mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-25 23:49:32 -05:00
Overhaul CVE patches
This commit is contained in:
parent
ce59045163
commit
92a0187dfb
31
Patches/Linux_CVEs-New/CVE-2012-6703/ANY/1.patch
Normal file
31
Patches/Linux_CVEs-New/CVE-2012-6703/ANY/1.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 5 Sep 2012 15:32:18 +0300
|
||||
Subject: [PATCH] ALSA: compress_core: integer overflow in
|
||||
snd_compr_allocate_buffer()
|
||||
|
||||
These are 32 bit values that come from the user, we need to check for
|
||||
integer overflows or we could end up allocating a smaller buffer than
|
||||
expected.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/compress_offload.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
|
||||
index eb60cb8dbb8a6..68fe02c7400a2 100644
|
||||
--- a/sound/core/compress_offload.c
|
||||
+++ b/sound/core/compress_offload.c
|
||||
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
||||
unsigned int buffer_size;
|
||||
void *buffer;
|
||||
|
||||
+ if (params->buffer.fragment_size == 0 ||
|
||||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
|
||||
if (stream->ops->copy) {
|
||||
buffer = NULL;
|
66
Patches/Linux_CVEs-New/CVE-2012-6703/ANY/2.patch
Normal file
66
Patches/Linux_CVEs-New/CVE-2012-6703/ANY/2.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
|
||||
From: Vinod Koul <vinod.koul@linux.intel.com>
|
||||
Date: Mon, 17 Sep 2012 11:51:25 +0530
|
||||
Subject: [PATCH] ALSA: compress - move the buffer check
|
||||
|
||||
Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
|
||||
added a new error check for input params.
|
||||
this add new routine for input checks and moves buffer overflow check to this
|
||||
new routine. This allows the error value to be propogated to user space
|
||||
|
||||
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/compress_offload.c | 20 ++++++++++++++++----
|
||||
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
|
||||
index 68fe02c7400a2..bd7f28e892540 100644
|
||||
--- a/sound/core/compress_offload.c
|
||||
+++ b/sound/core/compress_offload.c
|
||||
@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
||||
unsigned int buffer_size;
|
||||
void *buffer;
|
||||
|
||||
- if (params->buffer.fragment_size == 0 ||
|
||||
- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
||||
- return -EINVAL;
|
||||
-
|
||||
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
|
||||
if (stream->ops->copy) {
|
||||
buffer = NULL;
|
||||
@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int snd_compress_check_input(struct snd_compr_params *params)
|
||||
+{
|
||||
+ /* first let's check the buffer parameter's */
|
||||
+ if (params->buffer.fragment_size == 0 ||
|
||||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
|
||||
{
|
||||
@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
|
||||
retval = -EFAULT;
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
+ retval = snd_compress_check_input(params);
|
||||
+ if (retval)
|
||||
+ goto out;
|
||||
+
|
||||
retval = snd_compr_allocate_buffer(stream, params);
|
||||
if (retval) {
|
||||
retval = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
retval = stream->ops->set_params(stream, params);
|
||||
if (retval)
|
||||
goto out;
|
39
Patches/Linux_CVEs-New/CVE-2014-4656/3.2/1.patch
Normal file
39
Patches/Linux_CVEs-New/CVE-2014-4656/3.2/1.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From f7500568b7633324e7c4282bb8baa3ff3f17fd7a Mon Sep 17 00:00:00 2001
|
||||
From: Lars-Peter Clausen <lars@metafoo.de>
|
||||
Date: Wed, 18 Jun 2014 13:32:35 +0200
|
||||
Subject: ALSA: control: Make sure that id->index does not overflow
|
||||
|
||||
commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
|
||||
|
||||
The ALSA control code expects that the range of assigned indices to a control is
|
||||
continuous and does not overflow. Currently there are no checks to enforce this.
|
||||
If a control with a overflowing index range is created that control becomes
|
||||
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
|
||||
able to find it. This patch adds a check that makes sure that controls with a
|
||||
overflowing index range can not be created.
|
||||
|
||||
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
|
||||
Acked-by: Jaroslav Kysela <perex@perex.cz>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
sound/core/control.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/sound/core/control.c b/sound/core/control.c
|
||||
index d3f17de..9210594 100644
|
||||
--- a/sound/core/control.c
|
||||
+++ b/sound/core/control.c
|
||||
@@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
|
||||
if (snd_BUG_ON(!card || !kcontrol->info))
|
||||
goto error;
|
||||
id = kcontrol->id;
|
||||
+ if (id.index > UINT_MAX - kcontrol->count)
|
||||
+ goto error;
|
||||
+
|
||||
down_write(&card->controls_rwsem);
|
||||
if (snd_ctl_find_id(card, &id)) {
|
||||
up_write(&card->controls_rwsem);
|
||||
--
|
||||
cgit v1.1
|
||||
|
0
Patches/Linux_CVEs-New/CVE-2014-8709/ANY/0.patch
Normal file
0
Patches/Linux_CVEs-New/CVE-2014-8709/ANY/0.patch
Normal file
52
Patches/Linux_CVEs-New/CVE-2014-9420/ANY/0.patch
Normal file
52
Patches/Linux_CVEs-New/CVE-2014-9420/ANY/0.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Mon, 15 Dec 2014 14:22:46 +0100
|
||||
Subject: [PATCH] isofs: Fix infinite looping over CE entries
|
||||
|
||||
Rock Ridge extensions define so called Continuation Entries (CE) which
|
||||
define where is further space with Rock Ridge data. Corrupted isofs
|
||||
image can contain arbitrarily long chain of these, including a one
|
||||
containing loop and thus causing kernel to end in an infinite loop when
|
||||
traversing these entries.
