Remove many duplicate linux CVE patches and update patchers

Tad 2017-10-29 03:46:24 -04:00
parent 3376142301
commit 86c2d7a648
72 changed files with 513 additions and 5578 deletions
Patches/Linux_CVEs
CVE-2012-6703
CVE-2014-4656
CVE-2014-9420
CVE-2014-9683
CVE-2014-9715
CVE-2014-9778
CVE-2014-9898
CVE-2015-2041
CVE-2015-8830
CVE-2016-10229
CVE-2016-10296
CVE-2016-2185
CVE-2016-2186
CVE-2016-2187
CVE-2016-3136
CVE-2016-3137
CVE-2016-3138
CVE-2016-3140
CVE-2016-3689
CVE-2016-3855
CVE-2016-5861
CVE-2016-6681
CVE-2016-6786
CVE-2016-8391
CVE-2016-8393
CVE-2016-8474
CVE-2016-8478
CVE-2017-0435
CVE-2017-0436
CVE-2017-0438
CVE-2017-0442
CVE-2017-0443
CVE-2017-0445
CVE-2017-0446
CVE-2017-0447
CVE-2017-0533
CVE-2017-0534
CVE-2017-0536
CVE-2017-0569
CVE-2017-0570
CVE-2017-0628
CVE-2017-0788
CVE-2017-10998
CVE-2017-5669
CVE-2017-6074
CVE-2017-7369
CVE-2017-7371
CVE-2017-7618
CVE-2017-9077
Scripts/LineageOS-14.1/CVE_Patchers

@ -1,31 +0,0 @@
From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 5 Sep 2012 15:32:18 +0300
Subject: [PATCH] ALSA: compress_core: integer overflow in
snd_compr_allocate_buffer()
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/compress_offload.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index eb60cb8dbb8a6..68fe02c7400a2 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;
+ if (params->buffer.fragment_size == 0 ||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+ return -EINVAL;
+
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;

@ -1,66 +0,0 @@
From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
From: Vinod Koul <vinod.koul@linux.intel.com>
Date: Mon, 17 Sep 2012 11:51:25 +0530
Subject: [PATCH] ALSA: compress - move the buffer check
Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
added a new error check for input params.
this add new routine for input checks and moves buffer overflow check to this
new routine. This allows the error value to be propogated to user space
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/compress_offload.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 68fe02c7400a2..bd7f28e892540 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
unsigned int buffer_size;
void *buffer;
- if (params->buffer.fragment_size == 0 ||
- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
- return -EINVAL;
-
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
if (stream->ops->copy) {
buffer = NULL;
@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
return 0;
}
+static int snd_compress_check_input(struct snd_compr_params *params)
+{
+ /* first let's check the buffer parameter's */
+ if (params->buffer.fragment_size == 0 ||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+ return -EINVAL;
+
+ return 0;
+}
+
static int
snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
{
@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
retval = -EFAULT;
goto out;
}
+
+ retval = snd_compress_check_input(params);
+ if (retval)
+ goto out;
+
retval = snd_compr_allocate_buffer(stream, params);
if (retval) {
retval = -ENOMEM;
goto out;
}
+
retval = stream->ops->set_params(stream, params);
if (retval)
goto out;

@ -1,39 +0,0 @@
From f7500568b7633324e7c4282bb8baa3ff3f17fd7a Mon Sep 17 00:00:00 2001
From: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed, 18 Jun 2014 13:32:35 +0200
Subject: ALSA: control: Make sure that id->index does not overflow
commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/control.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c
index d3f17de..9210594 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
if (snd_BUG_ON(!card || !kcontrol->info))
goto error;
id = kcontrol->id;
+ if (id.index > UINT_MAX - kcontrol->count)
+ goto error;
+
down_write(&card->controls_rwsem);
if (snd_ctl_find_id(card, &id)) {
up_write(&card->controls_rwsem);
--
cgit v1.1

@ -1,7 +1,9 @@
From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001
From 212c4d33ca83e2144064fe9c2911607fbed5386f Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Mon, 15 Dec 2014 14:22:46 +0100
Subject: [PATCH] isofs: Fix infinite looping over CE entries
Subject: isofs: Fix infinite looping over CE entries
commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
@ -13,14 +15,14 @@ Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/isofs/rock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index f488bbae541ac..bb63254ed8486 100644
index ee62cc0..26859de 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
@ -50,3 +52,6 @@ index f488bbae541ac..bb63254ed8486 100644
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
--
cgit v1.1

@ -1,57 +0,0 @@
From 212c4d33ca83e2144064fe9c2911607fbed5386f Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Mon, 15 Dec 2014 14:22:46 +0100
Subject: isofs: Fix infinite looping over CE entries
commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
image can contain arbitrarily long chain of these, including a one
containing loop and thus causing kernel to end in an infinite loop when
traversing these entries.
Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/isofs/rock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index ee62cc0..26859de 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
int cont_size;
int cont_extent;
int cont_offset;
+ int cont_loops;
struct inode *inode;
};
@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
rs->inode = inode;
}
+/* Maximum number of Rock Ridge continuation entries */
+#define RR_MAX_CE_ENTRIES 32
+
/*
* Returns 0 if the caller should continue scanning, 1 if the scan must end
* and -ve on error.
@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
goto out;
}
ret = -EIO;
+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
+ goto out;
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
--
cgit v1.1

@ -1,37 +0,0 @@
From f2d130454e46c3989af1b4f882b6a666d24fa2e0 Mon Sep 17 00:00:00 2001
From: Michael Halcrow <mhalcrow@google.com>
Date: Wed, 26 Nov 2014 09:09:16 -0800
Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
routine
commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
end of the allocated buffer during encrypted filename decoding. This
fix corrects the issue by getting rid of the unnecessary 0 write when
the current bit offset is 2.
Signed-off-by: Michael Halcrow <mhalcrow@google.com>
Reported-by: Dmitry Chernenkov <dmitryc@google.com>
Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ecryptfs/crypto.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 68b19ab..dceedec 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
break;
case 2:
dst[dst_byte_offset++] |= (src_byte);
- dst[dst_byte_offset] = 0;
current_bit_offset = 0;
break;
}
--
cgit v1.1

@ -1,56 +0,0 @@
From 33eedfe8ecbaabcdc38be63901cb2b79e3190fda Mon Sep 17 00:00:00 2001
From: Andrey Vagin <avagin@openvz.org>
Date: Fri, 28 Mar 2014 13:54:32 +0400
Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
case it can contain all extensions. Bellow you can find sizes for all
types of extensions. Their sum is definitely bigger than 256.
nf_ct_ext_types[0]->len = 24
nf_ct_ext_types[1]->len = 32
nf_ct_ext_types[2]->len = 24
nf_ct_ext_types[3]->len = 32
nf_ct_ext_types[4]->len = 152
nf_ct_ext_types[5]->len = 2
nf_ct_ext_types[6]->len = 16
nf_ct_ext_types[7]->len = 8
I have seen "len" up to 280 and my host has crashes w/o this patch.
The right way to fix this problem is reducing the size of the ecache
extension (4) and Florian is going to do this, but these changes will
be quite large to be appropriate for a stable tree.
Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/netfilter/nf_conntrack_extend.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 2dcf317..d918074 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
/* Extensions: optional stuff which isn't permanently in struct. */
struct nf_ct_ext {
struct rcu_head rcu;
- u8 offset[NF_CT_EXT_NUM];
- u8 len;
+ u16 offset[NF_CT_EXT_NUM];
+ u16 len;
char data[0];
};
--
cgit v1.1

@ -1,48 +0,0 @@
From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
From: "Pachika, Vikas Reddy" <vpachi@codeaurora.org>
Date: Fri, 1 Nov 2013 21:06:37 +0530
Subject: msm: vidc: Validate userspace buffer count
Makesure the number of buffers count is less than
the maximum limit to avoid structure overflow errors.
Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
CRs-fixed: 563694
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
---
drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
include/media/msm/vidc_init.h | 1 +
2 files changed, 7 insertions(+)
diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
index a843889..b45100f 100644
--- a/drivers/video/msm/vidc/common/dec/vdec.c
+++ b/drivers/video/msm/vidc/common/dec/vdec.c
@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
vcd_h264_mv_buffer->offset = mv_data->offset;
+ if (mv_data->count > MAX_MV_BUFFERS) {
+ ERR("MV buffers maximum count reached, count = %d",
+ mv_data->count);
+ return false;
+ }
+
if (!vcd_get_ion_status()) {
if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
(unsigned long *) (&(vcd_h264_mv_buffer->
diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
index c35f770..5df0c3e 100644
--- a/include/media/msm/vidc_init.h
+++ b/include/media/msm/vidc_init.h
@@ -20,6 +20,7 @@
#define VIDC_MAX_NUM_CLIENTS 4
#define MAX_VIDEO_NUM_OF_BUFF 100
#define MAX_META_BUFFERS 32
+#define MAX_MV_BUFFERS 32
enum buffer_dir {
BUFFER_TYPE_INPUT,
--
cgit v1.1

@ -1,178 +0,0 @@
From 80be0e249c906704085d13d4ae446f73913fc225 Mon Sep 17 00:00:00 2001
From: Baruch Eruchimovitch <baruche@codeaurora.org>
Date: Mon, 14 Oct 2013 15:49:41 +0300
Subject: msm: ultrasound: add verifications of some input parameters
Some security vulnerabilities were found.
To fix them, additional verifications of some input parameters
are required.
CRs-Fixed: 554575, 554560, 555030
Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
Signed-off-by: Baruch Eruchimovitch <baruche@codeaurora.org>
---
arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c | 82 ++++++++++++++++++------------
1 file changed, 49 insertions(+), 33 deletions(-)
diff --git a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
index 1ea213a..01fcfd9 100644
--- a/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
+++ b/arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c
@@ -51,6 +51,11 @@
#define Y_IND 1
#define Z_IND 2
+/* Shared memory limits */
+/* max_buf_size = (port_size(65535*2) * port_num(8) * group_size(3) */
+#define USF_MAX_BUF_SIZE 3145680
+#define USF_MAX_BUF_NUM 32
+
/* Place for opreation result, received from QDSP6 */
#define APR_RESULT_IND 1
@@ -436,6 +441,15 @@ static int config_xx(struct usf_xx_type *usf_xx, struct us_xx_info_type *config)
(config == NULL))
return -EINVAL;
+ if ((config->buf_size == 0) ||
+ (config->buf_size > USF_MAX_BUF_SIZE) ||
+ (config->buf_num == 0) ||
+ (config->buf_num > USF_MAX_BUF_NUM)) {
+ pr_err("%s: wrong params: buf_size=%d; buf_num=%d\n",
+ __func__, config->buf_size, config->buf_num);
+ return -EINVAL;
+ }
+
data_map_size = sizeof(usf_xx->encdec_cfg.cfg_common.data_map);
min_map_size = min(data_map_size, config->port_cnt);
@@ -748,6 +762,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
{
uint32_t timeout = 0;
struct us_detect_info_type detect_info;
+ struct usm_session_cmd_detect_info *p_allocated_memory = NULL;
struct usm_session_cmd_detect_info usm_detect_info;
struct usm_session_cmd_detect_info *p_usm_detect_info =
&usm_detect_info;
@@ -774,12 +789,13 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
uint8_t *p_data = NULL;
detect_info_size += detect_info.params_data_size;
- p_usm_detect_info = kzalloc(detect_info_size, GFP_KERNEL);
- if (p_usm_detect_info == NULL) {
+ p_allocated_memory = kzalloc(detect_info_size, GFP_KERNEL);
+ if (p_allocated_memory == NULL) {
pr_err("%s: detect_info[%d] allocation failed\n",
__func__, detect_info_size);
return -ENOMEM;
}
+ p_usm_detect_info = p_allocated_memory;
p_data = (uint8_t *)p_usm_detect_info +
sizeof(struct usm_session_cmd_detect_info);
@@ -789,7 +805,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
if (rc) {
pr_err("%s: copy params from user; rc=%d\n",
__func__, rc);
- kfree(p_usm_detect_info);
+ kfree(p_allocated_memory);
return -EFAULT;
}
p_usm_detect_info->algorithm_cfg_size =
@@ -806,9 +822,7 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
p_usm_detect_info,
detect_info_size);
if (rc || (detect_info.detect_timeout == USF_NO_WAIT_TIMEOUT)) {
- if (detect_info_size >
- sizeof(struct usm_session_cmd_detect_info))
- kfree(p_usm_detect_info);
+ kfree(p_allocated_memory);
return rc;
}
@@ -828,25 +842,24 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg)
USF_US_DETECT_UNDEF),
timeout);
/* In the case of timeout, "no US" is assumed */
- if (rc < 0) {
+ if (rc < 0)
pr_err("%s: Getting US detection failed rc[%d]\n",
__func__, rc);
- return rc;
- }
-
- usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
- detect_info.is_us = (usf_xx->us_detect_type == USF_US_DETECT_YES);
- rc = copy_to_user((void __user *)arg,
- &detect_info,
- sizeof(detect_info));
- if (rc) {
- pr_err("%s: copy detect_info to user; rc=%d\n",
- __func__, rc);
- rc = -EFAULT;
+ else {
+ usf->usf_rx.us_detect_type = usf->usf_tx.us_detect_type;
+ detect_info.is_us =
+ (usf_xx->us_detect_type == USF_US_DETECT_YES);
+ rc = copy_to_user((void __user *)arg,
+ &detect_info,
+ sizeof(detect_info));
+ if (rc) {
+ pr_err("%s: copy detect_info to user; rc=%d\n",
+ __func__, rc);
+ rc = -EFAULT;
+ }
}
- if (detect_info_size > sizeof(struct usm_session_cmd_detect_info))
- kfree(p_usm_detect_info);
+ kfree(p_allocated_memory);
return rc;
} /* usf_set_us_detection */
@@ -947,16 +960,14 @@ static int usf_set_rx_info(struct usf_type *usf, unsigned long arg)
if (rc)
return rc;
- if (usf_xx->buffer_size && usf_xx->buffer_count) {
- rc = q6usm_us_client_buf_alloc(
- IN,
- usf_xx->usc,
- usf_xx->buffer_size,
- usf_xx->buffer_count);
- if (rc) {
- (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
- return rc;
- }
+ rc = q6usm_us_client_buf_alloc(
+ IN,
+ usf_xx->usc,
+ usf_xx->buffer_size,
+ usf_xx->buffer_count);
+ if (rc) {
+ (void)q6usm_cmd(usf_xx->usc, CMD_CLOSE);
+ return rc;
}
rc = q6usm_dec_cfg_blk(usf_xx->usc,
@@ -1175,10 +1186,15 @@ static int usf_get_version(unsigned long arg)
return -EFAULT;
}
- /* version_info.buf is pointer to place for the version string */
+ if (version_info.buf_size < sizeof(DRV_VERSION)) {
+ pr_err("%s: buf_size (%d) < version string size (%d)\n",
+ __func__, version_info.buf_size, sizeof(DRV_VERSION));
+ return -EINVAL;
+ }
+
rc = copy_to_user(version_info.pbuf,
DRV_VERSION,
- version_info.buf_size);
+ sizeof(DRV_VERSION));
if (rc) {
pr_err("%s: copy to version_info.pbuf; rc=%d\n",
__func__, rc);
--
cgit v1.1

@ -1,58 +0,0 @@
From 88fe14be08a475ad0eea4ca7c51f32437baf41af Mon Sep 17 00:00:00 2001
From: Sasha Levin <sasha.levin@oracle.com>
Date: Fri, 23 Jan 2015 20:47:00 -0500
Subject: net: llc: use correct size for sysctl timeout entries
commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
The timeout entries are sizeof(int) rather than sizeof(long), which
means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/llc/sysctl_net_llc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
index e2ebe35..be078ec 100644
--- a/net/llc/sysctl_net_llc.c
+++ b/net/llc/sysctl_net_llc.c
@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = {
{
.procname = "ack",
.data = &sysctl_llc2_ack_timeout,
- .maxlen = sizeof(long),
+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "busy",
.data = &sysctl_llc2_busy_timeout,
- .maxlen = sizeof(long),
+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "p",
.data = &sysctl_llc2_p_timeout,
- .maxlen = sizeof(long),
+ .maxlen = sizeof(sysctl_llc2_p_timeout),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "rej",
.data = &sysctl_llc2_rej_timeout,
- .maxlen = sizeof(long),
+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
--
cgit v1.1

@ -1,106 +0,0 @@
From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 21 May 2012 16:06:20 -0700
Subject: vfs: make AIO use the proper rw_verify_area() area helpers
We had for some reason overlooked the AIO interface, and it didn't use
the proper rw_verify_area() helper function that checks (for example)
mandatory locking on the file, and that the size of the access doesn't
cause us to overflow the provided offset limits etc.
Instead, AIO did just the security_file_permission() thing (that
rw_verify_area() also does) directly.
This fixes it to do all the proper helper functions, which not only
means that now mandatory file locking works with AIO too, we can
actually remove lines of code.
Reported-by: Manish Honap <manish_honap_vit@yahoo.co.in>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/aio.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 67a6db3..e7f2fad 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
if (ret < 0)
goto out;
+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
+ if (ret < 0)
+ goto out;
+
kiocb->ki_nr_segs = kiocb->ki_nbytes;
kiocb->ki_cur_seg = 0;
/* ki_nbytes/left now reflect bytes instead of segs */
@@ -1467,11 +1471,17 @@ out:
return ret;
}
-static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
{
+ int bytes;
+
+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
+ if (bytes < 0)
+ return bytes;
+
kiocb->ki_iovec = &kiocb->ki_inline_vec;
kiocb->ki_iovec->iov_base = kiocb->ki_buf;
- kiocb->ki_iovec->iov_len = kiocb->ki_left;
+ kiocb->ki_iovec->iov_len = bytes;
kiocb->ki_nr_segs = 1;
kiocb->ki_cur_seg = 0;
return 0;
@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
kiocb->ki_left)))
break;
- ret = security_file_permission(file, MAY_READ);
- if (unlikely(ret))
- break;
- ret = aio_setup_single_vector(kiocb);
+ ret = aio_setup_single_vector(READ, file, kiocb);
if (ret)
break;
ret = -EINVAL;
@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
kiocb->ki_left)))
break;
- ret = security_file_permission(file, MAY_WRITE);
- if (unlikely(ret))
- break;
- ret = aio_setup_single_vector(kiocb);
+ ret = aio_setup_single_vector(WRITE, file, kiocb);
if (ret)
break;
ret = -EINVAL;
@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
ret = -EBADF;
if (unlikely(!(file->f_mode & FMODE_READ)))
break;
- ret = security_file_permission(file, MAY_READ);
- if (unlikely(ret))
- break;
ret = aio_setup_vectored_rw(READ, kiocb, compat);
if (ret)
break;
@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
ret = -EBADF;
if (unlikely(!(file->f_mode & FMODE_WRITE)))
break;
- ret = security_file_permission(file, MAY_WRITE);
- if (unlikely(ret))
- break;
ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
if (ret)
break;
--
cgit v1.1

@ -1,94 +0,0 @@
From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 30 Dec 2015 08:51:12 -0500
Subject: udp: properly support MSG_PEEK with truncated buffers
Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.
In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov);
returns -EFAULT.
This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.
For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.
This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/udp.c | 6 ++++--
net/ipv6/udp.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 8841e98..ac14ae4 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
int peeked, off = 0;
int err;
int is_udplite = IS_UDPLITE(sk);
+ bool checksum_valid = false;
bool slow;
if (flags & MSG_ERRQUEUE)
@@ -1296,11 +1297,12 @@ try_again:
*/
if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
- if (udp_lib_checksum_complete(skb))
+ checksum_valid = !udp_lib_checksum_complete(skb);
+ if (!checksum_valid)
goto csum_copy_err;
}
- if (skb_csum_unnecessary(skb))
+ if (checksum_valid || skb_csum_unnecessary(skb))
err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
msg, copied);
else {
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 9da3287..00775ee 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
int peeked, off = 0;
int err;
int is_udplite = IS_UDPLITE(sk);
+ bool checksum_valid = false;
int is_udp4;
bool slow;
@@ -433,11 +434,12 @@ try_again:
*/
if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
- if (udp_lib_checksum_complete(skb))
+ checksum_valid = !udp_lib_checksum_complete(skb);
+ if (!checksum_valid)
goto csum_copy_err;
}
- if (skb_csum_unnecessary(skb))
+ if (checksum_valid || skb_csum_unnecessary(skb))
err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
msg, copied);
else {
--
cgit v1.1

@ -1,88 +0,0 @@
From a5e46d8635a2e28463b365aacdeab6750abd0d49 Mon Sep 17 00:00:00 2001
From: Sahitya Tummala <stummala@codeaurora.org>
Date: Fri, 3 Feb 2017 13:24:19 +0530
Subject: uio: fix potential use after free issue when accessing debug_buffer
The variable debug_buffer is a global variable which is allocated
and free'd when open/close is called on debugfs file -
"/sys/kernel/debug/rmt_storage/info". The current code doesn't
have locks to handle concurrent accesses to the above file.
This results into use after free issue when debug_buffer is
accessed by two threads at the same time. Fix this by adding
a mutex lock to protect this global variable.
Change-Id: I6bc3f0ae2d7fca3ca9fe8561612f5863b6c3268a
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
---
drivers/uio/msm_sharedmem/sharedmem_qmi.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/drivers/uio/msm_sharedmem/sharedmem_qmi.c b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
index 48fb17e..fd95dee 100644
--- a/drivers/uio/msm_sharedmem/sharedmem_qmi.c
+++ b/drivers/uio/msm_sharedmem/sharedmem_qmi.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -223,6 +223,7 @@ static int sharedmem_qmi_req_cb(struct qmi_handle *handle, void *conn_h,
#define DEBUG_BUF_SIZE (2048)
static char *debug_buffer;
static u32 debug_data_size;
+static struct mutex dbg_buf_lock; /* mutex for debug_buffer */
static ssize_t debug_read(struct file *file, char __user *buf,
size_t count, loff_t *file_pos)
@@ -279,21 +280,29 @@ static int debug_open(struct inode *inode, struct file *file)
{
u32 buffer_size;
- if (debug_buffer != NULL)
+ mutex_lock(&dbg_buf_lock);
+ if (debug_buffer != NULL) {
+ mutex_unlock(&dbg_buf_lock);
return -EBUSY;
+ }
buffer_size = DEBUG_BUF_SIZE;
debug_buffer = kzalloc(buffer_size, GFP_KERNEL);
- if (debug_buffer == NULL)
+ if (debug_buffer == NULL) {
+ mutex_unlock(&dbg_buf_lock);
return -ENOMEM;
+ }
debug_data_size = fill_debug_info(debug_buffer, buffer_size);
+ mutex_unlock(&dbg_buf_lock);
return 0;
}
static int debug_close(struct inode *inode, struct file *file)
{
+ mutex_lock(&dbg_buf_lock);
kfree(debug_buffer);
debug_buffer = NULL;
debug_data_size = 0;
+ mutex_unlock(&dbg_buf_lock);
return 0;
}
@@ -324,6 +333,7 @@ static void debugfs_init(void)
{
struct dentry *f_ent;
+ mutex_init(&dbg_buf_lock);
dir_ent = debugfs_create_dir("rmt_storage", NULL);
if (IS_ERR(dir_ent)) {
pr_err("Failed to create debug_fs directory\n");
@@ -352,6 +362,7 @@ static void debugfs_init(void)
static void debugfs_exit(void)
{
debugfs_remove_recursive(dir_ent);
+ mutex_destroy(&dbg_buf_lock);
}
static void sharedmem_qmi_svc_recv_msg(struct work_struct *work)
--
cgit v1.1

@ -1,109 +0,0 @@
From 37735ed2c8c12e9671a3742d6b9028bad43852df Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Wed, 23 Mar 2016 11:53:46 -0700
Subject: [PATCH] Input: ati_remote2 - fix crashes on detecting device with
invalid descriptor
[ Upstream commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d ]
The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.
The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
index f63341f20b91a..e8c6a4842e91c 100644
--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
ar2->udev = udev;
+ /* Sanity check, first interface must have an endpoint */
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 0 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail1;
+ }
ar2->intf[0] = interface;
ar2->ep[0] = &alt->endpoint[0].desc;
+ /* Sanity check, the device must have two interfaces */
ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+ __func__, udev->actconfig->desc.bNumInterfaces);
+ r = -ENODEV;
+ goto fail1;
+ }
+
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
if (r)
goto fail1;
+
+ /* Sanity check, second interface must have an endpoint */
alt = ar2->intf[1]->cur_altsetting;
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 1 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail2;
+ }
ar2->ep[1] = &alt->endpoint[0].desc;
r = ati_remote2_urb_init(ar2);
if (r)
- goto fail2;
+ goto fail3;
ar2->channel_mask = channel_mask;
ar2->mode_mask = mode_mask;
r = ati_remote2_setup(ar2, ar2->channel_mask);
if (r)
- goto fail2;
+ goto fail3;
usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
if (r)
- goto fail2;
+ goto fail3;
r = ati_remote2_input_init(ar2);
if (r)
- goto fail3;
+ goto fail4;
usb_set_intfdata(interface, ar2);
@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
return 0;
- fail3:
+ fail4:
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
ati_remote2_urb_cleanup(ar2);
+ fail2:
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
fail1:
kfree(ar2);

@ -1,38 +0,0 @@
From b684cb33d6867e10ba45375a12ef9f3ceb6f0aa7 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 14 Mar 2016 09:33:40 -0700
Subject: [PATCH] Input: powermate - fix oops with malicious USB descriptors
[ Upstream commit 9c6ba456711687b794dcf285856fc14e2c76074f ]
The powermate driver expects at least one valid USB endpoint in its
probe function. If given malicious descriptors that specify 0 for
the number of endpoints, it will crash. Validate the number of
endpoints on the interface before using them.
The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
drivers/input/misc/powermate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
index 63b539d3dabae..84909a12ff36c 100644
--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
int error = -ENOMEM;
interface = intf->cur_altsetting;
+ if (interface->desc.bNumEndpoints < 1)
+ return -EINVAL;
+
endpoint = &interface->endpoint[0].desc;
if (!usb_endpoint_is_int_in(endpoint))
return -EIO;

@ -1,56 +0,0 @@
From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Thu, 31 Mar 2016 10:53:42 -0700
Subject: Input: gtco - fix crash on detecting device without endpoints
The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.
Also let's fix a minor coding style issue.
The full correct report of this issue can be found in the public
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/tablet/gtco.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 3a7f3a4..7c18249 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
goto err_free_buf;
}
+ /* Sanity check that a device has an endpoint */
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
+ dev_err(&usbinterface->dev,
+ "Invalid number of endpoints\n");
+ error = -EINVAL;
+ goto err_free_urb;
+ }
+
/*
* The endpoint is always altsetting 0, we know this since we know
* this device only has one interrupt endpoint
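Review bot: The added check reads `usbinterface->altsetting[0].desc.bNumEndpoints`, while the descriptor lookup in the second hunk goes through `usbinterface->cur_altsetting`, so the endpoint count that is validated is not necessarily that of the setting the driver is bound to. `altsetting[0]` is only the first array entry, which is not guaranteed to be the active alternate setting. Checking `usbinterface->cur_altsetting->desc.bNumEndpoints < 1` and taking the endpoint from that same setting would keep check and use on one object. The endpoint assignment itself is outside the hunk, so that part needs confirming against the full function.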
@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
* HID report descriptor
*/
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
- HID_DEVICE_TYPE, &hid_desc) != 0){
+ HID_DEVICE_TYPE, &hid_desc) != 0) {
dev_err(&usbinterface->dev,
"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
error = -EIO;
--
cgit v1.1

@ -1,53 +0,0 @@
From 2633b8df3dff0377066fb32feb8ef06ae834d7ff Mon Sep 17 00:00:00 2001
From: Badhri Jagan Sridharan <Badhri@google.com>
Date: Tue, 30 Aug 2016 13:33:55 -0700
Subject: UPSTREAM: USB: mct_u232: add sanity checking in probe
commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.
CVE-2016-3136
BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I284ad648c2087c34a098d67e0cc6d948a568413c
---
drivers/usb/serial/mct_u232.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 6a15adf..c14c29f 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port,
static int mct_u232_port_probe(struct usb_serial_port *port)
{
+ struct usb_serial *serial = port->serial;
struct mct_u232_private *priv;
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+ dev_err(&port->dev, "expected endpoint missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
/* Use second interrupt-in endpoint for reading. */
- priv->read_urb = port->serial->port[1]->interrupt_in_urb;
+ priv->read_urb = serial->port[1]->interrupt_in_urb;
priv->read_urb->context = port;
spin_lock_init(&priv->lock);
--
cgit v1.1

@ -1,53 +0,0 @@
From 7a17891b0194ba11f7ee15a18e545808b0d27495 Mon Sep 17 00:00:00 2001
From: Badhri Jagan Sridharan <Badhri@google.com>
Date: Mon, 29 Aug 2016 17:33:52 -0700
Subject: UPSTREAM: USB: cypress_m8: add endpoint sanity check
commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.
An attack using missing endpoints exists.
CVE-2016-3137
BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I1cc7957a5924175d24f12fdc41162ece67c907e5
---
drivers/usb/serial/cypress_m8.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index 08212019..09f0f63 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
struct usb_serial *serial = port->serial;
struct cypress_private *priv;
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+ dev_err(&port->dev, "required endpoint is missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
cypress_set_termios(tty, port, &priv->tmp_termios);
/* setup the port and start reading from the device */
- if (!port->interrupt_in_urb) {
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
- __func__);
- return -1;
- }
-
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
port->interrupt_in_urb->transfer_buffer,
--
cgit v1.1

@ -1,39 +0,0 @@
From 801c5f937ef7edb23e411bc00d3695496b89dca2 Mon Sep 17 00:00:00 2001
From: Badhri Jagan Sridharan <Badhri@google.com>
Date: Tue, 30 Aug 2016 13:39:02 -0700
Subject: UPSTREAM: USB: cdc-acm: more sanity checking
commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.
An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
by an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.
BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I9a5f7f3c704b65e866335054f470451fcfae9d1c
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 9b1cbcf..f519d28 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -972,6 +972,9 @@ static int acm_probe(struct usb_interface *intf,
if (quirks == NO_UNION_NORMAL) {
data_interface = usb_ifnum_to_if(usb_dev, 1);
control_interface = usb_ifnum_to_if(usb_dev, 0);
+ /* we would crash */
+ if (!data_interface || !control_interface)
+ return -ENODEV;
goto skip_normal_probe;
}
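Review bot: The comment `/* we would crash */` does not say what is being guarded against. Something like `/* usb_ifnum_to_if() returns NULL when the device does not expose interface 0 or 1 */` tells the next reader why the NULL test is needed on the quirk path. acm_probe() continues outside the hunk.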
--
cgit v1.1

@ -1,57 +0,0 @@
From 129e6372f40a423bcded0a6dae547205edf652fb Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 31 Mar 2016 12:04:26 -0400
Subject: USB: digi_acceleport: do sanity checking for the number of ports
commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.
See: http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index 7b807d3..8c34d9c 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
static int digi_startup(struct usb_serial *serial)
{
+ struct device *dev = &serial->interface->dev;
struct digi_serial *serial_priv;
int ret;
+ int i;
+
+ /* check whether the device has the expected number of endpoints */
+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
+ dev_err(dev, "OOB endpoints missing\n");
+ return -ENODEV;
+ }
+
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
+ if (!serial->port[i]->read_urb) {
+ dev_err(dev, "bulk-in endpoint missing\n");
+ return -ENODEV;
+ }
+ if (!serial->port[i]->write_urb) {
+ dev_err(dev, "bulk-out endpoint missing\n");
+ return -ENODEV;
+ }
+ }
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
if (!serial_priv)
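Review bot: The expression `serial->type->num_ports + 1` appears in both the count check and the loop bound without saying what the extra port is; the error string suggests it is the out-of-band port. A named local such as `int num_needed = serial->type->num_ports + 1; /* data ports plus the OOB port */` used in both places would keep the two bounds from drifting apart. The loop also dereferences `serial->port[i]` without a NULL test, which relies on the usb-serial core having populated every slot below `num_port_pointers`; that is presumably true, but it deserves a one-line comment.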
--
cgit v1.1

@ -1,40 +0,0 @@
From 7ca573e32c0a6634d679540314a80d235f224bfb Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 17 Mar 2016 14:00:17 -0700
Subject: [PATCH] Input: ims-pcu - sanity check against missing interfaces
[ Upstream commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff ]
A malicious device missing interface can make the driver oops.
Add sanity checking.
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
drivers/input/misc/ims-pcu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index afed8e2b2f944..41ef29b516f35 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bMasterInterface0);
+ if (!pcu->ctrl_intf)
+ return -EINVAL;
alt = pcu->ctrl_intf->cur_altsetting;
pcu->ep_ctrl = &alt->endpoint[0].desc;
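Review bot: After the new NULL check on `pcu->ctrl_intf`, the next lines still take `&alt->endpoint[0].desc` without looking at `alt->desc.bNumEndpoints`, so a control interface that exists but declares zero endpoints is not rejected here. The data interface in the second hunk is already checked with `alt->desc.bNumEndpoints != 2`. The control interface should get the equivalent guard, `if (alt->desc.bNumEndpoints < 1) return -EINVAL;`, before `pcu->ep_ctrl` is assigned. ims_pcu_parse_cdc_data() starts and ends outside the hunk.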
@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
pcu->data_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bSlaveInterface0);
+ if (!pcu->data_intf)
+ return -EINVAL;
alt = pcu->data_intf->cur_altsetting;
if (alt->desc.bNumEndpoints != 2) {

@ -1,41 +0,0 @@
From ab3f46119ca10de87a11fe966b0723c48f27acd4 Mon Sep 17 00:00:00 2001
From: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
Date: Wed, 30 Mar 2016 17:12:16 +0530
Subject: msm: limits: Check user buffer size before copying to local buffer
User input data is passed in from userspace through debugfs interface
of supply lm core to validate supply lm core functionality. Ensure
user buffer size is not greater than expected stack buffer size
to avoid out of bounds array accesses.
Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
---
drivers/thermal/supply_lm_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/thermal/supply_lm_core.c b/drivers/thermal/supply_lm_core.c
index fc8e807..a4d137f 100644
--- a/drivers/thermal/supply_lm_core.c
+++ b/drivers/thermal/supply_lm_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -303,6 +303,11 @@ static ssize_t supply_lm_input_write(struct file *fp,
enum corner_state gpu;
enum corner_state modem;
+ if (count > (MODE_MAX - 1)) {
+ pr_err("Invalid user input\n");
+ return -EINVAL;
+ }
+
if (copy_from_user(&buf, user_buffer, count))
return -EFAULT;
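Review bot: The new bound compares `count` with `MODE_MAX - 1`, but the copy destination is `buf`, whose declaration is outside the hunk, so the check is only correct as long as `buf` is declared with `MODE_MAX` elements. Tying the bound to the object, `if (count > sizeof(buf) - 1)`, would keep it right if the declaration changes (assuming `buf` is an array, as `&buf` and the commit text suggest). It is also worth confirming that the code after the copy NUL-terminates `buf[count]` before parsing it, since that is what the `- 1` reserves room for.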
--
cgit v1.1

@ -1,78 +0,0 @@
From bfc6eee5e30a0c20bc37495233506f4f0cc4991d Mon Sep 17 00:00:00 2001
From: Ping Li <quicpingli@codeaurora.org>
Date: Thu, 3 Oct 2013 20:01:52 -0400
Subject: msm: mdss: Replace the size check for gamut LUTs
Add more reliable size check for gamut LUTs to prevent potential
security issues such as information leak.
Change-Id: I32be41a2612a100b9ba6167737c2f8778f720fa2
Signed-off-by: Ping Li <quicpingli@codeaurora.org>
---
drivers/video/msm/mdss/mdss_mdp_pp.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
index ed95030..1d8430e 100644
--- a/drivers/video/msm/mdss/mdss_mdp_pp.c
+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
@@ -295,6 +295,10 @@ static void pp_update_argc_lut(char __iomem *addr,
struct mdp_pgc_lut_data *config);
static void pp_update_hist_lut(char __iomem *base,
struct mdp_hist_lut_data *cfg);
+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config);
+static void pp_gamut_config(struct mdp_gamut_cfg_data *gamut_cfg,
+ char __iomem *base,
+ struct pp_sts_type *pp_sts);
static void pp_pa_config(unsigned long flags, char __iomem *addr,
struct pp_sts_type *pp_sts,
struct mdp_pa_cfg *pa_config);
@@ -2086,10 +2090,32 @@ int mdss_mdp_dither_config(struct mdp_dither_cfg_data *config,
return 0;
}
+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config)
+{
+ if (config->tbl_size[0] != GAMUT_T0_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[1] != GAMUT_T1_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[2] != GAMUT_T2_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[3] != GAMUT_T3_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[4] != GAMUT_T4_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[5] != GAMUT_T5_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[6] != GAMUT_T6_SIZE)
+ return -EINVAL;
+ if (config->tbl_size[7] != GAMUT_T7_SIZE)
+ return -EINVAL;
+
+ return 0;
+}
+
int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
u32 *copyback)
{
- int i, j, size_total = 0, ret = 0;
+ int i, j, ret = 0;
u32 disp_num, dspp_num = 0;
uint16_t *tbl_off;
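Review bot: `pp_gm_has_invalid_lut_size()` is named like a predicate but returns `-EINVAL` or `0`, and its body is eight copies of the same comparison. A table of the expected sizes walked with a loop says the same thing in a few lines and cannot miss an index. The fence below assumes `MDP_GAMUT_TABLE_NUM` is 8 and that `tbl_size[]` holds 32-bit values, both of which are declared outside this hunk. A short comment stating that each table must match its own size exactly, because equal totals do not imply equal per-table sizes, would record why the old sum check was replaced.

```c
static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config)
{
	/* Each table must match its own expected size exactly. */
	static const u32 expected_size[MDP_GAMUT_TABLE_NUM] = {
		GAMUT_T0_SIZE, GAMUT_T1_SIZE, GAMUT_T2_SIZE, GAMUT_T3_SIZE,
		GAMUT_T4_SIZE, GAMUT_T5_SIZE, GAMUT_T6_SIZE, GAMUT_T7_SIZE,
	};
	int i;

	for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++)
		if (config->tbl_size[i] != expected_size[i])
			return -EINVAL;

	return 0;
}
/* … unchanged: mdss_mdp_gamut_config() … */
```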
@@ -2102,9 +2128,8 @@ int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config,
if ((config->block < MDP_LOGICAL_BLOCK_DISP_0) ||
(config->block >= MDP_BLOCK_MAX))
return -EINVAL;
- for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++)
- size_total += config->tbl_size[i];
- if (size_total != GAMUT_TOTAL_TABLE_SIZE)
+
+ if (pp_gm_has_invalid_lut_size(config))
return -EINVAL;
mutex_lock(&mdss_pp_mutex);
--
cgit v1.1

@ -1,46 +0,0 @@
From f3a55611dc1c0363374ad92eb52b6ee09bf5ff49 Mon Sep 17 00:00:00 2001
From: vivek mehta <mvivek@codeaurora.org>
Date: Thu, 11 Aug 2016 13:27:32 -0700
Subject: [PATCH] misc: qcom: qdsp6v2: Add missing initialization
Use variables in driver context after proper initialization
Bug: 30152182 30152501
Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6
Signed-off-by: Haynes Mathew George <hgeorge@codeaurora.org>
Signed-off-by: vivek mehta <mvivek@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++-
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
index 2206a3461cc0d..ac56464683600 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2010-2014, 2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -593,6 +593,7 @@ long audio_in_compat_ioctl(struct file *file,
}
case AUDIO_GET_CONFIG_32: {
struct msm_audio_config32 cfg_32;
+ memset(&cfg_32, 0, sizeof(cfg_32));
cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
cfg_32.channel_count = audio->pcm_cfg.channel_count;
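Review bot: The added `memset(&cfg_32, 0, sizeof(cfg_32));` has no comment saying why a struct whose fields are assigned right afterwards needs zeroing. If `cfg_32` is later copied to user space (the copy is outside the hunk), the reason is that unassigned members and padding would otherwise carry stale kernel stack bytes. A line such as `/* zero padding and unset fields before the struct is copied to user space */` would keep a later cleanup from removing the call, and the same applies to the matching hunk in audio_utils_aio.c. A blank line between the declaration and the memset would also follow kernel style.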
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
index 11d890d443007..d444742c603cb 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
@@ -1877,6 +1877,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
case AUDIO_GET_CONFIG_32: {
struct msm_audio_config32 cfg_32;
mutex_lock(&audio->lock);
+ memset(&cfg_32, 0, sizeof(cfg_32));
cfg_32.buffer_size = audio->pcm_cfg.buffer_size;
cfg_32.buffer_count = audio->pcm_cfg.buffer_count;
cfg_32.channel_count = audio->pcm_cfg.channel_count;

@ -1,505 +0,0 @@
From f63a8daa5812afef4f06c962351687e1ff9ccb2b Mon Sep 17 00:00:00 2001
From: Peter Zijlstra <peterz@infradead.org>
Date: Fri, 23 Jan 2015 12:24:14 +0100
Subject: perf: Fix event->ctx locking
There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.
It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.
What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 207 insertions(+), 37 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index b358cb3..417a96b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -907,6 +907,77 @@ static void put_ctx(struct perf_event_context *ctx)
}
/*
+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group and
+ * perf_pmu_migrate_context() we need some magic.
+ *
+ * Those places that change perf_event::ctx will hold both
+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value.
+ *
+ * Lock ordering is by mutex address. There is one other site where
+ * perf_event_context::mutex nests and that is put_event(). But remember that
+ * that is a parent<->child context relation, and migration does not affect
+ * children, therefore these two orderings should not interact.
+ *
+ * The change in perf_event::ctx does not affect children (as claimed above)
+ * because the sys_perf_event_open() case will install a new event and break
+ * the ctx parent<->child relation, and perf_pmu_migrate_context() is only
+ * concerned with cpuctx and that doesn't have children.
+ *
+ * The places that change perf_event::ctx will issue:
+ *
+ * perf_remove_from_context();
+ * synchronize_rcu();
+ * perf_install_in_context();
+ *
+ * to affect the change. The remove_from_context() + synchronize_rcu() should
+ * quiesce the event, after which we can install it in the new location. This
+ * means that only external vectors (perf_fops, prctl) can perturb the event
+ * while in transit. Therefore all such accessors should also acquire
+ * perf_event_context::mutex to serialize against this.
+ *
+ * However; because event->ctx can change while we're waiting to acquire
+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock()
+ * function.
+ *
+ * Lock order:
+ * task_struct::perf_event_mutex
+ * perf_event_context::mutex
+ * perf_event_context::lock
+ * perf_event::child_mutex;
+ * perf_event::mmap_mutex
+ * mmap_sem
+ */
+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event)
+{
+ struct perf_event_context *ctx;
+
+again:
+ rcu_read_lock();
+ ctx = ACCESS_ONCE(event->ctx);
+ if (!atomic_inc_not_zero(&ctx->refcount)) {
+ rcu_read_unlock();
+ goto again;
+ }
+ rcu_read_unlock();
+
+ mutex_lock(&ctx->mutex);
+ if (event->ctx != ctx) {
+ mutex_unlock(&ctx->mutex);
+ put_ctx(ctx);
+ goto again;
+ }
+
+ return ctx;
+}
+
+static void perf_event_ctx_unlock(struct perf_event *event,
+ struct perf_event_context *ctx)
+{
+ mutex_unlock(&ctx->mutex);
+ put_ctx(ctx);
+}
+
+/*
* This must be done under the ctx->lock, such as to serialize against
* context_equiv(), therefore we cannot call put_ctx() since that might end up
* calling scheduler related locks and ctx->lock nests inside those.
@@ -1666,7 +1737,7 @@ int __perf_event_disable(void *info)
* is the current context on this CPU and preemption is disabled,
* hence we can't get into perf_event_task_sched_out for this context.
*/
-void perf_event_disable(struct perf_event *event)
+static void _perf_event_disable(struct perf_event *event)
{
struct perf_event_context *ctx = event->ctx;
struct task_struct *task = ctx->task;
@@ -1707,6 +1778,19 @@ retry:
}
raw_spin_unlock_irq(&ctx->lock);
}
+
+/*
+ * Strictly speaking kernel users cannot create groups and therefore this
+ * interface does not need the perf_event_ctx_lock() magic.
+ */
+void perf_event_disable(struct perf_event *event)
+{
+ struct perf_event_context *ctx;
+
+ ctx = perf_event_ctx_lock(event);
+ _perf_event_disable(event);
+ perf_event_ctx_unlock(event, ctx);
+}
EXPORT_SYMBOL_GPL(perf_event_disable);
static void perf_set_shadow_time(struct perf_event *event,
@@ -2170,7 +2254,7 @@ unlock:
* perf_event_for_each_child or perf_event_for_each as described
* for perf_event_disable.
*/
-void perf_event_enable(struct perf_event *event)
+static void _perf_event_enable(struct perf_event *event)
{
struct perf_event_context *ctx = event->ctx;
struct task_struct *task = ctx->task;
@@ -2226,9 +2310,21 @@ retry:
out:
raw_spin_unlock_irq(&ctx->lock);
}
+
+/*
+ * See perf_event_disable();
+ */
+void perf_event_enable(struct perf_event *event)
+{
+ struct perf_event_context *ctx;
+
+ ctx = perf_event_ctx_lock(event);
+ _perf_event_enable(event);
+ perf_event_ctx_unlock(event, ctx);
+}
EXPORT_SYMBOL_GPL(perf_event_enable);
-int perf_event_refresh(struct perf_event *event, int refresh)
+static int _perf_event_refresh(struct perf_event *event, int refresh)
{
/*
* not supported on inherited events
@@ -2237,10 +2333,25 @@ int perf_event_refresh(struct perf_event *event, int refresh)
return -EINVAL;
atomic_add(refresh, &event->event_limit);
- perf_event_enable(event);
+ _perf_event_enable(event);
return 0;
}
+
+/*
+ * See perf_event_disable()
+ */
+int perf_event_refresh(struct perf_event *event, int refresh)
+{
+ struct perf_event_context *ctx;
+ int ret;
+
+ ctx = perf_event_ctx_lock(event);
+ ret = _perf_event_refresh(event, refresh);
+ perf_event_ctx_unlock(event, ctx);
+
+ return ret;
+}
EXPORT_SYMBOL_GPL(perf_event_refresh);
static void ctx_sched_out(struct perf_event_context *ctx,
@@ -3433,7 +3544,16 @@ static void perf_remove_from_owner(struct perf_event *event)
rcu_read_unlock();
if (owner) {
- mutex_lock(&owner->perf_event_mutex);
+ /*
+ * If we're here through perf_event_exit_task() we're already
+ * holding ctx->mutex which would be an inversion wrt. the
+ * normal lock order.
+ *
+ * However we can safely take this lock because its the child
+ * ctx->mutex.
+ */
+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
+
/*
* We have to re-check the event->owner field, if it is cleared
* we raced with perf_event_exit_task(), acquiring the mutex
@@ -3559,12 +3679,13 @@ static int perf_event_read_group(struct perf_event *event,
u64 read_format, char __user *buf)
{
struct perf_event *leader = event->group_leader, *sub;
- int n = 0, size = 0, ret = -EFAULT;
struct perf_event_context *ctx = leader->ctx;
- u64 values[5];
+ int n = 0, size = 0, ret;
u64 count, enabled, running;
+ u64 values[5];
+
+ lockdep_assert_held(&ctx->mutex);
- mutex_lock(&ctx->mutex);
count = perf_event_read_value(leader, &enabled, &running);
values[n++] = 1 + leader->nr_siblings;
@@ -3579,7 +3700,7 @@ static int perf_event_read_group(struct perf_event *event,
size = n * sizeof(u64);
if (copy_to_user(buf, values, size))
- goto unlock;
+ return -EFAULT;
ret = size;
@@ -3593,14 +3714,11 @@ static int perf_event_read_group(struct perf_event *event,
size = n * sizeof(u64);
if (copy_to_user(buf + ret, values, size)) {
- ret = -EFAULT;
- goto unlock;
+ return -EFAULT;
}
ret += size;
}
-unlock:
- mutex_unlock(&ctx->mutex);
return ret;
}
@@ -3672,8 +3790,14 @@ static ssize_t
perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
struct perf_event *event = file->private_data;
+ struct perf_event_context *ctx;
+ int ret;
- return perf_read_hw(event, buf, count);
+ ctx = perf_event_ctx_lock(event);
+ ret = perf_read_hw(event, buf, count);
+ perf_event_ctx_unlock(event, ctx);
+
+ return ret;
}
static unsigned int perf_poll(struct file *file, poll_table *wait)
@@ -3699,7 +3823,7 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
return events;
}
-static void perf_event_reset(struct perf_event *event)
+static void _perf_event_reset(struct perf_event *event)
{
(void)perf_event_read(event);
local64_set(&event->count, 0);
@@ -3718,6 +3842,7 @@ static void perf_event_for_each_child(struct perf_event *event,
struct perf_event *child;
WARN_ON_ONCE(event->ctx->parent_ctx);
+
mutex_lock(&event->child_mutex);
func(event);
list_for_each_entry(child, &event->child_list, child_list)
@@ -3731,14 +3856,13 @@ static void perf_event_for_each(struct perf_event *event,
struct perf_event_context *ctx = event->ctx;
struct perf_event *sibling;
- WARN_ON_ONCE(ctx->parent_ctx);
- mutex_lock(&ctx->mutex);
+ lockdep_assert_held(&ctx->mutex);
+
event = event->group_leader;
perf_event_for_each_child(event, func);
list_for_each_entry(sibling, &event->sibling_list, group_entry)
perf_event_for_each_child(sibling, func);
- mutex_unlock(&ctx->mutex);
}
static int perf_event_period(struct perf_event *event, u64 __user *arg)
@@ -3808,25 +3932,24 @@ static int perf_event_set_output(struct perf_event *event,
struct perf_event *output_event);
static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
{
- struct perf_event *event = file->private_data;
void (*func)(struct perf_event *);
u32 flags = arg;
switch (cmd) {
case PERF_EVENT_IOC_ENABLE:
- func = perf_event_enable;
+ func = _perf_event_enable;
break;
case PERF_EVENT_IOC_DISABLE:
- func = perf_event_disable;
+ func = _perf_event_disable;
break;
case PERF_EVENT_IOC_RESET:
- func = perf_event_reset;
+ func = _perf_event_reset;
break;
case PERF_EVENT_IOC_REFRESH:
- return perf_event_refresh(event, arg);
+ return _perf_event_refresh(event, arg);
case PERF_EVENT_IOC_PERIOD:
return perf_event_period(event, (u64 __user *)arg);
@@ -3873,6 +3996,19 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
return 0;
}
+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ struct perf_event *event = file->private_data;
+ struct perf_event_context *ctx;
+ long ret;
+
+ ctx = perf_event_ctx_lock(event);
+ ret = _perf_ioctl(event, cmd, arg);
+ perf_event_ctx_unlock(event, ctx);
+
+ return ret;
+}
+
#ifdef CONFIG_COMPAT
static long perf_compat_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
@@ -3895,11 +4031,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd,
int perf_event_task_enable(void)
{
+ struct perf_event_context *ctx;
struct perf_event *event;
mutex_lock(&current->perf_event_mutex);
- list_for_each_entry(event, &current->perf_event_list, owner_entry)
- perf_event_for_each_child(event, perf_event_enable);
+ list_for_each_entry(event, &current->perf_event_list, owner_entry) {
+ ctx = perf_event_ctx_lock(event);
+ perf_event_for_each_child(event, _perf_event_enable);
+ perf_event_ctx_unlock(event, ctx);
+ }
mutex_unlock(&current->perf_event_mutex);
return 0;
@@ -3907,11 +4047,15 @@ int perf_event_task_enable(void)
int perf_event_task_disable(void)
{
+ struct perf_event_context *ctx;
struct perf_event *event;
mutex_lock(&current->perf_event_mutex);
- list_for_each_entry(event, &current->perf_event_list, owner_entry)
- perf_event_for_each_child(event, perf_event_disable);
+ list_for_each_entry(event, &current->perf_event_list, owner_entry) {
+ ctx = perf_event_ctx_lock(event);
+ perf_event_for_each_child(event, _perf_event_disable);
+ perf_event_ctx_unlock(event, ctx);
+ }
mutex_unlock(&current->perf_event_mutex);
return 0;
@@ -7269,6 +7413,15 @@ out:
return ret;
}
+static void mutex_lock_double(struct mutex *a, struct mutex *b)
+{
+ if (b < a)
+ swap(a, b);
+
+ mutex_lock(a);
+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+}
+
/**
* sys_perf_event_open - open a performance event, associate it to a task/cpu
*
@@ -7284,7 +7437,7 @@ SYSCALL_DEFINE5(perf_event_open,
struct perf_event *group_leader = NULL, *output_event = NULL;
struct perf_event *event, *sibling;
struct perf_event_attr attr;
- struct perf_event_context *ctx;
+ struct perf_event_context *ctx, *uninitialized_var(gctx);
struct file *event_file = NULL;
struct fd group = {NULL, 0};
struct task_struct *task = NULL;
@@ -7482,9 +7635,14 @@ SYSCALL_DEFINE5(perf_event_open,
}
if (move_group) {
- struct perf_event_context *gctx = group_leader->ctx;
+ gctx = group_leader->ctx;
+
+ /*
+ * See perf_event_ctx_lock() for comments on the details
+ * of swizzling perf_event::ctx.
+ */
+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
- mutex_lock(&gctx->mutex);
perf_remove_from_context(group_leader, false);
/*
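Review bot: `gctx = group_leader->ctx;` is read before any lock is held, and nothing after `mutex_lock_double(&gctx->mutex, &ctx->mutex)` confirms that `group_leader->ctx` is still `gctx`. perf_event_ctx_lock(), added earlier in this same patch, rechecks `event->ctx != ctx` after taking the mutex for exactly that reason, since a concurrent move can change the pointer while this path waits. The move_group path should do the same: after the double lock, `if (group_leader->ctx != gctx)` drop both mutexes and retry, holding a reference on `gctx` across the wait as perf_event_ctx_lock() does. The syscall body starts and ends outside this hunk.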
@@ -7499,15 +7657,19 @@ SYSCALL_DEFINE5(perf_event_open,
perf_event__state_init(sibling);
put_ctx(gctx);
}
- mutex_unlock(&gctx->mutex);
- put_ctx(gctx);
+ } else {
+ mutex_lock(&ctx->mutex);
}
WARN_ON_ONCE(ctx->parent_ctx);
- mutex_lock(&ctx->mutex);
if (move_group) {
+ /*
+ * Wait for everybody to stop referencing the events through
+ * the old lists, before installing it on new lists.
+ */
synchronize_rcu();
+
perf_install_in_context(ctx, group_leader, group_leader->cpu);
get_ctx(ctx);
list_for_each_entry(sibling, &group_leader->sibling_list,
@@ -7519,6 +7681,11 @@ SYSCALL_DEFINE5(perf_event_open,
perf_install_in_context(ctx, event, event->cpu);
perf_unpin_context(ctx);
+
+ if (move_group) {
+ mutex_unlock(&gctx->mutex);
+ put_ctx(gctx);
+ }
mutex_unlock(&ctx->mutex);
put_online_cpus();
@@ -7626,7 +7793,11 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx;
dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx;
- mutex_lock(&src_ctx->mutex);
+ /*
+ * See perf_event_ctx_lock() for comments on the details
+ * of swizzling perf_event::ctx.
+ */
+ mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex);
list_for_each_entry_safe(event, tmp, &src_ctx->event_list,
event_entry) {
perf_remove_from_context(event, false);
@@ -7634,11 +7805,9 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
put_ctx(src_ctx);
list_add(&event->migrate_entry, &events);
}
- mutex_unlock(&src_ctx->mutex);
synchronize_rcu();
- mutex_lock(&dst_ctx->mutex);
list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
list_del(&event->migrate_entry);
if (event->state >= PERF_EVENT_STATE_OFF)
@@ -7648,6 +7817,7 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
get_ctx(dst_ctx);
}
mutex_unlock(&dst_ctx->mutex);
+ mutex_unlock(&src_ctx->mutex);
}
EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
--
cgit v1.1

@ -1,97 +0,0 @@
From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001
From: Walter Yang <yandongy@codeaurora.org>
Date: Wed, 28 Sep 2016 20:11:23 +0800
Subject: ASoC: msm: lock read/write when add/free audio ion memory
As read/write get access to ion memory region as well, it's
necessary to lock them when ion memory is about to be added/freed
to avoid racing cases.
CRs-Fixed: 1071809
Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
index 8041111..7a4bae3 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
@@ -1,6 +1,6 @@
/* Copyright (C) 2008 Google, Inc.
* Copyright (C) 2008 HTC Corporation
- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
*
* This software is licensed under the terms of the GNU General Public
* License version 2, as published by the Free Software Foundation, and
@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
struct q6audio_aio *audio = file->private_data;
pr_debug("%s[%p]\n", __func__, audio);
mutex_lock(&audio->lock);
+ mutex_lock(&audio->read_lock);
+ mutex_lock(&audio->write_lock);
audio->wflush = 1;
if (audio->enabled)
audio_aio_flush(audio);
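Review bot: The nesting order `audio->lock`, then `read_lock`, then `write_lock` is introduced here in `audio_aio_release()` and repeated in the four ioctl and compat-ioctl hunks below, but it is not written down anywhere. The read and write paths are not part of this patch; if any of them takes `read_lock` or `write_lock` first and then `audio->lock`, the new nesting creates an ABBA deadlock, so that should be confirmed against the rest of the file. I would record the rule next to the mutex declarations, for example `/* Lock order: lock -> read_lock -> write_lock; release in reverse. */`. A small lock/unlock helper pair would also keep the five call sites from drifting apart.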
@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
wake_up(&audio->event_wait);
audio_aio_reset_event_queue(audio);
q6asm_audio_client_free(audio->ac);
+ mutex_unlock(&audio->write_lock);
+ mutex_unlock(&audio->read_lock);
mutex_unlock(&audio->lock);
mutex_destroy(&audio->lock);
mutex_destroy(&audio->read_lock);
@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
__func__);
rc = -EFAULT;
} else {
+ mutex_lock(&audio->read_lock);
+ mutex_lock(&audio->write_lock);
rc = audio_aio_ion_add(audio, &info);
+ mutex_unlock(&audio->write_lock);
+ mutex_unlock(&audio->read_lock);
}
mutex_unlock(&audio->lock);
break;
@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd,
__func__);
rc = -EFAULT;
} else {
+ mutex_lock(&audio->read_lock);
+ mutex_lock(&audio->write_lock);
rc = audio_aio_ion_remove(audio, &info);
+ mutex_unlock(&audio->write_lock);
+ mutex_unlock(&audio->read_lock);
}
mutex_unlock(&audio->lock);
break;
@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
} else {
info.fd = info_32.fd;
info.vaddr = compat_ptr(info_32.vaddr);
+ mutex_lock(&audio->read_lock);
+ mutex_lock(&audio->write_lock);
rc = audio_aio_ion_add(audio, &info);
+ mutex_unlock(&audio->write_lock);
+ mutex_unlock(&audio->read_lock);
}
mutex_unlock(&audio->lock);
break;
@@ -2013,7 +2029,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd,
} else {
info.fd = info_32.fd;
info.vaddr = compat_ptr(info_32.vaddr);
+ mutex_lock(&audio->read_lock);
+ mutex_lock(&audio->write_lock);
rc = audio_aio_ion_remove(audio, &info);
+ mutex_unlock(&audio->write_lock);
+ mutex_unlock(&audio->read_lock);
}
mutex_unlock(&audio->lock);
break;
--
cgit v1.1

@ -1,444 +0,0 @@
From 9397e20764da2fdffdfe20e35cb78211753b83cc Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Wed, 14 Sep 2016 17:21:48 -0700
Subject: [PATCH] input: synaptics: prevent sysfs races
concurrent sysfs calls on the fw updater can cause
ugly race conditions. Return EBUSY on concurrent sysfs calls.
For sysfs calls which generate deferred work, prevent
the deferred work from running concurrently with other
sysfs calls.
Change-Id: Ie33add946fbcca8309998e4cb7cb01525c667c7e
Signed-off-by: Andrew Chant <achant@google.com>
Bug: 31252388
---
drivers/input/touchscreen/synaptics_fw_update.c | 144 ++++++++++++++++++------
1 file changed, 109 insertions(+), 35 deletions(-)
diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
index 79b3a780550b8..ffa992b829a5a 100644
--- a/drivers/input/touchscreen/synaptics_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_fw_update.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <linux/i2c.h>
#include <linux/interrupt.h>
+#include <linux/mutex.h>
#include <linux/delay.h>
#include <linux/input.h>
#include <linux/firmware.h>
@@ -296,6 +297,7 @@ struct synaptics_rmi4_fwu_handle {
static struct synaptics_rmi4_fwu_handle *fwu;
DECLARE_COMPLETION(fwu_remove_complete);
+DEFINE_MUTEX(fwu_sysfs_mutex);
static unsigned int extract_uint(const unsigned char *ptr)
{
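Review bot: `DEFINE_MUTEX(fwu_sysfs_mutex);` gives the new mutex external linkage although every use in this patch is inside synaptics_fw_update.c. Declaring it `static DEFINE_MUTEX(fwu_sysfs_mutex);` keeps the symbol out of the kernel's global namespace and makes it clear that no other translation unit takes part in this locking scheme. A one-line comment saying that it serializes the sysfs handlers against each other and against `synaptics_rmi4_fwu_work()` would help as well.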
@@ -1713,34 +1715,47 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file,
char *buf, loff_t pos, size_t count)
{
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ ssize_t retval;
+
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
if (count < fwu->config_size) {
dev_err(&rmi4_data->i2c_client->dev,
"%s: Not enough space (%zu bytes) in buffer\n",
__func__, count);
- return -EINVAL;
+ retval = -EINVAL;
+ goto show_image_exit;
}
memcpy(buf, fwu->read_config_buf, fwu->config_size);
-
- return fwu->config_size;
+ retval = fwu->config_size;
+show_image_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
+ return retval;
}
static ssize_t fwu_sysfs_store_image(struct file *data_file,
struct kobject *kobj, struct bin_attribute *attributes,
char *buf, loff_t pos, size_t count)
{
+ ssize_t retval;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
+
if (!fwu->ext_data_source) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"Cannot use this without setting imagesize!\n");
- return -EAGAIN;
+ retval = -EAGAIN;
+ goto store_image_exit;
}
if (count > fwu->image_size - fwu->data_pos) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"%s: Not enough space in buffer\n",
__func__);
- return -EINVAL;
+ retval = -EINVAL;
+ goto store_image_exit;
}
memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]),
@@ -1749,8 +1764,11 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file,
fwu->data_buffer = fwu->ext_data_source;
fwu->data_pos += count;
+ retval = count;
- return count;
+store_image_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
+ return retval;
}
static ssize_t fwu_sysfs_image_name_store(struct device *dev,
@@ -1758,11 +1776,15 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev,
{
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
char *strptr;
+ ssize_t retval;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
if (count >= NAME_BUFFER_SIZE) {
dev_err(&rmi4_data->i2c_client->dev,
"Input over %d characters long\n", NAME_BUFFER_SIZE);
- return -EINVAL;
+ retval = -EINVAL;
+ goto image_name_store_exit;
}
strptr = strnstr(buf, ".img",
@@ -1770,21 +1792,32 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev,
if (!strptr) {
dev_err(&rmi4_data->i2c_client->dev,
"Input is not valid .img file\n");
- return -EINVAL;
+ retval = -EINVAL;
+ goto image_name_store_exit;
}
strlcpy(rmi4_data->fw_image_name, buf, count);
- return count;
+ retval = count;
+
+image_name_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
+ return retval;
}
static ssize_t fwu_sysfs_image_name_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
+ ssize_t retval;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
if (strnlen(fwu->rmi4_data->fw_image_name, NAME_BUFFER_SIZE) > 0)
- return snprintf(buf, PAGE_SIZE, "%s\n",
+ retval = snprintf(buf, PAGE_SIZE, "%s\n",
fwu->rmi4_data->fw_image_name);
else
- return snprintf(buf, PAGE_SIZE, "No firmware name given\n");
+ retval = snprintf(buf, PAGE_SIZE, "No firmware name given\n");
+
+ mutex_unlock(&fwu_sysfs_mutex);
+ return retval;
}
static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
@@ -1794,14 +1827,17 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
unsigned int input;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
+
if (sscanf(buf, "%u", &input) != 1) {
retval = -EINVAL;
- goto exit;
+ goto force_reflash_store_exit;
}
if (input != 1) {
retval = -EINVAL;
- goto exit;
+ goto force_reflash_store_exit;
}
if (LOCKDOWN)
fwu->do_lockdown = true;
@@ -1812,16 +1848,18 @@ static ssize_t fwu_sysfs_force_reflash_store(struct device *dev,
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to do reflash\n",
__func__);
- goto exit;
+ goto force_reflash_store_free_exit;
}
retval = count;
-exit:
+force_reflash_store_free_exit:
kfree(fwu->ext_data_source);
fwu->ext_data_source = NULL;
fwu->force_update = FORCE_UPDATE;
fwu->do_lockdown = rmi4_data->board->do_lockdown;
+force_reflash_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
@@ -1832,9 +1870,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
unsigned int input;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
+
if (sscanf(buf, "%u", &input) != 1) {
retval = -EINVAL;
- goto exit;
+ goto reflash_store_exit;
}
if (input & LOCKDOWN) {
@@ -1844,7 +1885,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
if ((input != NORMAL) && (input != FORCE)) {
retval = -EINVAL;
- goto exit;
+ goto reflash_store_exit;
}
if (input == FORCE)
@@ -1855,16 +1896,18 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev,
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to do reflash\n",
__func__);
- goto exit;
+ goto reflash_store_free_exit;
}
retval = count;
-exit:
+reflash_store_free_exit:
kfree(fwu->ext_data_source);
fwu->ext_data_source = NULL;
fwu->force_update = FORCE_UPDATE;
fwu->do_lockdown = rmi4_data->board->do_lockdown;
+reflash_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
@@ -1875,26 +1918,31 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
unsigned int input;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
+
if (sscanf(buf, "%u", &input) != 1) {
retval = -EINVAL;
- goto exit;
+ goto lockdown_store_exit;
}
if (input != 1) {
retval = -EINVAL;
- goto exit;
+ goto lockdown_store_exit;
}
if (!fwu->ext_data_source) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"Cannot use this without loading image in manual way!\n");
- return -EAGAIN;
+ retval = -EAGAIN;
+ goto lockdown_store_exit;
}
if (fwu->rmi4_data->suspended == true) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"Cannot lockdown while device is in suspend\n");
- return -EBUSY;
+ retval = -EBUSY;
+ goto lockdown_store_exit;
}
retval = fwu_start_write_lockdown();
@@ -1902,16 +1950,18 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to write lockdown block\n",
__func__);
- goto exit;
+ goto lockdown_store_free_exit;
}
retval = count;
-exit:
+lockdown_store_free_exit:
kfree(fwu->ext_data_source);
fwu->ext_data_source = NULL;
fwu->force_update = FORCE_UPDATE;
fwu->do_lockdown = rmi4_data->board->do_lockdown;
+lockdown_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
@@ -1920,6 +1970,8 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
{
unsigned int input = 0;
+ /* Takes fwu_sysfs_mutex in the deferred work function. */
+
if (sscanf(buf, "%u", &input) != 1)
return -EINVAL;
@@ -1942,26 +1994,31 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev,
unsigned int input;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
+
if (sscanf(buf, "%u", &input) != 1) {
retval = -EINVAL;
- goto exit;
+ goto write_config_store_exit;
}
if (input != 1) {
retval = -EINVAL;
- goto exit;
+ goto write_config_store_exit;
}
if (!fwu->ext_data_source) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"Cannot use this without loading image in manual way!\n");
- return -EAGAIN;
+ retval = -EAGAIN;
+ goto write_config_store_exit;
}
if (fwu->rmi4_data->suspended == true) {
dev_err(&fwu->rmi4_data->i2c_client->dev,
"Cannot write config while device is in suspend\n");
- return -EBUSY;
+ retval = -EBUSY;
+ goto write_config_store_exit;
}
retval = fwu_start_write_config();
@@ -1969,14 +2026,16 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev,
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to write config\n",
__func__);
- goto exit;
+ goto write_config_store_free_exit;
}
retval = count;
-exit:
+write_config_store_free_exit:
kfree(fwu->ext_data_source);
fwu->ext_data_source = NULL;
+write_config_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
@@ -1999,7 +2058,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev,
return -EBUSY;
}
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
retval = fwu_do_read_config();
+ mutex_unlock(&fwu_sysfs_mutex);
+
if (retval < 0) {
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to read config\n",
@@ -2028,7 +2091,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev,
return -EINVAL;
}
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
fwu->config_area = config_area;
+ mutex_unlock(&fwu_sysfs_mutex);
return count;
}
@@ -2039,10 +2105,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev,
int retval;
unsigned long size;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
+ if (!mutex_trylock(&fwu_sysfs_mutex))
+ return -EBUSY;
retval = kstrtoul(buf, 10, &size);
if (retval)
- return retval;
+ goto image_size_store_exit;
fwu->image_size = size;
fwu->data_pos = 0;
@@ -2053,10 +2121,12 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev,
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to alloc mem for image data\n",
__func__);
- return -ENOMEM;
+ retval = -ENOMEM;
}
- return count;
+image_size_store_exit:
+ mutex_unlock(&fwu_sysfs_mutex);
+ return retval;
}
static ssize_t fwu_sysfs_block_size_show(struct device *dev,
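Review bot: On success `fwu_sysfs_image_size_store()` now returns 0 instead of `count`: the final `return count;` became `return retval;`, and in the lines shown `retval` only ever holds the `kstrtoul()` result (0 on success) or `-ENOMEM`. A sysfs store that returns 0 tells the writer that no bytes were consumed, so user space may see a short write or retry the same write repeatedly, re-running the allocation each time. The allocation-failure branch should become `retval = -ENOMEM; goto image_size_store_exit;` and a `retval = count;` should be placed just before the `image_size_store_exit:` label. The few unchanged lines between this hunk and the previous one are not shown, but since they are unchanged they are unlikely to set `retval`.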
@@ -2241,6 +2311,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work)
container_of(to_delayed_work(work),
struct synaptics_rmi4_fwu_handle, fwu_work);
+ mutex_lock(&fwu_sysfs_mutex);
+
if (fwu->fn_ptr->enable)
fwu->fn_ptr->enable(fwu->rmi4_data, false);
@@ -2248,6 +2320,8 @@ static void synaptics_rmi4_fwu_work(struct work_struct *work)
if (fwu->fn_ptr->enable)
fwu->fn_ptr->enable(fwu->rmi4_data, true);
+
+ mutex_unlock(&fwu_sysfs_mutex);
}
static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
@@ -2338,7 +2412,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
#endif
- retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
+ retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
&dev_attr_data);
if (retval < 0) {
dev_err(&rmi4_data->i2c_client->dev,

@ -1,46 +0,0 @@
From 900b8b72c57cefebb39c150dfddfdd493a1cea79 Mon Sep 17 00:00:00 2001
From: Steve Pfetsch <spfetsch@google.com>
Date: Mon, 7 Nov 2016 16:20:11 -0800
Subject: [PATCH] input: ldaf: Initialize buffers before use.
Prevent writing uninitialized stack data to calibration files by
zeroing out buffers upon creation.
Bug: 31799972
Bug: 31795790
Change-Id: Ic848d4d1e181818f461e4b61ad73ada28a474bd1
---
drivers/input/misc/vl6180/stmvl6180_module.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/input/misc/vl6180/stmvl6180_module.c b/drivers/input/misc/vl6180/stmvl6180_module.c
index c61cc0f063424..78bc7f6844c33 100755
--- a/drivers/input/misc/vl6180/stmvl6180_module.c
+++ b/drivers/input/misc/vl6180/stmvl6180_module.c
@@ -107,7 +107,7 @@ static int stmvl6180_stop(struct stmvl6180_data *data);
static void stmvl6180_read_calibration_file(void)
{
struct file *f;
- char buf[8];
+ char buf[8] = {0};
mm_segment_t fs;
int i, is_sign = 0;
@@ -184,7 +184,7 @@ static void stmvl6180_read_calibration_file(void)
static void stmvl6180_write_offset_calibration_file(void)
{
struct file *f = NULL;
- char buf[8];
+ char buf[8] = {0};
mm_segment_t fs;
f = filp_open(CAL_FILE_OFFSET, O_CREAT | O_TRUNC | O_RDWR,
@@ -207,7 +207,7 @@ static void stmvl6180_write_offset_calibration_file(void)
static void stmvl6180_write_xtalk_calibration_file(void)
{
struct file *f = NULL;
- char buf[8];
+ char buf[8] = {0};
mm_segment_t fs;
f = filp_open(CAL_FILE_XTALK, O_CREAT | O_TRUNC | O_RDWR,

@ -1,73 +0,0 @@
From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
From: Benet Clark <benetc@codeaurora.org>
Date: Thu, 10 Nov 2016 17:49:09 -0800
Subject: msm: mdss: Clear compat structures before copying to user
In the compat layer, the temporary structures used to convert
data from 32bit to 64bit structures need to be set to 0 before
being assigned values.
CRs-Fixed: 1088206
Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
Signed-off-by: Benet Clark <benetc@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 5ad51dd..a9ab5c1 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
return -EFAULT;
}
+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
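Review bot: The added `memset()` carries no comment explaining why the whole structure is cleared when the next lines assign members one by one, which makes it an easy target for a later "redundant memset" cleanup. Going by the commit subject the structure is copied to user space afterwards (that copy is outside the hunk), so any member or padding byte not assigned here would otherwise hand stale kernel stack contents to the caller. I would put `/* Clear padding and unassigned members: this struct is copied out to user space. */` above the call, here and at the five other memsets in this patch. An `= {0}` initializer is not an equivalent replacement, because it is not guaranteed to clear padding.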
@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
pr_err("failed to copy payload from user for igc\n");
return -EFAULT;
}
+
+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
igc_cfg_payload.len = igc_cfg_payload_32.len;
@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
pr_err("failed to copy from user the pgc32 payload\n");
return -EFAULT;
}
+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
return -EFAULT;
}
+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
return -EFAULT;
}
+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
pa_cfg_payload.mode = pa_cfg_payload32.mode;
pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
pr_err("failed to copy the gamut payload from userspace\n");
return -EFAULT;
}
+
+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
gamut_cfg_payload.tbl_size[i] =
--
cgit v1.1

@ -1,185 +0,0 @@
From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001
From: Sudheer Papothi <spapothi@codeaurora.org>
Date: Wed, 26 Oct 2016 01:07:04 +0530
Subject: drivers: qcom: ultrasound: Lock async driver calls
Adds lock to ioctl and other external calls to driver.
Adds missing null check in __usf_set_stream_param.
Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++----
1 file changed, 59 insertions(+), 7 deletions(-)
diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
index d535ccb..9270dbc 100644
--- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
@@ -22,6 +22,7 @@
#include <linux/uaccess.h>
#include <linux/time.h>
#include <linux/kmemleak.h>
+#include <linux/mutex.h>
#include <sound/apr_audio.h>
#include <linux/qdsp6v2/usf.h>
#include "q6usm.h"
@@ -128,6 +129,8 @@ struct usf_type {
uint16_t conflicting_event_filters;
/* The requested buttons bitmap */
uint16_t req_buttons_bitmap;
+ /* Mutex for exclusive operations (all public APIs) */
+ struct mutex mutex;
};
struct usf_input_dev_type {
@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx,
int dir)
{
struct us_client *usc = usf_xx->usc;
- struct us_port_data *port = &usc->port[dir];
+ struct us_port_data *port;
int rc = 0;
+ if (usc == NULL) {
+ pr_err("%s: usc is null\n",
+ __func__);
+ return -EFAULT;
+ }
+
+ port = &usc->port[dir];
+ if (port == NULL) {
+ pr_err("%s: port is null\n",
+ __func__);
+ return -EFAULT;
+ }
+
if (port->param_buf == NULL) {
pr_err("%s: parameter buffer is null\n",
__func__);
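Review bot: The new `if (port == NULL)` test in `__usf_set_stream_param()` can never fire, because `port` is `&usc->port[dir]`, the address of an array element inside a `usc` that has already been checked for NULL. What the expression actually depends on is `dir`, which is used as an index without any range check in this hunk. If `dir` can ever be something other than the two direction constants, the guard should be a bounds check on `dir` placed before the address is taken; otherwise the dead branch should be dropped so it does not suggest protection that is not there. The same patch appears a second time further down this page and the remark applies there too.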
@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx,
return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
} /* usf_get_stream_param */
-static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+static long __usf_ioctl(struct usf_type *usf,
+ unsigned int cmd,
+ unsigned long arg)
{
+
int rc = 0;
- struct usf_type *usf = file->private_data;
struct usf_xx_type *usf_xx = NULL;
switch (cmd) {
@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
release_xx(usf_xx);
return rc;
+} /* __usf_ioctl */
+
+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ struct usf_type *usf = file->private_data;
+ int rc = 0;
+
+ mutex_lock(&usf->mutex);
+ rc = __usf_ioctl(usf, cmd, arg);
+ mutex_unlock(&usf->mutex);
+
+ return rc;
} /* usf_ioctl */
#ifdef CONFIG_COMPAT
@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx,
return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
} /* usf_get_stream_param32 */
-static long usf_compat_ioctl(struct file *file,
+static long __usf_compat_ioctl(struct usf_type *usf,
unsigned int cmd,
unsigned long arg)
{
int rc = 0;
- struct usf_type *usf = file->private_data;
struct usf_xx_type *usf_xx = NULL;
switch (cmd) {
@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file,
case US_START_RX:
case US_STOP_TX:
case US_STOP_RX: {
- return usf_ioctl(file, cmd, arg);
+ return __usf_ioctl(usf, cmd, arg);
}
case US_SET_TX_INFO32: {
@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file,
release_xx(usf_xx);
return rc;
+} /* __usf_compat_ioctl */
+
+static long usf_compat_ioctl(struct file *file,
+ unsigned int cmd,
+ unsigned long arg)
+{
+ struct usf_type *usf = file->private_data;
+ int rc = 0;
+
+ mutex_lock(&usf->mutex);
+ rc = __usf_compat_ioctl(usf, cmd, arg);
+ mutex_unlock(&usf->mutex);
+
+ return rc;
} /* usf_compat_ioctl */
#endif /* CONFIG_COMPAT */
@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms)
struct usf_type *usf = file->private_data;
int dir = OUT;
struct usf_xx_type *usf_xx = &usf->usf_tx;
+ int rc = 0;
+ mutex_lock(&usf->mutex);
if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */
dir = IN;
usf_xx = &usf->usf_rx;
}
+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms);
+ mutex_unlock(&usf->mutex);
- return q6usm_get_virtual_address(dir, usf_xx->usc, vms);
+ return rc;
}
static uint16_t add_opened_dev(int minor)
@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file)
usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF;
usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF;
+ mutex_init(&usf->mutex);
+
pr_debug("%s:usf in open\n", __func__);
return 0;
}
@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file)
pr_debug("%s: release entry\n", __func__);
+ mutex_lock(&usf->mutex);
usf_release_input(usf);
usf_disable(&usf->usf_tx);
@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file)
s_opened_devs[usf->dev_ind] = 0;
+ mutex_unlock(&usf->mutex);
+ mutex_destroy(&usf->mutex);
kfree(usf);
pr_debug("%s: release exit\n", __func__);
return 0;
--
cgit v1.1

@ -1,26 +0,0 @@
From 831da5d113d214db6894e9fd0ce98762ee8a544a Mon Sep 17 00:00:00 2001
From: Nick Desaulniers <ndesaulniers@google.com>
Date: Tue, 6 Dec 2016 09:57:57 -0800
Subject: [PATCH] Kconfig: msm: disable ultrasound driver
Bug: 31906415
Bug: 31906657
Bug: 32553868
Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
sound/soc/msm/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/sound/soc/msm/Kconfig b/sound/soc/msm/Kconfig
index 6eb168e4d10d5..2e6f642241ef3 100644
--- a/sound/soc/msm/Kconfig
+++ b/sound/soc/msm/Kconfig
@@ -267,7 +267,6 @@ config SND_SOC_MSM8994
select SND_SOC_MSM_HDMI_CODEC_RX
select QTI_PP
select SND_SOC_CPE
- select MSM_ULTRASOUND
select SND_HWDEP
help
To add support for SoC audio on MSM8994.

@ -1,185 +0,0 @@
From ce9db0874906f6aedd80bb28d457eadfe38bdd02 Mon Sep 17 00:00:00 2001
From: Sudheer Papothi <spapothi@codeaurora.org>
Date: Wed, 26 Oct 2016 01:07:04 +0530
Subject: drivers: qcom: ultrasound: Lock async driver calls
Adds lock to ioctl and other external calls to driver.
Adds missing null check in __usf_set_stream_param.
Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++----
1 file changed, 59 insertions(+), 7 deletions(-)
diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
index d535ccb..9270dbc 100644
--- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
+++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c
@@ -22,6 +22,7 @@
#include <linux/uaccess.h>
#include <linux/time.h>
#include <linux/kmemleak.h>
+#include <linux/mutex.h>
#include <sound/apr_audio.h>
#include <linux/qdsp6v2/usf.h>
#include "q6usm.h"
@@ -128,6 +129,8 @@ struct usf_type {
uint16_t conflicting_event_filters;
/* The requested buttons bitmap */
uint16_t req_buttons_bitmap;
+ /* Mutex for exclusive operations (all public APIs) */
+ struct mutex mutex;
};
struct usf_input_dev_type {
@@ -1376,9 +1379,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx,
int dir)
{
struct us_client *usc = usf_xx->usc;
- struct us_port_data *port = &usc->port[dir];
+ struct us_port_data *port;
int rc = 0;
+ if (usc == NULL) {
+ pr_err("%s: usc is null\n",
+ __func__);
+ return -EFAULT;
+ }
+
+ port = &usc->port[dir];
+ if (port == NULL) {
+ pr_err("%s: port is null\n",
+ __func__);
+ return -EFAULT;
+ }
+
if (port->param_buf == NULL) {
pr_err("%s: parameter buffer is null\n",
__func__);
@@ -1503,10 +1519,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx,
return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
} /* usf_get_stream_param */
-static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+static long __usf_ioctl(struct usf_type *usf,
+ unsigned int cmd,
+ unsigned long arg)
{
+
int rc = 0;
- struct usf_type *usf = file->private_data;
struct usf_xx_type *usf_xx = NULL;
switch (cmd) {
@@ -1669,6 +1687,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
release_xx(usf_xx);
return rc;
+} /* __usf_ioctl */
+
+static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ struct usf_type *usf = file->private_data;
+ int rc = 0;
+
+ mutex_lock(&usf->mutex);
+ rc = __usf_ioctl(usf, cmd, arg);
+ mutex_unlock(&usf->mutex);
+
+ return rc;
} /* usf_ioctl */
#ifdef CONFIG_COMPAT
@@ -2106,12 +2136,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx,
return __usf_get_stream_param(usf_xx, &get_stream_param, dir);
} /* usf_get_stream_param32 */
-static long usf_compat_ioctl(struct file *file,
+static long __usf_compat_ioctl(struct usf_type *usf,
unsigned int cmd,
unsigned long arg)
{
int rc = 0;
- struct usf_type *usf = file->private_data;
struct usf_xx_type *usf_xx = NULL;
switch (cmd) {
@@ -2119,7 +2148,7 @@ static long usf_compat_ioctl(struct file *file,
case US_START_RX:
case US_STOP_TX:
case US_STOP_RX: {
- return usf_ioctl(file, cmd, arg);
+ return __usf_ioctl(usf, cmd, arg);
}
case US_SET_TX_INFO32: {
@@ -2228,6 +2257,20 @@ static long usf_compat_ioctl(struct file *file,
release_xx(usf_xx);
return rc;
+} /* __usf_compat_ioctl */
+
+static long usf_compat_ioctl(struct file *file,
+ unsigned int cmd,
+ unsigned long arg)
+{
+ struct usf_type *usf = file->private_data;
+ int rc = 0;
+
+ mutex_lock(&usf->mutex);
+ rc = __usf_compat_ioctl(usf, cmd, arg);
+ mutex_unlock(&usf->mutex);
+
+ return rc;
} /* usf_compat_ioctl */
#endif /* CONFIG_COMPAT */
@@ -2236,13 +2279,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms)
struct usf_type *usf = file->private_data;
int dir = OUT;
struct usf_xx_type *usf_xx = &usf->usf_tx;
+ int rc = 0;
+ mutex_lock(&usf->mutex);
if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */
dir = IN;
usf_xx = &usf->usf_rx;
}
+ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms);
+ mutex_unlock(&usf->mutex);
- return q6usm_get_virtual_address(dir, usf_xx->usc, vms);
+ return rc;
}
static uint16_t add_opened_dev(int minor)
@@ -2294,6 +2341,8 @@ static int usf_open(struct inode *inode, struct file *file)
usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF;
usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF;
+ mutex_init(&usf->mutex);
+
pr_debug("%s:usf in open\n", __func__);
return 0;
}
@@ -2304,6 +2353,7 @@ static int usf_release(struct inode *inode, struct file *file)
pr_debug("%s: release entry\n", __func__);
+ mutex_lock(&usf->mutex);
usf_release_input(usf);
usf_disable(&usf->usf_tx);
@@ -2311,6 +2361,8 @@ static int usf_release(struct inode *inode, struct file *file)
s_opened_devs[usf->dev_ind] = 0;
+ mutex_unlock(&usf->mutex);
+ mutex_destroy(&usf->mutex);
kfree(usf);
pr_debug("%s: release exit\n", __func__);
return 0;
--
cgit v1.1

@ -1,128 +0,0 @@
From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Mon, 28 Nov 2016 09:19:02 -0800
Subject: qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b3c265c..800d123 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
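Review bot: Nothing visible here checks that `tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS]` is present before `nla_for_each_nested` walks it. The only failure path in the hunk's context is for the count attribute, so a request that carries the count but omits the nested list would pass a NULL attribute to the iterator, unless a check exists earlier in the function, which starts outside this hunk. A guard before `i = 0;`, for example `if (!tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS]) goto fail;`, would close that. The same applies to `tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS]` in the blacklist hunk and to the other copies of this patch on the page.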
@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
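Review bot: `i` is declared `int` (`int rem, i;`) while `count` is `uint32_t`, so `if (i < count)` and the earlier `if (i == count)` are mixed-sign comparisons. The new log lines also use mismatched conversions: `%u` for `i` here and `%d` for `count` in the "Num of Preferred BSSID" message. The values are bounded by the new max check, so this is a cleanliness point, but it will trip `-Wsign-compare` and `-Wformat`. Either give the loop a `uint32_t` index or print with matching specifiers, e.g. `FL("Num Preferred BSSID %d less than expected %u")`. The blacklist hunks and the repeated copies of this patch further down share the same pattern.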
@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;
--
cgit v1.1

@ -1,127 +0,0 @@
From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Mon, 28 Nov 2016 20:47:30 -0800
Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 89dba5d54b627..fd23a304b93bd 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;

@ -1,128 +0,0 @@
From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Mon, 28 Nov 2016 09:19:02 -0800
Subject: qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b3c265c..800d123 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;
--
cgit v1.1

@ -1,127 +0,0 @@
From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Mon, 28 Nov 2016 20:47:30 -0800
Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 89dba5d54b627..fd23a304b93bd 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;

@ -1,128 +0,0 @@
From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Mon, 28 Nov 2016 09:19:02 -0800
Subject: qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b3c265c..800d123 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;
--
cgit v1.1

@ -1,127 +0,0 @@
From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Mon, 28 Nov 2016 20:47:30 -0800
Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 89dba5d54b627..fd23a304b93bd 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;

@ -1,210 +0,0 @@
From 2615c5f302441568e6dd20007bc5246d72837e80 Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Tue, 6 Dec 2016 19:19:26 -0800
Subject: [PATCH] input: synaptics_dsx: remove update sysfs entries
Remove sysfs entrypoints to fw_update module.
BUG: 32769717
Change-Id: I425761af84ed5c31cc5902b4f49c4981a49f3af0
Signed-off-by: Andrew Chant <achant@google.com>
---
drivers/input/touchscreen/synaptics_dsx25/Kconfig | 10 ++++++++
.../synaptics_dsx25/synaptics_dsx_fw_update.c | 27 ++++++++++++++++++++--
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/drivers/input/touchscreen/synaptics_dsx25/Kconfig b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
index 36661fc9d6a2d..218a6c3c96467 100644
--- a/drivers/input/touchscreen/synaptics_dsx25/Kconfig
+++ b/drivers/input/touchscreen/synaptics_dsx25/Kconfig
@@ -59,6 +59,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
To compile this driver as a module, choose M here: the
module will be called synaptics_dsx_fw_update.
+config TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
+ bool "Synaptics DSX firmware update sysfs attributes"
+ depends on TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE
+ help
+ Say Y here to enable support for sysfs attributes for
+ performing firmware update in a development environment.
+ This does not affect the core or other subsystem attributes.
+
+ If unsure, say N.
+
config TOUCHSCREEN_SYNAPTICS_DSX25_ACTIVE_PEN
tristate "Synaptics DSX active pen module"
depends on TOUCHSCREEN_SYNAPTICS25_DSX_CORE
diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
index 323f65891b458..8cad4d3b3a9d9 100755
--- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
@@ -105,6 +105,7 @@ static int fwu_do_reflash(void);
static int fwu_recovery_check_status(void);
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static ssize_t fwu_sysfs_show_image(struct file *data_file,
struct kobject *kobj, struct bin_attribute *attributes,
char *buf, loff_t pos, size_t count);
@@ -157,6 +158,7 @@ static ssize_t fwu_sysfs_guest_code_block_count_show(struct device *dev,
static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count);
+#endif
enum f34_version {
F34_V0 = 0,
@@ -595,6 +597,7 @@ struct synaptics_rmi4_fwu_handle {
struct work_struct fwu_work;
};
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static struct bin_attribute dev_attr_data = {
.attr = {
.name = "data",
@@ -652,12 +655,14 @@ static struct device_attribute attrs[] = {
synaptics_rmi4_show_error,
fwu_sysfs_write_guest_code_store),
};
+#endif
static struct synaptics_rmi4_fwu_handle *fwu;
DECLARE_COMPLETION(dsx_fwu_remove_complete);
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
DEFINE_MUTEX(fwu_sysfs_mutex);
-
+#endif
static bool tp_2k_panel = false;
/**
* early_param: Parse system early startup parameters.
@@ -3057,6 +3062,7 @@ static int fwu_do_reflash(void)
return retval;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static int fwu_do_read_config(void)
{
int retval;
@@ -3136,6 +3142,7 @@ static int fwu_do_read_config(void)
return retval;
}
+#endif
static int fwu_do_lockdown(void)
{
@@ -3173,6 +3180,7 @@ static int fwu_do_lockdown(void)
return retval;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static int fwu_start_write_guest_code(void)
{
int retval;
@@ -3348,6 +3356,7 @@ static int fwu_start_write_config(void)
return retval;
}
+#endif
static void synaptics_refresh_configid(void)
{
@@ -3584,6 +3593,7 @@ static int fwu_recovery_check_status(void)
return 0;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static int fwu_recovery_erase_all(void)
{
int retval;
@@ -3778,6 +3788,7 @@ static int fwu_start_recovery(void)
return retval;
}
+#endif
int synaptics_dsx25_fw_updater(const unsigned char *fw_data)
{
@@ -3838,6 +3849,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work)
}
#endif
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
static ssize_t fwu_sysfs_show_image(struct file *data_file,
struct kobject *kobj, struct bin_attribute *attributes,
char *buf, loff_t pos, size_t count)
@@ -4236,6 +4248,7 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev,
mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
+#endif
static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
unsigned char intr_mask)
@@ -4252,7 +4265,9 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
{
int retval;
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
unsigned char attr_count;
+#endif
struct pdt_properties pdt_props;
if (fwu) {
@@ -4319,6 +4334,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
&fwu->fwu_work);
#endif
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
retval = sysfs_create_bin_file(&rmi4_data->input_dev->dev.kobj,
&dev_attr_data);
if (retval < 0) {
@@ -4339,9 +4355,11 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
goto exit_remove_attrs;
}
}
+#endif
return 0;
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
exit_remove_attrs:
for (attr_count--; attr_count >= 0; attr_count--) {
sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
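Review bot: The cleanup loop `for (attr_count--; attr_count >= 0; attr_count--)` can never terminate, because `attr_count` is declared `unsigned char` in the earlier hunk of this function and `attr_count >= 0` is therefore always true. After index 0 the counter wraps to 255 and `sysfs_remove_file` is handed `attrs[]` entries past the end of the array. The patch only wraps this path in `#ifdef`, so the defect stays live whenever the new option is enabled. Declaring the counter as `int attr_count;`, or writing the loop as `while (attr_count-- > 0)`, fixes it. The loop body continues into the next hunk.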
@@ -4349,8 +4367,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
}
sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
-
exit_destroy_work:
+#endif
+
#ifdef DO_STARTUP_FW_UPDATE
cancel_work_sync(&fwu->fwu_work);
flush_workqueue(fwu->fwu_workqueue);
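Review bot: Moving `exit_destroy_work:` inside the new `#ifdef` means that with the option unset, the `DO_STARTUP_FW_UPDATE` cleanup below sits directly after `return 0;` with no label reaching it. It is then dead code, assuming the remaining error labels (outside this hunk) come after it. That is harmless at runtime but easy to misread as a live error path. A short comment at the `#endif`, such as `/* workqueue teardown below is only reached via exit_destroy_work (sysfs build) */`, or guarding the teardown with the same option, would make the intent explicit.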
@@ -4370,7 +4389,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
{
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
unsigned char attr_count;
+#endif
if (!fwu)
goto exit;
@@ -4381,12 +4402,14 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
destroy_workqueue(fwu->fwu_workqueue);
#endif
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX25_FW_UPDATE_SYSFS
for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,
&attrs[attr_count].attr);
}
sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
+#endif
kfree(fwu->read_config_buf);
kfree(fwu->image_name);

@ -1,181 +0,0 @@
From fe160e51f02ee5db529c2e84ac8364c89cce005e Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Tue, 6 Dec 2016 20:59:01 -0800
Subject: [PATCH] input: synaptics_dsx: remove some sysfs nodes.
Remove most sysfs entrypoints to fw_update module.
Retains check_fw, which is triggered from an
init script.
BUG: 32769717
Change-Id: I710cb37a8b5382dce7aa6a1d8748be5853a18a7a
Signed-off-by: Andrew Chant <achant@google.com>
---
drivers/input/touchscreen/Kconfig | 10 ++++++++++
drivers/input/touchscreen/synaptics_fw_update.c | 20 ++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
index a42fea5862af2..64266998c2290 100644
--- a/drivers/input/touchscreen/Kconfig
+++ b/drivers/input/touchscreen/Kconfig
@@ -1019,6 +1019,16 @@ config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
To compile this driver as a module, choose M here: the
module will be called synaptics_dsx_fw_update.
+config TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
+ bool "Synaptics DSX firmware update extra sysfs attributes"
+ depends on TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE
+ help
+ Say Y here to enable support for extra sysfs attributes
+ supporting firmware update in a development environment.
+ This does not affect the core or other subsystem attributes.
+
+ If unsure, say N.
+
config SECURE_TOUCH
bool "Secure Touch"
depends on (TOUCHSCREEN_ATMEL_MXT || TOUCHSCREEN_SYNAPTICS_I2C_RMI4 || \
diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
index 8891f1c836684..360e455a5a51b 100644
--- a/drivers/input/touchscreen/synaptics_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_fw_update.c
@@ -1331,6 +1331,7 @@ static int fwu_do_write_config(void)
return retval;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
static int fwu_start_write_config(void)
{
int retval;
@@ -1383,6 +1384,7 @@ static int fwu_start_write_config(void)
return retval;
}
+#endif
static int fwu_do_write_lockdown(bool reset)
{
@@ -1430,6 +1432,7 @@ static int fwu_do_write_lockdown(bool reset)
return retval;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
static int fwu_start_write_lockdown(void)
{
if (parse_header())
@@ -1533,6 +1536,7 @@ static int fwu_do_read_config(void)
exit:
return retval;
}
+#endif
static int fwu_do_reflash(void)
{
@@ -1767,6 +1771,7 @@ int synaptics_fw_updater(void)
}
EXPORT_SYMBOL(synaptics_fw_updater);
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
static ssize_t fwu_sysfs_show_image(struct file *data_file,
struct kobject *kobj, struct bin_attribute *attributes,
char *buf, loff_t pos, size_t count)
@@ -2021,6 +2026,7 @@ static ssize_t fwu_sysfs_write_lockdown_store(struct device *dev,
mutex_unlock(&fwu_sysfs_mutex);
return retval;
}
+#endif
static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
@@ -2044,6 +2050,7 @@ static ssize_t fwu_sysfs_check_fw_store(struct device *dev,
return count;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
static ssize_t fwu_sysfs_write_config_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
@@ -2265,6 +2272,7 @@ static ssize_t fwu_sysfs_package_id_show(struct device *dev,
(pkg_id[1] << 8) | pkg_id[0],
(pkg_id[3] << 8) | pkg_id[2]);
}
+#endif
static int synaptics_rmi4_debug_dump_info(struct seq_file *m, void *v)
{
@@ -2298,6 +2306,7 @@ static void synaptics_rmi4_fwu_attn(struct synaptics_rmi4_data *rmi4_data,
return;
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
static struct bin_attribute dev_attr_data = {
.attr = {
.name = "data",
@@ -2307,8 +2316,10 @@ static struct bin_attribute dev_attr_data = {
.read = fwu_sysfs_show_image,
.write = fwu_sysfs_store_image,
};
+#endif
static struct device_attribute attrs[] = {
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
__ATTR(fw_name, S_IRUGO | S_IWUSR | S_IWGRP,
fwu_sysfs_image_name_show,
fwu_sysfs_image_name_store),
@@ -2318,9 +2329,11 @@ static struct device_attribute attrs[] = {
__ATTR(update_fw, S_IWUSR | S_IWGRP,
NULL,
fwu_sysfs_do_reflash_store),
+#endif
__ATTR(check_fw, S_IWUSR | S_IWGRP,
NULL,
fwu_sysfs_check_fw_store),
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
__ATTR(writeconfig, S_IWUSR | S_IWGRP,
NULL,
fwu_sysfs_write_config_store),
@@ -2360,6 +2373,7 @@ static struct device_attribute attrs[] = {
__ATTR(package_id, S_IRUGO,
fwu_sysfs_package_id_show,
synaptics_rmi4_store_error),
+#endif
};
@@ -2470,6 +2484,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
INIT_DELAYED_WORK(&fwu->fwu_work, synaptics_rmi4_fwu_work);
#endif
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
retval = sysfs_create_bin_file(&rmi4_data->i2c_client->dev.kobj,
&dev_attr_data);
if (retval < 0) {
@@ -2478,6 +2493,7 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
__func__);
goto exit_free_mem;
}
+#endif
for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
retval = sysfs_create_file(&rmi4_data->i2c_client->dev.kobj,
@@ -2511,7 +2527,9 @@ static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
&attrs[attr_count].attr);
}
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
+#endif
exit_free_mem:
kfree(fwu->fn_ptr);
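Review bot: The guarded `sysfs_remove_bin_file()` here targets `rmi4_data->input_dev->dev.kobj`, while the guarded `sysfs_create_bin_file()` two hunks earlier registers `dev_attr_data` on `rmi4_data->i2c_client->dev.kobj`. With the extra-sysfs option on, the error path and synaptics_rmi4_fwu_remove (last hunk, same call) would then try to remove the node from a different kobject than the one it was created on, leaving the `data` attribute in place. The mismatch predates this patch, but since the patch touches all three sites it is the natural place to make them agree, e.g. `sysfs_remove_bin_file(&rmi4_data->i2c_client->dev.kobj, &dev_attr_data);`. The attribute loop's kobject should be checked the same way; its remove side is only partly visible here.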
@@ -2528,7 +2546,9 @@ static void synaptics_rmi4_fwu_remove(struct synaptics_rmi4_data *rmi4_data)
{
unsigned char attr_count;
+#ifdef CONFIG_TOUCHSCREEN_SYNAPTICS_DSX_FW_UPDATE_EXTRA_SYSFS
sysfs_remove_bin_file(&rmi4_data->input_dev->dev.kobj, &dev_attr_data);
+#endif
for (attr_count = 0; attr_count < ARRAY_SIZE(attrs); attr_count++) {
sysfs_remove_file(&rmi4_data->input_dev->dev.kobj,

@ -1,34 +0,0 @@
From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Fri, 2 Dec 2016 21:56:40 -0800
Subject: [PATCH] input: touchscreen: disable generic update i/f
Disable the generic touchscreen firmware update hook.
The generic touchscreen firmware update driver has
security flaws and is not necessary for Marlin touchscreen
firmware updates.
synaptics_dsx_htc_2.6 still attempts firmware updates
via request_firmware on boot with this disabled.
BUG: 32917445
BUG: 32919560
BUG: 32769717
Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
Signed-off-by: Andrew Chant <achant@google.com>
---
drivers/input/touchscreen/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
index b633d17ea8b18..1e7ce91810f41 100644
--- a/drivers/input/touchscreen/Kconfig
+++ b/drivers/input/touchscreen/Kconfig
@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
config TOUCHSCREEN_TOUCH_FW_UPDATE
tristate "Touchscreen firmware update"
- default y
help
Say Y here to support touch firmware update
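Review bot: Dropping `default y` changes only what an unset configuration gets; a defconfig that already carries `CONFIG_TOUCHSCREEN_TOUCH_FW_UPDATE=y` still builds the generic update driver that the description calls flawed. No defconfig is touched in this patch, so whether the target builds set the symbol explicitly should be confirmed and the line removed there as well. The help text could also say why the option is off by default, for example `If unsure, say N; this interface is not needed for boot-time firmware updates.`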

@ -1,34 +0,0 @@
From 773179468893965c2b81aa7ffe3722b6868ef749 Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Fri, 2 Dec 2016 21:56:40 -0800
Subject: [PATCH] input: touchscreen: disable generic update i/f
Disable the generic touchscreen firmware update hook.
The generic touchscreen firmware update driver has
security flaws and is not necessary for Marlin touchscreen
firmware updates.
synaptics_dsx_htc_2.6 still attempts firmware updates
via request_firmware on boot with this disabled.
BUG: 32917445
BUG: 32919560
BUG: 32769717
Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
Signed-off-by: Andrew Chant <achant@google.com>
---
drivers/input/touchscreen/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/input/touchscreen/Kconfig b/drivers/input/touchscreen/Kconfig
index b633d17ea8b18..1e7ce91810f41 100644
--- a/drivers/input/touchscreen/Kconfig
+++ b/drivers/input/touchscreen/Kconfig
@@ -1020,7 +1020,6 @@ config SECURE_TOUCH
config TOUCHSCREEN_TOUCH_FW_UPDATE
tristate "Touchscreen firmware update"
- default y
help
Say Y here to support touch firmware update

@ -1,73 +0,0 @@
From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
From: Benet Clark <benetc@codeaurora.org>
Date: Thu, 10 Nov 2016 17:49:09 -0800
Subject: msm: mdss: Clear compat structures before copying to user
In the compat layer, the temporary structures used to convert
data from 32bit to 64bit structures need to be set to 0 before
being assigned values.
CRs-Fixed: 1088206
Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
Signed-off-by: Benet Clark <benetc@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 5ad51dd..a9ab5c1 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
return -EFAULT;
}
+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
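Review bot: The added `memset()` has no comment saying why it is needed, and the field-by-field assignments below make it look redundant to a later reader who might remove it. A one-line comment above it, such as `/* zero padding and unassigned fields: this struct is later copied to user space */`, would keep the intent visible. The same applies to the five other `memset()` calls added in this file (igc, pgc, hist_lut, pa and gamut payloads). The copy to user space itself is outside every hunk, so the comment wording should be checked against it.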
@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
pr_err("failed to copy payload from user for igc\n");
return -EFAULT;
}
+
+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
igc_cfg_payload.len = igc_cfg_payload_32.len;
@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
pr_err("failed to copy from user the pgc32 payload\n");
return -EFAULT;
}
+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
return -EFAULT;
}
+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
return -EFAULT;
}
+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
pa_cfg_payload.mode = pa_cfg_payload32.mode;
pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
pr_err("failed to copy the gamut payload from userspace\n");
return -EFAULT;
}
+
+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
gamut_cfg_payload.tbl_size[i] =
--
cgit v1.1

@ -1,73 +0,0 @@
From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
From: Benet Clark <benetc@codeaurora.org>
Date: Thu, 10 Nov 2016 17:49:09 -0800
Subject: msm: mdss: Clear compat structures before copying to user
In the compat layer, the temporary structures used to convert
data from 32bit to 64bit structures need to be set to 0 before
being assigned values.
CRs-Fixed: 1088206
Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
Signed-off-by: Benet Clark <benetc@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 5ad51dd..a9ab5c1 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
return -EFAULT;
}
+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
pr_err("failed to copy payload from user for igc\n");
return -EFAULT;
}
+
+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
igc_cfg_payload.len = igc_cfg_payload_32.len;
@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
pr_err("failed to copy from user the pgc32 payload\n");
return -EFAULT;
}
+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
return -EFAULT;
}
+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
return -EFAULT;
}
+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
pa_cfg_payload.mode = pa_cfg_payload32.mode;
pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
pr_err("failed to copy the gamut payload from userspace\n");
return -EFAULT;
}
+
+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
gamut_cfg_payload.tbl_size[i] =
--
cgit v1.1

@ -1,91 +0,0 @@
From e6430a4da1fb0212a546379eadbe986f629c3ae9 Mon Sep 17 00:00:00 2001
From: Andrew Chant <achant@google.com>
Date: Fri, 13 Jan 2017 11:41:03 -0800
Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
Protect tmpbuf from concurrent access by mutex.
BUG: 33555878
BUG: 33002026
Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
Signed-off-by: Andrew Chant <achant@google.com>
---
.../synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c | 36 ++++++++++++++--------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
index e699dfea50c81..6878b71da9be0 100644
--- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
@@ -565,18 +565,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto clean_up;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto clean_up;
+ }
address = (unsigned short)(*f_pos);
rmidev_allocate_buffer(count);
- mutex_lock(&(dev_data->file_mutex));
-
retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
*f_pos,
rmidev->tmpbuf,
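Review bot: The result of `rmidev_allocate_buffer(count)` is still not checked before `rmidev->tmpbuf` is handed to `synaptics_rmi4_reg_read()`, and the same holds in the rmidev_write hunk before `copy_from_user(rmidev->tmpbuf, buf, count)`. The helper is defined outside the hunk, so whether it can fail or leave a buffer smaller than `count` cannot be seen here; if it can, taking the mutex earlier does not help and the transfer would run over an undersized or missing buffer. In that case the helper should report failure and both callers should leave through their unlock label with `-ENOMEM`. Separately, `*f_pos > REG_ADDR_LIMIT` does not reject a negative offset; confirm that the llseek handler keeps `*f_pos` non-negative.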
@@ -636,19 +642,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto unlock;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto unlock;
+ }
rmidev_allocate_buffer(count);
- if (copy_from_user(rmidev->tmpbuf, buf, count))
- return -EFAULT;
-
- mutex_lock(&(dev_data->file_mutex));
-
+ if (copy_from_user(rmidev->tmpbuf, buf, count)) {
+ retval = -EFAULT;
+ goto unlock;
+ }
retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
*f_pos,
rmidev->tmpbuf,
@@ -656,8 +668,8 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
if (retval >= 0)
*f_pos += retval;
+unlock:
mutex_unlock(&(dev_data->file_mutex));
-
return retval;
}

@ -1,79 +0,0 @@
From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
From: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Date: Fri, 20 Jan 2017 17:32:53 -0800
Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length
exceeding allocated memory length of results->total_count is
avoided in this fix. change_array is the destination array
whose length is allocated to results->total_count.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index ec2c347ca6219..95bfe2729855f 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
}
change_array = &params->change_array[params->results_rxed_so_far];
- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
+ if ((params->results_rxed_so_far + results->pkt_count) >
+ results->total_count) {
+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
+ *send_evt_bytes = 0;
+ kfree(params->change_array);
+ params->change_array = NULL;
+ return ptr;
+ }
+
+ memcpy(change_array, results->list,
+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
params->results_rxed_so_far += results->pkt_count;
if (params->results_rxed_so_far == results->total_count) {
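Review bot: The new error branch frees `params->change_array` and logs "reset the counters", but `params->results_rxed_so_far` is left at its old value. If the allocation above the hunk is keyed on that counter being zero, the next event would index into a NULL `change_array` and reach the `memcpy()`; adding `params->results_rxed_so_far = 0;` next to `params->change_array = NULL;` closes that. The bound is also taken from `results->total_count` of the current event, while the buffer was presumably sized from an earlier event's value, so the size used at allocation should be stored and compared against instead. dhd_handle_swc_evt starts and ends outside the hunk.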
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 6cadcb56582be..063d49015e5a6 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
/* allows only supported channel on
* current reguatory
*/
+ if (n_nodfs >= num_chans)
+ break;
+
if (channel == (dtoh32(list->element[j])))
default_chan_list[n_nodfs++] =
channel;
@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
#endif /* GSCAN_SUPPORT */
- WL_ERR((">>> PNO Event\n"));
+ if (!data) {
+ WL_ERR(("Data is NULL!\n"));
+ return 0;
+ }
+ WL_DBG((">>> PNO Event\n"));
ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
#ifdef GSCAN_SUPPORT

@ -1,79 +0,0 @@
From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
From: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Date: Fri, 20 Jan 2017 17:32:53 -0800
Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length
exceeding allocated memory length of results->total_count is
avoided in this fix. change_array is the destination array
whose length is allocated to results->total_count.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index ec2c347ca6219..95bfe2729855f 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
}
change_array = &params->change_array[params->results_rxed_so_far];
- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
+ if ((params->results_rxed_so_far + results->pkt_count) >
+ results->total_count) {
+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
+ *send_evt_bytes = 0;
+ kfree(params->change_array);
+ params->change_array = NULL;
+ return ptr;
+ }
+
+ memcpy(change_array, results->list,
+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
params->results_rxed_so_far += results->pkt_count;
if (params->results_rxed_so_far == results->total_count) {
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 6cadcb56582be..063d49015e5a6 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
/* allows only supported channel on
* current reguatory
*/
+ if (n_nodfs >= num_chans)
+ break;
+
if (channel == (dtoh32(list->element[j])))
default_chan_list[n_nodfs++] =
channel;
@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
#endif /* GSCAN_SUPPORT */
- WL_ERR((">>> PNO Event\n"));
+ if (!data) {
+ WL_ERR(("Data is NULL!\n"));
+ return 0;
+ }
+ WL_DBG((">>> PNO Event\n"));
ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
#ifdef GSCAN_SUPPORT

@ -1,56 +0,0 @@
From 012e37bf91490c5b59ba2ab68a4d214b632b613f Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 8 Nov 2016 11:52:55 -0800
Subject: msm: camera: sensor: Validate i2c_frq_mode in msm_cci_get_clk_rates
i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace.
Validate to make sure it has valid values. If a large number is sent
from userspace to avoid a buffer over read.
Crs-Fixed: 1086833
Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
index b1c2382..f113bdc 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
@@ -115,15 +115,16 @@ static int32_t msm_cci_set_clk_param(struct cci_device *cci_dev,
enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master;
enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode;
- clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
-
if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) {
pr_err("%s:%d invalid i2c_freq_mode = %d",
__func__, __LINE__, i2c_freq_mode);
return -EINVAL;
}
+
if (cci_dev->i2c_freq_mode[master] == i2c_freq_mode)
return 0;
+
+ clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
if (MASTER_0 == master) {
msm_camera_io_w_mb(clk_params->hw_thigh << 16 |
clk_params->hw_tlow,
@@ -1196,6 +1197,13 @@ static uint32_t *msm_cci_get_clk_rates(struct cci_device *cci_dev,
struct msm_cci_clk_params_t *clk_params = NULL;
enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode;
struct device_node *of_node = cci_dev->pdev->dev.of_node;
+
+ if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) {
+ pr_err("%s:%d invalid i2c_freq_mode %d\n",
+ __func__, __LINE__, i2c_freq_mode);
+ return NULL;
+ }
+
clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
cci_clk_src = clk_params->cci_clk_src;
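Review bot: msm_cci_get_clk_rates() can now return NULL for an out-of-range `i2c_freq_mode`, and no caller is changed in this patch. Each call site, all outside the visible hunks, needs to check the returned `uint32_t *` before indexing it, otherwise the out-of-bounds read is traded for a NULL dereference. A line in the function's header comment such as `/* returns NULL when i2c_freq_mode is out of range */` would make the new contract explicit. The function body continues outside the hunk.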
--
cgit v1.1

@ -1,60 +0,0 @@
From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Mon, 5 Jun 2017 14:39:26 -0700
Subject: net: wireless: bcmdhd: adding boundary check for pfn events
adding boundary check for bssid count in dhd_pno_process_epno_result
and dhd_handle_hotlist_scan_evt function to prevent heap overflow.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37722328
Bug: 37722970
Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index 8ebdf53..1a8e4ee 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -92,6 +92,11 @@
#define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====")
#define TIME_MIN_DIFF 5
+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
+#define EVENT_MAX_NETCNT \
+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
+ / sizeof(wl_pfn_net_info_t) + 1)
+
#ifdef GSCAN_SUPPORT
static int _dhd_pno_flush_ssid(dhd_pub_t *dhd);
static wl_pfn_gscan_ch_bucket_cfg_t *
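Review bot: `EVENT_DATABUF_MAXLEN` is built from a bare `512` with no comment on where that size comes from, and `EVENT_MAX_NETCNT` inherits it together with an unexplained `+ 1`. Because both new `count` checks compare against this constant and not against the length of the event actually received, a shorter event with a count below the cap could still be read past its end; the handlers' length argument, if one is available at the call sites, would be the tighter bound. At minimum a comment is needed, e.g. `/* firmware event buffer is 512 bytes; wl_pfn_scanresults_t already holds one net info entry */`, with the figures confirmed against the firmware interface. `sizeof` also makes the macro unsigned, so printing `count` with `%d` in the new messages should be checked against its type.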
@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int
if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) {
wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data;
wl_pfn_net_info_t *net;
-
+ if ((pfn_result->count == 0) ||
+ (pfn_result->count > EVENT_MAX_NETCNT)) {
+ DHD_ERROR(("%s event %d: incorrect results count:%d\n",
+ __FUNCTION__, event, pfn_result->count));
+ return NULL;
+ }
if (pfn_result->version != PFN_SCANRESULT_VERSION) {
DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event,
pfn_result->version, PFN_SCANRESULT_VERSION));
@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
- if (!results->count) {
+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
+ results->count));
*send_evt_bytes = 0;
return ptr;
}
--
cgit v1.1

@ -1,43 +0,0 @@
From 208e72e59c8411e75d4118b48648a5b7d42b1682 Mon Sep 17 00:00:00 2001
From: Siena Richard <sienar@codeaurora.org>
Date: Wed, 11 Jan 2017 11:09:24 -0800
Subject: ASoC: msm: qdsp6v2: extend validation of virtual address
Validate a buffer virtual address is fully within the region before
returning the region to ensure functionality for an extended edge
case.
Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CRs-fixed: 1108461
---
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
index 9ade557..c12f791 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
@@ -1,6 +1,6 @@
/* Copyright (C) 2008 Google, Inc.
* Copyright (C) 2008 HTC Corporation
- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
*
* This software is licensed under the terms of the GNU General Public
* License version 2, as published by the Free Software Foundation, and
@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr,
list_for_each_entry(region_elt, &audio->ion_region_queue, list) {
if (addr >= region_elt->vaddr &&
addr < region_elt->vaddr + region_elt->len &&
- addr + len <= region_elt->vaddr + region_elt->len) {
+ addr + len <= region_elt->vaddr + region_elt->len &&
+ addr + len > addr) {
+ /* to avoid integer addition overflow */
+
/* offset since we could pass vaddr inside a registerd
* ion buffer
*/
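Review bot: The added `addr + len > addr` test relies on pointer arithmetic wrapping, which is undefined in C and holds only as long as the build flags keep the compiler from folding it away. It also rejects `len == 0`, which the old condition accepted, so zero-length lookups now fail. Since the first two conditions already place `addr` inside the region, the length can be compared without any addition that may wrap: `len <= region_elt->len - (addr - region_elt->vaddr)`, assuming `vaddr` has the same pointer type as `addr`. The new comment would read better above the condition than inside the block with a blank line after it.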
--
cgit v1.1

@ -1,75 +0,0 @@
From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Mon, 27 Feb 2017 14:28:24 -0800
Subject: ipc/shm: Fix shmat mmap nil-page protection
The issue is described here, with a nice testcase:
https://bugzilla.kernel.org/show_bug.cgi?id=192931
The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0. For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address. So by the time we do security_mmap_addr(0) things
get funky for shmat().
The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page. There are two possible fixes
to this. The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, ie when hacking
up the testcase and adding mmap(... |MAP_FIXED). While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags. This makes the
behavior of shmat() identical to the mmap() case. The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.
Passes shm related ltp tests.
Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
ipc/shm.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index d7805ac..06ea9ef 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1091,8 +1091,8 @@ out_unlock1:
* "raddr" thing points to kernel space, and there has to be a wrapper around
* this.
*/
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+ ulong *raddr, unsigned long shmlba)
{
struct shmid_kernel *shp;
unsigned long addr;
@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
goto out;
else if ((addr = (ulong)shmaddr)) {
if (addr & (shmlba - 1)) {
- if (shmflg & SHM_RND)
- addr &= ~(shmlba - 1); /* round down */
+ /*
+ * Round down to the nearest multiple of shmlba.
+ * For sane do_mmap_pgoff() parameters, avoid
+ * round downs that trigger nil-page and MAP_FIXED.
+ */
+ if ((shmflg & SHM_RND) && addr >= shmlba)
+ addr &= ~(shmlba - 1);
else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
--
cgit v1.1

@ -1,47 +0,0 @@
From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@google.com>
Date: Thu, 16 Feb 2017 17:22:46 +0100
Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Similar fixes for TCP:
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/dccp/input.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/dccp/input.c b/net/dccp/input.c
index ba34718..8fedc2d 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
skb) < 0)
return 1;
- goto discard;
+ consume_skb(skb);
+ return 0;
}
if (dh->dccph_type == DCCP_PKT_RESET)
goto discard;
--
cgit v1.1

@ -1,50 +0,0 @@
From ae8f1d5f60644983aba7fbab469d0e542a187c6e Mon Sep 17 00:00:00 2001
From: Walter Yang <yandongy@codeaurora.org>
Date: Thu, 2 Mar 2017 12:13:34 +0800
Subject: ASoC: Add backend user count checking
Add backend user count checking to protect the index
boundary.
Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
CRs-Fixed: 2009216
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
---
sound/soc/soc-compress.c | 5 +++++
sound/soc/soc-pcm.c | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
index 832f221f..a56e2e5 100644
--- a/sound/soc/soc-compress.c
+++ b/sound/soc/soc-compress.c
@@ -533,6 +533,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
cstream, &async_domain);
} else {
be_list[j++] = be;
+ if (j == DPCM_MAX_BE_USERS) {
+ dev_dbg(fe->dev,
+ "ASoC: MAX backend users!\n");
+ break;
+ }
}
}
for (i = 0; i < j; i++) {
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 6c44757..e6de6ad 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -2320,6 +2320,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream,
dpcm, domain);
} else {
dpcm_async[i++] = dpcm;
+ if (i == DPCM_MAX_BE_USERS) {
+ dev_dbg(fe->dev, "ASoC: MAX backend users!\n");
+ break;
+ }
}
}
--
cgit v1.1

@ -1,45 +0,0 @@
From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001
From: Sungjun Park <sjpark@codeaurora.org>
Date: Mon, 23 Jan 2017 13:28:44 -0800
Subject: bluetooth: Fix free data pointer routine
Data pointer has been reused after freed it. So,
it has been moved to after using the data pointer
to clean up resource and freed it.
Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d
Signed-off-by: Sungjun Park <sjpark@codeaurora.org>
---
drivers/bluetooth/btfm_slim.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c
index 5fb00b9..1c6e256 100644
--- a/drivers/bluetooth/btfm_slim.c
+++ b/drivers/bluetooth/btfm_slim.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim)
BTFMSLIM_DBG("");
mutex_destroy(&btfm_slim->io_lock);
mutex_destroy(&btfm_slim->xfer_lock);
- kfree(btfm_slim);
snd_soc_unregister_codec(&slim->dev);
BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd");
@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim)
BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd");
slim_remove_device(slim);
+
+ kfree(btfm_slim);
return 0;
}
--
cgit v1.1

@ -1 +0,0 @@
Not Found

@ -1,64 +0,0 @@
From 83eaddab4378db256d00d295bda6ca997cd13a52 Mon Sep 17 00:00:00 2001
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Tue, 9 May 2017 16:59:54 -0700
Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/dccp/ipv6.c | 6 ++++++
net/ipv6/tcp_ipv6.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index d9b6a4e..b6bbb71 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
newsk->sk_backlog_rcv = dccp_v4_do_rcv;
newnp->pktoptions = NULL;
newnp->opt = NULL;
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
newnp->mcast_oif = inet6_iif(skb);
newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
/* Clone RX bits */
newnp->rxopt.all = np->rxopt.all;
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
newnp->pktoptions = NULL;
newnp->opt = NULL;
newnp->mcast_oif = inet6_iif(skb);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index aeb9497..df5a9ff 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif
+ newnp->ipv6_mc_list = NULL;
newnp->ipv6_ac_list = NULL;
newnp->ipv6_fl_list = NULL;
newnp->pktoptions = NULL;
@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
First: no IPv4 options.
*/
newinet->inet_opt = NULL;
+ newnp->ipv6_mc_list = NULL;
newnp->ipv6_ac_list = NULL;
newnp->ipv6_fl_list = NULL;
--
cgit v1.1

@ -1,49 +1,50 @@
#!/bin/bash
cd $base"kernel/amazon/hdx-common"
git apply $cvePatches"CVE-2012-6704"/*.patch && echo 'Applied fix for CVE-2012-6704'
git apply $cvePatches"CVE-2014-1739"/*.patch && echo 'Applied fix for CVE-2014-1739'
git apply $cvePatches"CVE-2014-4656"/*.patch && echo 'Applied fix for CVE-2014-4656'
git apply $cvePatches"CVE-2014-7822"/*.patch && echo 'Applied fix for CVE-2014-7822'
git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2014-9880"/*.patch && echo 'Applied fix for CVE-2014-9880'
git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
git apply $cvePatches"CVE-2016-10230"/*.patch && echo 'Applied fix for CVE-2016-10230'
git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
git apply $cvePatches"CVE-2016-2488"/*.patch && echo 'Applied fix for CVE-2016-2488'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3893"/*.patch && echo 'Applied fix for CVE-2016-3893'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-6751"/*.patch && echo 'Applied fix for CVE-2016-6751'
git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2016-8417"/*.patch && echo 'Applied fix for CVE-2016-8417'
git apply $cvePatches"CVE-2016-8444"/*.patch && echo 'Applied fix for CVE-2016-8444'
git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2016-9793"/*.patch && echo 'Applied fix for CVE-2016-9793'
git apply $cvePatches"CVE-2017-0403"/*.patch && echo 'Applied fix for CVE-2017-0403'
git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-10662"/*.patch && echo 'Applied fix for CVE-2017-10662'
git apply $cvePatches"CVE-2017-11000"/*.patch && echo 'Applied fix for CVE-2017-11000'
git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches"CVE-2017-9706"/*.patch && echo 'Applied fix for CVE-2017-9706'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2012-6704/0.patch
git apply $cvePatches/CVE-2014-1739/0.patch
git apply $cvePatches/CVE-2014-4656/0.patch
git apply $cvePatches/CVE-2014-7822/0.patch
git apply $cvePatches/CVE-2014-9420/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2014-9880/0.patch
git apply $cvePatches/CVE-2015-1593/0.patch
git apply $cvePatches/CVE-2016-10230/0.patch
git apply $cvePatches/CVE-2016-2185/0.patch
git apply $cvePatches/CVE-2016-2186/0.patch
git apply $cvePatches/CVE-2016-2488/0.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3893/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-6751/0.patch
git apply $cvePatches/CVE-2016-6753/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2016-8417/0.patch
git apply $cvePatches/CVE-2016-8444/0.patch
git apply $cvePatches/CVE-2016-8650/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2016-9793/0.patch
git apply $cvePatches/CVE-2017-0403/0.patch
git apply $cvePatches/CVE-2017-0404/0.patch
git apply $cvePatches/CVE-2017-0611/0.patch
git apply $cvePatches/CVE-2017-0751/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-10662/0.patch
git apply $cvePatches/CVE-2017-11000/0.patch
git apply $cvePatches/CVE-2017-11059/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5970/0.patch
git apply $cvePatches/CVE-2017-6074/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8247/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
git apply $cvePatches/CVE-2017-9706/0.patch
cd $base
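Review bot: The new `git apply` lines drop the `&& echo 'Applied fix …'` suffix and still do not check the exit status, so when a patch fails to apply the script moves on to the next CVE and the only trace is git's own error output. For a CVE patcher that means a kernel can be built with a fix missing and the log no longer shows which fixes went in. I would make failures explicit, e.g. `git apply "$cvePatches/CVE-2012-6703/0.patch" || echo 'FAILED: CVE-2012-6703' >&2`, or collect them and exit non-zero at the end; quoting the expansion also protects against paths containing spaces. The same applies to the other patcher scripts changed below (asus/msm8916, fairphone/msm8974, google/marlin, google/msm, htc/flounder, huawei/angler).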

@ -1,8 +1,9 @@
#!/bin/bash
cd $base"kernel/asus/msm8916"
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-8394"/*.patch && echo 'Applied fix for CVE-2016-8394'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-8394/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
cd $base

@ -1,12 +1,13 @@
#!/bin/bash
cd $base"kernel/fairphone/msm8974"
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2017-0430"/*.patch && echo 'Applied fix for CVE-2017-0430'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2017-0430/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-11059/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
cd $base

@ -1,69 +1,72 @@
#!/bin/bash
cd $base"kernel/google/marlin"
git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
git apply $cvePatches"CVE-2015-8966"/*.patch && echo 'Applied fix for CVE-2015-8966'
git apply $cvePatches"CVE-2016-10044"/*.patch && echo 'Applied fix for CVE-2016-10044'
git apply $cvePatches"CVE-2016-10088"/*.patch && echo 'Applied fix for CVE-2016-10088'
git apply $cvePatches"CVE-2016-10153"/*.patch && echo 'Applied fix for CVE-2016-10153'
git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
git apply $cvePatches"CVE-2016-2847"/*.patch && echo 'Applied fix for CVE-2016-2847'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
git apply $cvePatches"CVE-2016-3156"/*.patch && echo 'Applied fix for CVE-2016-3156'
git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
git apply $cvePatches"CVE-2016-3906"/*.patch && echo 'Applied fix for CVE-2016-3906'
git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
git apply $cvePatches"CVE-2016-5854"/*.patch && echo 'Applied fix for CVE-2016-5854'
git apply $cvePatches"CVE-2016-5856"/*.patch && echo 'Applied fix for CVE-2016-5856'
git apply $cvePatches"CVE-2016-5857"/*.patch && echo 'Applied fix for CVE-2016-5857'
git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-7042"/*.patch && echo 'Applied fix for CVE-2016-7042'
git apply $cvePatches"CVE-2016-8418"/*.patch && echo 'Applied fix for CVE-2016-8418'
git apply $cvePatches"CVE-2016-9191"/*.patch && echo 'Applied fix for CVE-2016-9191'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-0622"/*.patch && echo 'Applied fix for CVE-2017-0622'
git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-10998"/*.patch && echo 'Applied fix for CVE-2017-10998'
git apply $cvePatches"CVE-2017-11001"/*.patch && echo 'Applied fix for CVE-2017-11001'
git apply $cvePatches"CVE-2017-11002"/*.patch && echo 'Applied fix for CVE-2017-11002'
git apply $cvePatches"CVE-2017-11046"/*.patch && echo 'Applied fix for CVE-2017-11046'
git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
git apply $cvePatches"CVE-2017-11057"/*.patch && echo 'Applied fix for CVE-2017-11057'
git apply $cvePatches"CVE-2017-11600"/*.patch && echo 'Applied fix for CVE-2017-11600'
git apply $cvePatches"CVE-2017-12146"/*.patch && echo 'Applied fix for CVE-2017-12146'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-5986"/*.patch && echo 'Applied fix for CVE-2017-5986'
git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6353"/*.patch && echo 'Applied fix for CVE-2017-6353'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7371"/*.patch && echo 'Applied fix for CVE-2017-7371'
git apply $cvePatches"CVE-2017-7372"/*.patch && echo 'Applied fix for CVE-2017-7372'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-7616"/*.patch && echo 'Applied fix for CVE-2017-7616'
git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
git apply $cvePatches"CVE-2017-8251"/*.patch && echo 'Applied fix for CVE-2017-8251'
git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
git apply $cvePatches"CVE-2017-9075"/*.patch && echo 'Applied fix for CVE-2017-9075'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches"CVE-2017-9686"/*.patch && echo 'Applied fix for CVE-2017-9686'
git apply $cvePatches"CVE-2017-9687"/*.patch && echo 'Applied fix for CVE-2017-9687'
git apply $cvePatches"CVE-2017-9697"/*.patch && echo 'Applied fix for CVE-2017-9697'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9900/0.patch
git apply $cvePatches/CVE-2015-2041/0.patch
git apply $cvePatches/CVE-2015-8966/0.patch
git apply $cvePatches/CVE-2016-10044/0.patch
git apply $cvePatches/CVE-2016-10088/0.patch
git apply $cvePatches/CVE-2016-10153/0.patch
git apply $cvePatches/CVE-2016-2187/1.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-2549/0.patch
git apply $cvePatches/CVE-2016-2847/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3136/0.patch
git apply $cvePatches/CVE-2016-3137/0.patch
git apply $cvePatches/CVE-2016-3140/0.patch
git apply $cvePatches/CVE-2016-3156/0.patch
git apply $cvePatches/CVE-2016-3865/0.patch
git apply $cvePatches/CVE-2016-3865/1.patch
git apply $cvePatches/CVE-2016-3906/0.patch
git apply $cvePatches/CVE-2016-5342/0.patch
git apply $cvePatches/CVE-2016-5345/0.patch
git apply $cvePatches/CVE-2016-5854/0.patch
git apply $cvePatches/CVE-2016-5856/0.patch
git apply $cvePatches/CVE-2016-5857/0.patch
git apply $cvePatches/CVE-2016-5867/0.patch
git apply $cvePatches/CVE-2016-5870/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-7042/0.patch
git apply $cvePatches/CVE-2016-8418/0.patch
git apply $cvePatches/CVE-2016-9191/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-0622/0.patch
git apply $cvePatches/CVE-2017-0627/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-10998/0.patch
git apply $cvePatches/CVE-2017-11001/0.patch
git apply $cvePatches/CVE-2017-11002/0.patch
git apply $cvePatches/CVE-2017-11046/0.patch
git apply $cvePatches/CVE-2017-11048/0.patch
git apply $cvePatches/CVE-2017-11057/0.patch
git apply $cvePatches/CVE-2017-11600/0.patch
git apply $cvePatches/CVE-2017-12146/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-5986/0.patch
git apply $cvePatches/CVE-2017-6001/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6353/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7371/0.patch
git apply $cvePatches/CVE-2017-7372/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-7616/0.patch
git apply $cvePatches/CVE-2017-7618/0.patch
git apply $cvePatches/CVE-2017-8247/0.patch
git apply $cvePatches/CVE-2017-8251/0.patch
git apply $cvePatches/CVE-2017-8280/0.patch
git apply $cvePatches/CVE-2017-9075/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
git apply $cvePatches/CVE-2017-9686/0.patch
git apply $cvePatches/CVE-2017-9687/0.patch
git apply $cvePatches/CVE-2017-9697/0.patch
cd $base
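Review bot: `git apply $cvePatches/CVE-2016-2187/1.patch` replaces a glob that applied every patch in the CVE-2016-2187 directory with one numbered file, and nothing in the script says why `0.patch` is not used for this kernel. A comment above the line would stop a later update from quietly switching it back, e.g. `# CVE-2016-2187: 1.patch is the variant for this tree (<reason>)`, with the reason filled in by the author since the patch contents are not visible here. The huawei/angler script makes the same choice for CVE-2016-2187. Because the glob is gone, a directory that gains a second patch (as CVE-2016-3865 does here with `0.patch` and `1.patch`) has to be listed by hand in every script that needs it.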

@ -1,13 +1,14 @@
#!/bin/bash
cd $base"kernel/google/msm"
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3859"/*.patch && echo 'Applied fix for CVE-2016-3859'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2015-1593/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3859/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0751/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
cd $base

@ -1,28 +1,29 @@
#!/bin/bash
cd $base"kernel/htc/flounder"
git apply $cvePatches"CVE-2014-9892"/*.patch && echo 'Applied fix for CVE-2014-9892'
git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
git apply $cvePatches"CVE-2015-8944"/*.patch && echo 'Applied fix for CVE-2015-8944'
git apply $cvePatches"CVE-2016-0819"/*.patch && echo 'Applied fix for CVE-2016-0819'
git apply $cvePatches"CVE-2016-8453"/*.patch && echo 'Applied fix for CVE-2016-8453'
git apply $cvePatches"CVE-2016-8464"/*.patch && echo 'Applied fix for CVE-2016-8464'
git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0449"/*.patch && echo 'Applied fix for CVE-2017-0449'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-10996"/*.patch && echo 'Applied fix for CVE-2017-10996'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9892/0.patch
git apply $cvePatches/CVE-2014-9900/0.patch
git apply $cvePatches/CVE-2015-4177/0.patch
git apply $cvePatches/CVE-2015-8944/0.patch
git apply $cvePatches/CVE-2016-0819/0.patch
git apply $cvePatches/CVE-2016-8453/0.patch
git apply $cvePatches/CVE-2016-8464/0.patch
git apply $cvePatches/CVE-2016-8650/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0449/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0794/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-10996/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-5970/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
cd $base

@ -1,54 +1,54 @@
#!/bin/bash
cd $base"kernel/huawei/angler"
git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
git apply $cvePatches"CVE-2016-0805"/*.patch && echo 'Applied fix for CVE-2016-0805'
git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
git apply $cvePatches"CVE-2016-3138"/*.patch && echo 'Applied fix for CVE-2016-3138'
git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-0824"/*.patch && echo 'Applied fix for CVE-2017-0824'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-8173/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2015-2041/0.patch
git apply $cvePatches/CVE-2015-4170/0.patch
git apply $cvePatches/CVE-2015-4177/0.patch
git apply $cvePatches/CVE-2015-7550/0.patch
git apply $cvePatches/CVE-2016-0805/0.patch
git apply $cvePatches/CVE-2016-2063/0.patch
git apply $cvePatches/CVE-2016-2185/0.patch
git apply $cvePatches/CVE-2016-2186/0.patch
git apply $cvePatches/CVE-2016-2187/1.patch
git apply $cvePatches/CVE-2016-2384/0.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-2545/0.patch
git apply $cvePatches/CVE-2016-2547/0.patch
git apply $cvePatches/CVE-2016-2549/0.patch
git apply $cvePatches/CVE-2016-3070/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3136/0.patch
git apply $cvePatches/CVE-2016-3137/0.patch
git apply $cvePatches/CVE-2016-3138/0.patch
git apply $cvePatches/CVE-2016-3140/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2016-3689/0.patch
git apply $cvePatches/CVE-2016-5342/0.patch
git apply $cvePatches/CVE-2016-5345/0.patch
git apply $cvePatches/CVE-2016-5859/0.patch
git apply $cvePatches/CVE-2016-5867/0.patch
git apply $cvePatches/CVE-2016-5870/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0516/0.patch
git apply $cvePatches/CVE-2017-0523/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-0824/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-6001/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8280/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
cd $base
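Review bot: The new list has no line for CVE-2017-0436, which the old list applied with `git apply $cvePatches"CVE-2017-0436"/*.patch`, so this kernel stops receiving that fix unless it is covered some other way. The commit title speaks of removing duplicate patches, so the removal is presumably deliberate, but nothing visible here shows which remaining patch carries the same change for angler. I would either keep the line or leave a comment in its place naming the replacement, e.g. `# CVE-2017-0436: dropped, covered by <patch or upstream commit>`.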

@ -1,49 +1,49 @@
#!/bin/bash
cd $base"kernel/lge/bullhead"
git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
git apply $cvePatches"CVE-2016-0805"/*.patch && echo 'Applied fix for CVE-2016-0805'
git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
git apply $cvePatches"CVE-2016-5345"/*.patch && echo 'Applied fix for CVE-2016-5345'
git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-6001"/*.patch && echo 'Applied fix for CVE-2017-6001'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-8173/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2015-2041/0.patch
git apply $cvePatches/CVE-2015-4170/0.patch
git apply $cvePatches/CVE-2015-4177/0.patch
git apply $cvePatches/CVE-2015-7550/0.patch
git apply $cvePatches/CVE-2016-0805/0.patch
git apply $cvePatches/CVE-2016-2063/0.patch
git apply $cvePatches/CVE-2016-2185/0.patch
git apply $cvePatches/CVE-2016-2186/0.patch
git apply $cvePatches/CVE-2016-2187/1.patch
git apply $cvePatches/CVE-2016-2384/0.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-2545/0.patch
git apply $cvePatches/CVE-2016-2547/0.patch
git apply $cvePatches/CVE-2016-2549/0.patch
git apply $cvePatches/CVE-2016-3070/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3136/0.patch
git apply $cvePatches/CVE-2016-3137/0.patch
git apply $cvePatches/CVE-2016-3140/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2016-3689/0.patch
git apply $cvePatches/CVE-2016-5345/0.patch
git apply $cvePatches/CVE-2016-5859/0.patch
git apply $cvePatches/CVE-2016-5867/0.patch
git apply $cvePatches/CVE-2016-5870/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0516/0.patch
git apply $cvePatches/CVE-2017-0523/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-6001/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
cd $base
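Review bot: None of the rewritten `git apply $cvePatches/CVE-…/0.patch` lines in this patcher checks its exit status, and with the `&& echo 'Applied fix for …'` suffix removed there is no longer a positive record of which fixes landed. When a patch stops applying, `git apply` reports it on stderr but the script carries on to `cd $base`, so unless the caller enables errexit a kernel can be built with a CVE fix missing and nothing in the run fails. If best-effort application is intended, record the misses explicitly, e.g. `git apply "$cvePatches/CVE-2015-4177/0.patch" || failed="$failed CVE-2015-4177"`, and finish with a summary and a non-zero status; otherwise stop at the first failure. The same applies to the hammerhead, mako, shamu, motorola/msm8916, motorola/msm8992, nextbit and oneplus patchers below.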

@ -1,26 +1,27 @@
#!/bin/bash
cd $base"kernel/lge/hammerhead"
git apply $cvePatches"CVE-2014-9881"/*.patch && echo 'Applied fix for CVE-2014-9881'
git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-5829"/*.patch && echo 'Applied fix for CVE-2016-5829'
git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9881/0.patch
git apply $cvePatches/CVE-2015-1593/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-5829/0.patch
git apply $cvePatches/CVE-2016-8650/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0611/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0751/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5970/0.patch
git apply $cvePatches/CVE-2017-6074/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8247/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
cd $base
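Review bot: `$base` and `$cvePatches` are expanded unquoted on every line of this patcher, and the `cd $base"kernel/lge/hammerhead"` at the top is not checked. If that directory is missing, or either variable is empty or contains whitespace, the `git apply` commands that follow run against whatever directory the caller was in. Quoting and guarding the first line would close this, e.g. `cd "${base}kernel/lge/hammerhead" || exit 1` (or `return 1` if the patchers are sourced), with `git apply "$cvePatches/CVE-2012-6703/0.patch"` as the form for the patch lines. The other patcher scripts in this commit follow the same pattern.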

@ -1,6 +1,7 @@
#!/bin/bash
cd $base"kernel/lge/mako"
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2016-9793"/*.patch && echo 'Applied fix for CVE-2016-9793'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2016-9793/0.patch
cd $base

@ -1,56 +1,58 @@
#!/bin/bash
cd $base"kernel/moto/shamu"
git apply $cvePatches"CVE-2014-8173"/*.patch && echo 'Applied fix for CVE-2014-8173'
git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
git apply $cvePatches"CVE-2014-9683"/*.patch && echo 'Applied fix for CVE-2014-9683'
git apply $cvePatches"CVE-2014-9715"/*.patch && echo 'Applied fix for CVE-2014-9715'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2015-1420"/*.patch && echo 'Applied fix for CVE-2015-1420'
git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
git apply $cvePatches"CVE-2015-2041"/*.patch && echo 'Applied fix for CVE-2015-2041'
git apply $cvePatches"CVE-2015-4170"/*.patch && echo 'Applied fix for CVE-2015-4170'
git apply $cvePatches"CVE-2015-4177"/*.patch && echo 'Applied fix for CVE-2015-4177'
git apply $cvePatches"CVE-2015-7550"/*.patch && echo 'Applied fix for CVE-2015-7550'
git apply $cvePatches"CVE-2015-8967"/*.patch && echo 'Applied fix for CVE-2015-8967'
git apply $cvePatches"CVE-2016-0758"/*.patch && echo 'Applied fix for CVE-2016-0758'
git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
git apply $cvePatches"CVE-2016-2187"/*.patch && echo 'Applied fix for CVE-2016-2187'
git apply $cvePatches"CVE-2016-2384"/*.patch && echo 'Applied fix for CVE-2016-2384'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-2545"/*.patch && echo 'Applied fix for CVE-2016-2545'
git apply $cvePatches"CVE-2016-2547"/*.patch && echo 'Applied fix for CVE-2016-2547'
git apply $cvePatches"CVE-2016-2549"/*.patch && echo 'Applied fix for CVE-2016-2549'
git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3136"/*.patch && echo 'Applied fix for CVE-2016-3136'
git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
git apply $cvePatches"CVE-2016-3138"/*.patch && echo 'Applied fix for CVE-2016-3138'
git apply $cvePatches"CVE-2016-3140"/*.patch && echo 'Applied fix for CVE-2016-3140'
git apply $cvePatches"CVE-2016-3689"/*.patch && echo 'Applied fix for CVE-2016-3689'
git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
git apply $cvePatches"CVE-2016-5342"/*.patch && echo 'Applied fix for CVE-2016-5342'
git apply $cvePatches"CVE-2016-5870"/*.patch && echo 'Applied fix for CVE-2016-5870'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2016-8464"/*.patch && echo 'Applied fix for CVE-2016-8464'
git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0824"/*.patch && echo 'Applied fix for CVE-2017-0824'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8269"/*.patch && echo 'Applied fix for CVE-2017-8269'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-8173/0.patch
git apply $cvePatches/CVE-2014-9420/0.patch
git apply $cvePatches/CVE-2014-9683/0.patch
git apply $cvePatches/CVE-2014-9715/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2015-1420/0.patch
git apply $cvePatches/CVE-2015-1593/0.patch
git apply $cvePatches/CVE-2015-2041/0.patch
git apply $cvePatches/CVE-2015-4170/0.patch
git apply $cvePatches/CVE-2015-4177/0.patch
git apply $cvePatches/CVE-2015-7550/0.patch
git apply $cvePatches/CVE-2015-8967/0.patch
git apply $cvePatches/CVE-2016-0758/0.patch
git apply $cvePatches/CVE-2016-2185/0.patch
git apply $cvePatches/CVE-2016-2186/0.patch
git apply $cvePatches/CVE-2016-2187/1.patch
git apply $cvePatches/CVE-2016-2384/0.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-2545/0.patch
git apply $cvePatches/CVE-2016-2547/0.patch
git apply $cvePatches/CVE-2016-2549/0.patch
git apply $cvePatches/CVE-2016-3070/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3136/0.patch
git apply $cvePatches/CVE-2016-3137/0.patch
git apply $cvePatches/CVE-2016-3138/0.patch
git apply $cvePatches/CVE-2016-3140/0.patch
git apply $cvePatches/CVE-2016-3689/0.patch
git apply $cvePatches/CVE-2016-3865/0.patch
git apply $cvePatches/CVE-2016-3865/1.patch
git apply $cvePatches/CVE-2016-5342/0.patch
git apply $cvePatches/CVE-2016-5870/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2016-8464/0.patch
git apply $cvePatches/CVE-2016-8650/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0404/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-0627/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0824/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8269/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
cd $base
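Review bot: The line `git apply $cvePatches/CVE-2016-2187/1.patch` applies only the second file of that directory, where the old line applied `*.patch`, and nothing in the script says why `0.patch` is skipped. Presumably the numbered files are variants for different kernel versions or parts of one fix, but that cannot be confirmed from this page. CVE-2016-3865 lists both `0.patch` and `1.patch` here, so the convention is not uniform. A short comment would make the choice auditable, e.g. `# CVE-2016-2187: 0.patch targets <kernel version>, this tree needs 1.patch`. The bullhead patcher has the same line.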

@ -1,22 +1,25 @@
#!/bin/bash
cd $base"kernel/motorola/msm8916"
git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2015-1593"/*.patch && echo 'Applied fix for CVE-2015-1593'
git apply $cvePatches"CVE-2015-8967"/*.patch && echo 'Applied fix for CVE-2015-8967'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3137"/*.patch && echo 'Applied fix for CVE-2016-3137'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
git apply $cvePatches"CVE-2016-3902"/*.patch && echo 'Applied fix for CVE-2016-3902'
git apply $cvePatches"CVE-2016-5858"/*.patch && echo 'Applied fix for CVE-2016-5858'
git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9420/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2015-1593/0.patch
git apply $cvePatches/CVE-2015-8967/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3137/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2016-3865/0.patch
git apply $cvePatches/CVE-2016-3865/1.patch
git apply $cvePatches/CVE-2016-3902/0.patch
git apply $cvePatches/CVE-2016-5858/0.patch
git apply $cvePatches/CVE-2016-5858/1.patch
git apply $cvePatches/CVE-2016-5859/0.patch
git apply $cvePatches/CVE-2016-5867/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0794/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
cd $base

@ -1,79 +1,81 @@
#!/bin/bash
cd $base"kernel/motorola/msm8992"
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2016-0758"/*.patch && echo 'Applied fix for CVE-2016-0758'
git apply $cvePatches"CVE-2016-10200"/*.patch && echo 'Applied fix for CVE-2016-10200'
git apply $cvePatches"CVE-2016-10230"/*.patch && echo 'Applied fix for CVE-2016-10230'
git apply $cvePatches"CVE-2016-2063"/*.patch && echo 'Applied fix for CVE-2016-2063'
git apply $cvePatches"CVE-2016-3070"/*.patch && echo 'Applied fix for CVE-2016-3070'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2016-3865"/*.patch && echo 'Applied fix for CVE-2016-3865'
git apply $cvePatches"CVE-2016-3902"/*.patch && echo 'Applied fix for CVE-2016-3902'
git apply $cvePatches"CVE-2016-3907"/*.patch && echo 'Applied fix for CVE-2016-3907'
git apply $cvePatches"CVE-2016-5346"/*.patch && echo 'Applied fix for CVE-2016-5346'
git apply $cvePatches"CVE-2016-5347"/*.patch && echo 'Applied fix for CVE-2016-5347'
git apply $cvePatches"CVE-2016-5853"/*.patch && echo 'Applied fix for CVE-2016-5853'
git apply $cvePatches"CVE-2016-5858"/*.patch && echo 'Applied fix for CVE-2016-5858'
git apply $cvePatches"CVE-2016-5859"/*.patch && echo 'Applied fix for CVE-2016-5859'
git apply $cvePatches"CVE-2016-5867"/*.patch && echo 'Applied fix for CVE-2016-5867'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-6681"/*.patch && echo 'Applied fix for CVE-2016-6681'
git apply $cvePatches"CVE-2016-6751"/*.patch && echo 'Applied fix for CVE-2016-6751'
git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
git apply $cvePatches"CVE-2016-8417"/*.patch && echo 'Applied fix for CVE-2016-8417'
git apply $cvePatches"CVE-2016-8444"/*.patch && echo 'Applied fix for CVE-2016-8444'
git apply $cvePatches"CVE-2016-8479"/*.patch && echo 'Applied fix for CVE-2016-8479'
git apply $cvePatches"CVE-2016-8650"/*.patch && echo 'Applied fix for CVE-2016-8650'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
git apply $cvePatches"CVE-2017-0436"/*.patch && echo 'Applied fix for CVE-2017-0436'
git apply $cvePatches"CVE-2017-0452"/*.patch && echo 'Applied fix for CVE-2017-0452'
git apply $cvePatches"CVE-2017-0460"/*.patch && echo 'Applied fix for CVE-2017-0460'
git apply $cvePatches"CVE-2017-0463"/*.patch && echo 'Applied fix for CVE-2017-0463'
git apply $cvePatches"CVE-2017-0516"/*.patch && echo 'Applied fix for CVE-2017-0516'
git apply $cvePatches"CVE-2017-0523"/*.patch && echo 'Applied fix for CVE-2017-0523'
git apply $cvePatches"CVE-2017-0537"/*.patch && echo 'Applied fix for CVE-2017-0537'
git apply $cvePatches"CVE-2017-0604"/*.patch && echo 'Applied fix for CVE-2017-0604'
git apply $cvePatches"CVE-2017-0606"/*.patch && echo 'Applied fix for CVE-2017-0606'
git apply $cvePatches"CVE-2017-0611"/*.patch && echo 'Applied fix for CVE-2017-0611'
git apply $cvePatches"CVE-2017-0627"/*.patch && echo 'Applied fix for CVE-2017-0627'
git apply $cvePatches"CVE-2017-0631"/*.patch && echo 'Applied fix for CVE-2017-0631'
git apply $cvePatches"CVE-2017-0746"/*.patch && echo 'Applied fix for CVE-2017-0746'
git apply $cvePatches"CVE-2017-0748"/*.patch && echo 'Applied fix for CVE-2017-0748'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
git apply $cvePatches"CVE-2017-0794"/*.patch && echo 'Applied fix for CVE-2017-0794'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-10997"/*.patch && echo 'Applied fix for CVE-2017-10997'
git apply $cvePatches"CVE-2017-10998"/*.patch && echo 'Applied fix for CVE-2017-10998'
git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
git apply $cvePatches"CVE-2017-11056"/*.patch && echo 'Applied fix for CVE-2017-11056'
git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-2671"/*.patch && echo 'Applied fix for CVE-2017-2671'
git apply $cvePatches"CVE-2017-5669"/*.patch && echo 'Applied fix for CVE-2017-5669'
git apply $cvePatches"CVE-2017-5970"/*.patch && echo 'Applied fix for CVE-2017-5970'
git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-6951"/*.patch && echo 'Applied fix for CVE-2017-6951'
git apply $cvePatches"CVE-2017-7369"/*.patch && echo 'Applied fix for CVE-2017-7369'
git apply $cvePatches"CVE-2017-7472"/*.patch && echo 'Applied fix for CVE-2017-7472'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8242"/*.patch && echo 'Applied fix for CVE-2017-8242'
git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
git apply $cvePatches"CVE-2017-8251"/*.patch && echo 'Applied fix for CVE-2017-8251'
git apply $cvePatches"CVE-2017-8260"/*.patch && echo 'Applied fix for CVE-2017-8260'
git apply $cvePatches"CVE-2017-8265"/*.patch && echo 'Applied fix for CVE-2017-8265'
git apply $cvePatches"CVE-2017-8280"/*.patch && echo 'Applied fix for CVE-2017-8280'
git apply $cvePatches"CVE-2017-9075"/*.patch && echo 'Applied fix for CVE-2017-9075'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches"CVE-2017-9693"/*.patch && echo 'Applied fix for CVE-2017-9693'
git apply $cvePatches"CVE-2017-9694"/*.patch && echo 'Applied fix for CVE-2017-9694'
git apply $cvePatches"CVE-2017-9720"/*.patch && echo 'Applied fix for CVE-2017-9720'
git apply $cvePatches"CVE-2017-9724"/*.patch && echo 'Applied fix for CVE-2017-9724'
git apply $cvePatches"CVE-2017-9725"/*.patch && echo 'Applied fix for CVE-2017-9725'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2016-0758/0.patch
git apply $cvePatches/CVE-2016-10200/0.patch
git apply $cvePatches/CVE-2016-10230/0.patch
git apply $cvePatches/CVE-2016-2063/0.patch
git apply $cvePatches/CVE-2016-3070/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2016-3865/0.patch
git apply $cvePatches/CVE-2016-3865/1.patch
git apply $cvePatches/CVE-2016-3902/0.patch
git apply $cvePatches/CVE-2016-3907/0.patch
git apply $cvePatches/CVE-2016-5346/0.patch
git apply $cvePatches/CVE-2016-5347/0.patch
git apply $cvePatches/CVE-2016-5853/0.patch
git apply $cvePatches/CVE-2016-5858/0.patch
git apply $cvePatches/CVE-2016-5858/1.patch
git apply $cvePatches/CVE-2016-5859/0.patch
git apply $cvePatches/CVE-2016-5867/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-6682/0.patch
git apply $cvePatches/CVE-2016-6751/0.patch
git apply $cvePatches/CVE-2016-6753/0.patch
git apply $cvePatches/CVE-2016-8417/0.patch
git apply $cvePatches/CVE-2016-8444/0.patch
git apply $cvePatches/CVE-2016-8479/0.patch
git apply $cvePatches/CVE-2016-8650/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0404/0.patch
git apply $cvePatches/CVE-2017-0452/0.patch
git apply $cvePatches/CVE-2017-0460/0.patch
git apply $cvePatches/CVE-2017-0463/0.patch
git apply $cvePatches/CVE-2017-0516/0.patch
git apply $cvePatches/CVE-2017-0523/0.patch
git apply $cvePatches/CVE-2017-0537/0.patch
git apply $cvePatches/CVE-2017-0604/0.patch
git apply $cvePatches/CVE-2017-0606/0.patch
git apply $cvePatches/CVE-2017-0611/0.patch
git apply $cvePatches/CVE-2017-0627/0.patch
git apply $cvePatches/CVE-2017-0631/0.patch
git apply $cvePatches/CVE-2017-0746/0.patch
git apply $cvePatches/CVE-2017-0748/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0751/0.patch
git apply $cvePatches/CVE-2017-0794/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-10997/0.patch
git apply $cvePatches/CVE-2017-10998/0.patch
git apply $cvePatches/CVE-2017-11048/0.patch
git apply $cvePatches/CVE-2017-11056/0.patch
git apply $cvePatches/CVE-2017-11059/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-2671/0.patch
git apply $cvePatches/CVE-2017-5669/0.patch
git apply $cvePatches/CVE-2017-5970/0.patch
git apply $cvePatches/CVE-2017-6074/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-6951/0.patch
git apply $cvePatches/CVE-2017-7369/0.patch
git apply $cvePatches/CVE-2017-7472/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8242/0.patch
git apply $cvePatches/CVE-2017-8247/0.patch
git apply $cvePatches/CVE-2017-8251/0.patch
git apply $cvePatches/CVE-2017-8260/0.patch
git apply $cvePatches/CVE-2017-8265/0.patch
git apply $cvePatches/CVE-2017-8280/0.patch
git apply $cvePatches/CVE-2017-9075/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
git apply $cvePatches/CVE-2017-9693/0.patch
git apply $cvePatches/CVE-2017-9694/0.patch
git apply $cvePatches/CVE-2017-9720/0.patch
git apply $cvePatches/CVE-2017-9724/0.patch
git apply $cvePatches/CVE-2017-9725/0.patch
cd $base
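Review bot: Two fixes that the old list applied are missing from the new one: CVE-2017-0436 has no replacement line, and CVE-2016-6681 is replaced by `git apply $cvePatches/CVE-2016-6682/0.patch`. The commit title says duplicate patches were removed, so these are presumably covered by a patch that is kept, but the script does not say which. If that is the case, a comment next to the surviving line, e.g. `# also covers CVE-2016-6681 (duplicate patch removed)`, would let a later audit confirm coverage rather than read it as a dropped fix. CVE-2017-0436 is likewise dropped from the bullhead patcher.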

@ -1,8 +1,9 @@
#!/bin/bash
cd $base"kernel/nextbit/msm8992"
git apply $cvePatches"CVE-2014-9904"/*.patch && echo 'Applied fix for CVE-2014-9904'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9904/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
cd $base

@ -1,23 +1,24 @@
#!/bin/bash
cd $base"kernel/oneplus/msm8974"
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2014-9880"/*.patch && echo 'Applied fix for CVE-2014-9880'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-3672"/*.patch && echo 'Applied fix for CVE-2016-3672'
git apply $cvePatches"CVE-2016-6672"/*.patch && echo 'Applied fix for CVE-2016-6672'
git apply $cvePatches"CVE-2016-8404"/*.patch && echo 'Applied fix for CVE-2016-8404'
git apply $cvePatches"CVE-2017-0750"/*.patch && echo 'Applied fix for CVE-2017-0750'
git apply $cvePatches"CVE-2017-0751"/*.patch && echo 'Applied fix for CVE-2017-0751'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-11000"/*.patch && echo 'Applied fix for CVE-2017-11000'
git apply $cvePatches"CVE-2017-11048"/*.patch && echo 'Applied fix for CVE-2017-11048'
git apply $cvePatches"CVE-2017-11059"/*.patch && echo 'Applied fix for CVE-2017-11059'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches"CVE-2017-8247"/*.patch && echo 'Applied fix for CVE-2017-8247'
git apply $cvePatches"CVE-2017-9242"/*.patch && echo 'Applied fix for CVE-2017-9242'
git apply $cvePatches"CVE-2017-9706"/*.patch && echo 'Applied fix for CVE-2017-9706'
git apply $cvePatches"CVE-2017-9725"/*.patch && echo 'Applied fix for CVE-2017-9725'
git apply $cvePatches/CVE-2012-6703/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2014-9880/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-3672/0.patch
git apply $cvePatches/CVE-2016-6672/0.patch
git apply $cvePatches/CVE-2016-8404/0.patch
git apply $cvePatches/CVE-2017-0750/0.patch
git apply $cvePatches/CVE-2017-0751/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-11000/0.patch
git apply $cvePatches/CVE-2017-11048/0.patch
git apply $cvePatches/CVE-2017-11059/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
git apply $cvePatches/CVE-2017-8247/0.patch
git apply $cvePatches/CVE-2017-9242/0.patch
git apply $cvePatches/CVE-2017-9706/0.patch
git apply $cvePatches/CVE-2017-9725/0.patch
cd $base

@ -1,31 +1,31 @@
#!/bin/bash
cd $base"kernel/samsung/smdk4412"
git apply $cvePatches"CVE-2014-1739"/*.patch && echo 'Applied fix for CVE-2014-1739'
git apply $cvePatches"CVE-2014-4656"/*.patch && echo 'Applied fix for CVE-2014-4656'
git apply $cvePatches"CVE-2014-7822"/*.patch && echo 'Applied fix for CVE-2014-7822'
git apply $cvePatches"CVE-2014-9420"/*.patch && echo 'Applied fix for CVE-2014-9420'
git apply $cvePatches"CVE-2014-9781"/*.patch && echo 'Applied fix for CVE-2014-9781'
git apply $cvePatches"CVE-2014-9870"/*.patch && echo 'Applied fix for CVE-2014-9870'
git apply $cvePatches"CVE-2014-9900"/*.patch && echo 'Applied fix for CVE-2014-9900'
git apply $cvePatches"CVE-2015-8944"/*.patch && echo 'Applied fix for CVE-2015-8944'
git apply $cvePatches"CVE-2016-0819"/*.patch && echo 'Applied fix for CVE-2016-0819'
git apply $cvePatches"CVE-2016-2185"/*.patch && echo 'Applied fix for CVE-2016-2185'
git apply $cvePatches"CVE-2016-2186"/*.patch && echo 'Applied fix for CVE-2016-2186'
git apply $cvePatches"CVE-2016-2544"/*.patch && echo 'Applied fix for CVE-2016-2544'
git apply $cvePatches"CVE-2016-3134"/*.patch && echo 'Applied fix for CVE-2016-3134'
git apply $cvePatches"CVE-2016-6753"/*.patch && echo 'Applied fix for CVE-2016-6753'
git apply $cvePatches"CVE-2016-9604"/*.patch && echo 'Applied fix for CVE-2016-9604'
git apply $cvePatches"CVE-2017-0403"/*.patch && echo 'Applied fix for CVE-2017-0403'
git apply $cvePatches"CVE-2017-0404"/*.patch && echo 'Applied fix for CVE-2017-0404'
git apply $cvePatches"CVE-2017-0430"/*.patch && echo 'Applied fix for CVE-2017-0430'
git apply $cvePatches"CVE-2017-0786"/*.patch && echo 'Applied fix for CVE-2017-0786'
git apply $cvePatches"CVE-2017-1000365"/*.patch && echo 'Applied fix for CVE-2017-1000365'
git apply $cvePatches"CVE-2017-10662"/*.patch && echo 'Applied fix for CVE-2017-10662'
git apply $cvePatches"CVE-2017-12153"/*.patch && echo 'Applied fix for CVE-2017-12153'
git apply $cvePatches"CVE-2017-15265"/*.patch && echo 'Applied fix for CVE-2017-15265'
git apply $cvePatches"CVE-2017-2618"/*.patch && echo 'Applied fix for CVE-2017-2618'
git apply $cvePatches"CVE-2017-6074"/*.patch && echo 'Applied fix for CVE-2017-6074'
git apply $cvePatches"CVE-2017-6345"/*.patch && echo 'Applied fix for CVE-2017-6345'
git apply $cvePatches"CVE-2017-6348"/*.patch && echo 'Applied fix for CVE-2017-6348'
git apply $cvePatches"CVE-2017-7487"/*.patch && echo 'Applied fix for CVE-2017-7487'
git apply $cvePatches/CVE-2014-1739/0.patch
git apply $cvePatches/CVE-2014-4656/0.patch
git apply $cvePatches/CVE-2014-7822/0.patch
git apply $cvePatches/CVE-2014-9420/0.patch
git apply $cvePatches/CVE-2014-9781/0.patch
git apply $cvePatches/CVE-2014-9870/0.patch
git apply $cvePatches/CVE-2014-9900/0.patch
git apply $cvePatches/CVE-2015-8944/0.patch
git apply $cvePatches/CVE-2016-0819/0.patch
git apply $cvePatches/CVE-2016-2185/0.patch
git apply $cvePatches/CVE-2016-2186/0.patch
git apply $cvePatches/CVE-2016-2544/0.patch
git apply $cvePatches/CVE-2016-3134/0.patch
git apply $cvePatches/CVE-2016-6753/0.patch
git apply $cvePatches/CVE-2016-9604/0.patch
git apply $cvePatches/CVE-2017-0403/0.patch
git apply $cvePatches/CVE-2017-0404/0.patch
git apply $cvePatches/CVE-2017-0430/0.patch
git apply $cvePatches/CVE-2017-0786/0.patch
git apply $cvePatches/CVE-2017-1000365/0.patch
git apply $cvePatches/CVE-2017-10662/0.patch
git apply $cvePatches/CVE-2017-12153/0.patch
git apply $cvePatches/CVE-2017-15265/0.patch
git apply $cvePatches/CVE-2017-2618/0.patch
git apply $cvePatches/CVE-2017-6074/0.patch
git apply $cvePatches/CVE-2017-6345/0.patch
git apply $cvePatches/CVE-2017-6348/0.patch
git apply $cvePatches/CVE-2017-7487/0.patch
cd $base
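Review bot: The new `git apply $cvePatches/CVE-…/0.patch` lines drop the `&& echo 'Applied fix for …'` confirmation and add no failure handling, so a patch that no longer applies leaves only git's own stderr message and the script carries on with that fix missing. I would keep an auditable result per CVE, for example `git apply "$cvePatches/CVE-2014-1739/0.patch" || { echo 'FAILED: CVE-2014-1739' >&2; failed=1; }`, and exit non-zero at the end when `failed` is set. The switch from `/*.patch` to `0.patch` also means only the file named `0.patch` is applied; if any CVE directory holds more than one patch (not visible here), the others are silently skipped. The unchecked `cd $base"kernel/samsung/smdk4412"` would let every `git apply` run in the wrong directory if that tree is absent, so `cd "$base"kernel/samsung/smdk4412 || exit 1` is safer. The same points apply to the `0.patch` lines of the patcher script that ends just above this one.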