diag/diag_debugfs.c | 44 +++++++++++++++++++++++++---------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
+index d63d34b..96c0fa0 100644
+--- a/drivers/char/diag/diag_debugfs.c
+++ b/drivers/char/diag/diag_debugfs.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -33,14 +33,14 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
+ {
+ 	char *buf;
+ 	int ret;
+-
+	unsigned int buf_size;
+ 	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
+ 	if (!buf) {
+ 		pr_err("diag: %s, Error allocating memory\n", __func__);
+ 		return -ENOMEM;
+ 	}
+-
+-	ret = scnprintf(buf, DEBUG_BUF_SIZE,
+	buf_size = ksize(buf);
+	ret = scnprintf(buf, buf_size,
+ 		"modem ch: 0x%p\n"
+ 		"lpass ch: 0x%p\n"
+ 		"riva ch: 0x%p\n"
+@@ -183,7 +183,7 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
+ 		driver->real_time_mode);
+ 
+ #ifdef CONFIG_DIAG_OVER_USB
+-	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
+	ret += scnprintf(buf+ret, buf_size-ret,
+ 		"usb_connected: %d\n",
+ 		driver->usb_connected);
+ #endif
+@@ -200,7 +200,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
+ 	unsigned int bytes_remaining, bytes_written = 0;
+ 	unsigned int bytes_in_buf = 0, i = 0;
+ 	struct diag_dci_data_info *temp_data = dci_data_smd;
+-	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+	unsigned int buf_size;
+	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+ 
+ 	if (diag_dbgfs_dci_finished) {
+ 		diag_dbgfs_dci_finished = 0;
+@@ -213,6 +214,7 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
+ 		return -ENOMEM;
+ 	}
+ 
+	buf_size = ksize(buf);
+ 	bytes_remaining = buf_size;
+ 
+ 	if (diag_dbgfs_dci_data_index == 0) {
+@@ -281,6 +283,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
+ {
+ 	char *buf;
+ 	int ret;
+	unsigned int buf_size;
+ 
+ 	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
+ 	if (!buf) {
+@@ -288,7 +291,8 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
+ 		return -ENOMEM;
+ 	}
+ 
+-	ret = scnprintf(buf, DEBUG_BUF_SIZE,
+	buf_size = ksize(buf);
+	ret = scnprintf(buf, buf_size,
+ 		"Pending status for work_stucts:\n"
+ 		"diag_drain_work: %d\n"
+ 		"Modem data diag_read_smd_work: %d\n"
+@@ -336,7 +340,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
+ 						diag_notify_update_smd_work)));
+ 
+ #ifdef CONFIG_DIAG_OVER_USB
+-	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
+	ret += scnprintf(buf+ret, buf_size-ret,
+ 		"diag_proc_hdlc_work: %d\n"
+ 		"diag_read_work: %d\n",
+ 		work_pending(&(driver->diag_proc_hdlc_work)),
+@@ -357,7 +361,8 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
+ 	unsigned int bytes_remaining;
+ 	unsigned int bytes_in_buffer = 0;
+ 	unsigned int bytes_written;
+-	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+	unsigned int buf_size;
+	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+ 
+ 	if (diag_dbgfs_table_index >= diag_max_reg) {
+ 		/* Done. Reset to prepare for future requests */
+@@ -370,7 +375,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
+ 		pr_err("diag: %s, Error allocating memory\n", __func__);
+ 		return -ENOMEM;
+ 	}
+-
+	buf_size = ksize(buf);
+ 	bytes_remaining = buf_size;
+ 
+ 	if (diag_dbgfs_table_index == 0) {
+@@ -379,6 +384,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
+ 			"WCNSS: %d, APPS: %d\n",
+ 			MODEM_DATA, LPASS_DATA, WCNSS_DATA, APPS_DATA);
+ 		bytes_in_buffer += bytes_written;
+		bytes_remaining -= bytes_written;
+ 	}
+ 
+ 	for (i = diag_dbgfs_table_index; i < diag_max_reg; i++) {
+@@ -422,14 +428,15 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
+ {
+ 	char *buf = NULL;
+ 	int ret = 0, i = 0;
+-
+	unsigned int buf_size;
+ 	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
+ 	if (ZERO_OR_NULL_PTR(buf)) {
+ 		pr_err("diag: %s, Error allocating memory\n", __func__);
+ 		return -ENOMEM;
+ 	}
+	buf_size = ksize(buf);
+ 
+-	ret = scnprintf(buf, DEBUG_BUF_SIZE,
+	ret = scnprintf(buf, buf_size,
+ 		"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
+ 		"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
+ 		"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
+@@ -454,7 +461,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
+ 	for (i = 0; i < MAX_HSIC_CH; i++) {
+ 		if (!diag_hsic[i].hsic_inited)
+ 			continue;
+-		ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
+		ret += scnprintf(buf+ret, buf_size-ret,
+ 				"POOL_TYPE_HSIC_%d: [0x%p : 0x%p] count = %d\n",
+ 				i+1,
+ 				diag_hsic[i].diag_hsic_pool,
+@@ -465,7 +472,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
+ 	for (i = 0; i < MAX_HSIC_CH; i++) {
+ 		if (!diag_hsic[i].hsic_inited)
+ 			continue;
+-		ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
+		ret += scnprintf(buf+ret, buf_size-ret,
+ 				"POOL_TYPE_HSIC_%d_WRITE: [0x%p : 0x%p] count = %d\n",
+ 				i+1,
+ 				diag_hsic[i].diag_hsic_write_pool,
+@@ -484,6 +491,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
+ {
+ 	char *buf = NULL;
+ 	int ret = 0;
+	unsigned int buf_size;
+ 
+ 	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
+ 	if (ZERO_OR_NULL_PTR(buf)) {
+@@ -491,7 +499,8 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
+ 		return -ENOMEM;
+ 	}
+ 
+-	ret = scnprintf(buf, DEBUG_BUF_SIZE,
+	buf_size = ksize(buf);
+	ret = scnprintf(buf, buf_size,
+ 		"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
+ 		"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
+ 		"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
+@@ -530,10 +539,12 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
+ 	unsigned int bytes_remaining;
+ 	unsigned int bytes_in_buffer = 0;
+ 	unsigned int bytes_written;
+-	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+	unsigned int buf_size;
+ 	int bytes_hsic_inited = 45;
+ 	int bytes_hsic_not_inited = 410;
+ 
+	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
+
+ 	if (diag_dbgfs_finished) {
+ 		diag_dbgfs_finished = 0;
+ 		return 0;
+@@ -545,6 +556,7 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
+ 		return -ENOMEM;
+ 	}
+ 
+	buf_size = ksize(buf);
+ 	bytes_remaining = buf_size;
+ 
+ 	/* Only one smux for now */
+-- 
+cgit v1.1
+