Add patches for many Linux CVEs, and overhaul script paths

Patches/Linux_CVEs/CVE-2017-11060/0.patch

@@ -0,0 +1,116 @@
+From 657bb41463b837b2681e1fed310bd97970b09b83 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@codeaurora.org>
+Date: Mon, 19 Jun 2017 19:21:42 +0530
+Subject: qcacld-2.0: Avoid buffer overread when parsing PNO commands
+
+Propagation from qcacld-3.0 to qcacld-2.0
+
+There are currently three issues which can result in a buffer overread
+when processing PNO vendor commands:
+1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
+   when invoking nla_parse().
+2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
+   when invoking nla_parse().
+3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
+   of the attributes that are parsed are present in the policy.
+To prevent buffer overread:
+1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
+   hdd_extscan_passpoint_fill_network_list() to use the policy
+   wlan_hdd_pno_config_policy.
+2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
+   attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
+   hdd_extscan_passpoint_fill_network_list(), and
+   __wlan_hdd_cfg80211_set_epno_list().
+
+Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
+CRs-Fixed: 2058447
+---
+ CORE/HDD/src/wlan_hdd_cfg80211.c | 58 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
+index cae8b45..20f127b 100644
+--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
+@@ -868,19 +868,46 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
+ 
+ static const struct nla_policy
+ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
+-	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
+-		.type = NLA_U32
+-	},
+-	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = {
+-		.type = NLA_BINARY,
+-		.len = IEEE80211_MAX_SSID_LEN + 1
+-	},
+-	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = {
+-		.type = NLA_U8
+-	},
+-	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
+-		.type = NLA_U8
+-	},
++    [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = {
++        .type = NLA_BINARY,
++        .len = IEEE80211_MAX_SSID_LEN + 1
++    },
++    [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = {
++        .type = NLA_U8
++    },
++    [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
++        .type = NLA_U8
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = {
++        .type = NLA_U32
++    },
++    [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
++        .type = NLA_U32
++    },
+ };
+ 
+ static const struct nla_policy
+@@ -4914,7 +4941,8 @@ static int hdd_extscan_passpoint_fill_network_list(
+ 
+ 		if (nla_parse(network,
+ 			QCA_WLAN_VENDOR_ATTR_PNO_MAX,
+-			nla_data(networks), nla_len(networks), NULL)) {
++			nla_data(networks), nla_len(networks),
++			wlan_hdd_pno_config_policy)) {
+ 			hddLog(LOGE, FL("nla_parse failed"));
+ 			return -EINVAL;
+ 		}
+@@ -5015,7 +5043,7 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy,
+ 	}
+ 
+ 	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
+-		wlan_hdd_extscan_config_policy)) {
++		wlan_hdd_pno_config_policy)) {
+ 		hddLog(LOGE, FL("Invalid ATTR"));
+ 		return -EINVAL;
+ 	}
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-11060/1.patch

@@ -0,0 +1,97 @@
+From 5204ea3cae1b07aad76d9d831e46dfaea492f488 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@codeaurora.org>
+Date: Mon, 19 Jun 2017 19:21:42 +0530
+Subject: [PATCH] qcacld-2.0: Avoid buffer overread when parsing PNO commands
+
+Propagation from qcacld-3.0 to qcacld-2.0
+
+There are currently three issues which can result in a buffer overread
+when processing PNO vendor commands:
+1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
+   when invoking nla_parse().
+2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
+   when invoking nla_parse().
+3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
+   of the attributes that are parsed are present in the policy.
+To prevent buffer overread:
+1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
+   hdd_extscan_passpoint_fill_network_list() to use the policy
+   wlan_hdd_pno_config_policy.
+2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
+   attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
+   hdd_extscan_passpoint_fill_network_list(), and
+   __wlan_hdd_cfg80211_set_epno_list().
+
+Bug: 36817548
+Bug: 36815952
+Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
+CRs-Fixed: 2058447
+Signed-off-by: Ecco Park <eccopark@google.com>
+---
+ .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c    | 32 ++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+index 94b161e37a59a..c7d271f91ceb9 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+@@ -857,6 +857,12 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
+ 
+ static const struct nla_policy
+ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
++	[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = {
++		.type = NLA_U32
++	},
+ 	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
+ 		.type = NLA_U32
+ 	},
+@@ -870,6 +876,27 @@ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
+ 	[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
+ 		.type = NLA_U8
+ 	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = {
++		.type = NLA_U32
++	},
++	[QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
++		.type = NLA_U32
++	},
+ };
+ 
+ static const struct nla_policy
+@@ -4696,7 +4723,8 @@ static int hdd_extscan_passpoint_fill_network_list(
+ 
+ 		if (nla_parse(network,
+ 			QCA_WLAN_VENDOR_ATTR_PNO_MAX,
+-			nla_data(networks), nla_len(networks), NULL)) {
++			nla_data(networks), nla_len(networks),
++			wlan_hdd_pno_config_policy)) {
+ 			hddLog(LOGE, FL("nla_parse failed"));
+ 			return -EINVAL;
+ 		}
+@@ -4918,7 +4946,7 @@ static int __wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy,
+ 	}
+ 
+ 	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
+-		wlan_hdd_extscan_config_policy)) {
++		wlan_hdd_pno_config_policy)) {
+ 		hddLog(LOGE, FL("Invalid ATTR"));
+ 		return -EINVAL;
+ 	}

Patches/Linux_CVEs/CVE-2017-11060/2.patch

@@ -0,0 +1,36 @@
+From 49eec96af9448e23a8fc2e41f67db948983b8427 Mon Sep 17 00:00:00 2001
+From: Ecco Park <eccopark@google.com>
+Date: Wed, 16 Aug 2017 16:45:03 -0700
+Subject: [PATCH] qcacld-2.0: Avoid buffer overread when parsing PNO commands
+
+fix merge of 5204ea3cae1b07aad76d9d831e46dfaea492f488
+
+Bug: 36817548
+Change-Id: Ie5abe6ed5797588688f3a83cf12a964429ed11d3
+Signed-off-by: Ecco Park <eccopark@google.com>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+index da139cf225ce2..9029ef3b9e4a3 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+@@ -4873,7 +4873,7 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy,
+ 	}
+ 
+ 	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
+-		wlan_hdd_extscan_config_policy)) {
++		wlan_hdd_pno_config_policy)) {
+ 		hddLog(LOGE, FL("Invalid ATTR"));
+ 		return -EINVAL;
+ 	}
+@@ -4994,7 +4994,7 @@ static int __wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy,
+ 	}
+ 
+ 	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
+-		wlan_hdd_pno_config_policy)) {
++		wlan_hdd_extscan_config_policy)) {
+ 		hddLog(LOGE, FL("Invalid ATTR"));
+ 		return -EINVAL;
+ 	}