Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-08-04 12:24:27 -04:00
Code Issues Projects Releases Packages Wiki Activity

Overhaul CVE patches

Browse source
This commit is contained in:
Tad 2017-10-29 14:23:02 -04:00
parent ce59045163
commit 92a0187dfb
907 changed files with 301921 additions and 3819 deletions
Download patch file Download diff file Expand all files Collapse all files

65
Patches/Linux_CVEs/CVE-2016-8477/0.patch
View file

@ -1,65 +0,0 @@
From 33c9042e38506b04461fa99e304482bc20923508 Mon Sep 17 00:00:00 2001
From: guyang <guyang@codeaurora.org>
Date: Tue, 6 Dec 2016 18:30:38 +0800
Subject: msm: camera: sensor: Validate eeprom_name string length
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
CRs-Fixed: 1090007
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
---
.../media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c | 11 +++++++++--
include/media/msm_cam_sensor.h | 2 +-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
index 059780d..13ad58e 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
@@ -140,15 +140,22 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data *cdata =
(struct msm_eeprom_cfg_data *)argp;
int rc = 0;
+ size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
case CFG_EEPROM_GET_INFO:
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
+ if (length > MAX_EEPROM_NAME) {
+ pr_err("%s:%d invalid eeprom_name length %d\n",
+ __func__,__LINE__, (int)length);
+ rc = -EINVAL;
+ break;
+ }
memcpy(cdata->cfg.eeprom_name,
- e_ctrl->eboard_info->eeprom_name,
- sizeof(cdata->cfg.eeprom_name));
+ e_ctrl->eboard_info->eeprom_name, length);
break;
case CFG_EEPROM_GET_CAL_DATA:
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
diff --git a/include/media/msm_cam_sensor.h b/include/media/msm_cam_sensor.h
index 9497875..7ff89a4 100644
--- a/include/media/msm_cam_sensor.h
+++ b/include/media/msm_cam_sensor.h
@@ -446,7 +446,7 @@ struct msm_eeprom_cfg_data {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
- char eeprom_name[MAX_SENSOR_NAME];
+ char eeprom_name[MAX_EEPROM_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t read_data;
struct eeprom_write_t write_data;
--
cgit v1.1

92
Patches/Linux_CVEs/CVE-2016-8477/1.patch
View file

@ -1,92 +0,0 @@
From 96145eb5f0631f0e105d47abebc8f940f7621eeb Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 15 Nov 2016 13:52:49 -0800
Subject: msm: camera: sensor: Validate eeprom_name string length
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
This change will fix the issue.
CRs-Fixed: 1090007
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
---
.../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 22 ++++++++++++++++++----
include/uapi/media/msm_cam_sensor.h | 2 +-
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
index 1f891ac..037e8b5 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
@@ -617,6 +617,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data *cdata =
(struct msm_eeprom_cfg_data *)argp;
int rc = 0;
+ size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@@ -629,9 +630,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
+ if (length > MAX_EEPROM_NAME) {
+ pr_err("%s:%d invalid eeprom_name length %d\n",
+ __func__, __LINE__, (int)length);
+ rc = -EINVAL;
+ break;
+ }
memcpy(cdata->cfg.eeprom_name,
- e_ctrl->eboard_info->eeprom_name,
- sizeof(cdata->cfg.eeprom_name));
+ e_ctrl->eboard_info->eeprom_name, length);
break;
case CFG_EEPROM_GET_CAL_DATA:
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
@@ -1479,6 +1486,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data32 *cdata =
(struct msm_eeprom_cfg_data32 *)argp;
int rc = 0;
+ size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@@ -1491,9 +1499,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
+ if (length > MAX_EEPROM_NAME) {
+ pr_err("%s:%d invalid eeprom_name length %d\n",
+ __func__, __LINE__, (int)length);
+ rc = -EINVAL;
+ break;
+ }
memcpy(cdata->cfg.eeprom_name,
- e_ctrl->eboard_info->eeprom_name,
- sizeof(cdata->cfg.eeprom_name));
+ e_ctrl->eboard_info->eeprom_name, length);
break;
case CFG_EEPROM_GET_CAL_DATA:
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
diff --git a/include/uapi/media/msm_cam_sensor.h b/include/uapi/media/msm_cam_sensor.h
index 540a96c..b8f4b41 100644
--- a/include/uapi/media/msm_cam_sensor.h
+++ b/include/uapi/media/msm_cam_sensor.h
@@ -290,7 +290,7 @@ struct msm_eeprom_cfg_data {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
- char eeprom_name[MAX_SENSOR_NAME];
+ char eeprom_name[MAX_EEPROM_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t read_data;
struct eeprom_write_t write_data;
--
cgit v1.1