|
||||
|
||||
Limit the traversal to 32 entries which should be more than enough space
|
||||
to store all the Rock Ridge data.
|
||||
|
||||
Reported-by: P J P <ppandit@redhat.com>
|
||||
CC: stable@vger.kernel.org
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
fs/isofs/rock.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
|
||||
index f488bbae541ac..bb63254ed8486 100644
|
||||
--- a/fs/isofs/rock.c
|
||||
+++ b/fs/isofs/rock.c
|
||||
@@ -30,6 +30,7 @@ struct rock_state {
|
||||
int cont_size;
|
||||
int cont_extent;
|
||||
int cont_offset;
|
||||
+ int cont_loops;
|
||||
struct inode *inode;
|
||||
};
|
||||
|
||||
@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
|
||||
rs->inode = inode;
|
||||
}
|
||||
|
||||
+/* Maximum number of Rock Ridge continuation entries */
|
||||
+#define RR_MAX_CE_ENTRIES 32
|
||||
+
|
||||
/*
|
||||
* Returns 0 if the caller should continue scanning, 1 if the scan must end
|
||||
* and -ve on error.
|
||||
@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
|
||||
goto out;
|
||||
}
|
||||
ret = -EIO;
|
||||
+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
|
||||
+ goto out;
|
||||
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
|
||||
if (bh) {
|
||||
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
|
37
Patches/Linux_CVEs-New/CVE-2014-9683/3.2/1.patch
Normal file
37
Patches/Linux_CVEs-New/CVE-2014-9683/3.2/1.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From f2d130454e46c3989af1b4f882b6a666d24fa2e0 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Halcrow <mhalcrow@google.com>
|
||||
Date: Wed, 26 Nov 2014 09:09:16 -0800
|
||||
Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
|
||||
routine
|
||||
|
||||
commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
|
||||
|
||||
Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
|
||||
end of the allocated buffer during encrypted filename decoding. This
|
||||
fix corrects the issue by getting rid of the unnecessary 0 write when
|
||||
the current bit offset is 2.
|
||||
|
||||
Signed-off-by: Michael Halcrow <mhalcrow@google.com>
|
||||
Reported-by: Dmitry Chernenkov <dmitryc@google.com>
|
||||
Suggested-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
fs/ecryptfs/crypto.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
|
||||
index 68b19ab..dceedec 100644
|
||||
--- a/fs/ecryptfs/crypto.c
|
||||
+++ b/fs/ecryptfs/crypto.c
|
||||
@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
|
||||
break;
|
||||
case 2:
|
||||
dst[dst_byte_offset++] |= (src_byte);
|
||||
- dst[dst_byte_offset] = 0;
|
||||
current_bit_offset = 0;
|
||||
break;
|
||||
}
|
||||
--
|
||||
cgit v1.1
|
||||
|
56
Patches/Linux_CVEs-New/CVE-2014-9715/3.2/1.patch
Normal file
56
Patches/Linux_CVEs-New/CVE-2014-9715/3.2/1.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From 33eedfe8ecbaabcdc38be63901cb2b79e3190fda Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Vagin <avagin@openvz.org>
|
||||
Date: Fri, 28 Mar 2014 13:54:32 +0400
|
||||
Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
|
||||
|
||||
commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
|
||||
|
||||
"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
|
||||
case it can contain all extensions. Bellow you can find sizes for all
|
||||
types of extensions. Their sum is definitely bigger than 256.
|
||||
|
||||
nf_ct_ext_types[0]->len = 24
|
||||
nf_ct_ext_types[1]->len = 32
|
||||
nf_ct_ext_types[2]->len = 24
|
||||
nf_ct_ext_types[3]->len = 32
|
||||
nf_ct_ext_types[4]->len = 152
|
||||
nf_ct_ext_types[5]->len = 2
|
||||
nf_ct_ext_types[6]->len = 16
|
||||
nf_ct_ext_types[7]->len = 8
|
||||
|
||||
I have seen "len" up to 280 and my host has crashes w/o this patch.
|
||||
|
||||
The right way to fix this problem is reducing the size of the ecache
|
||||
extension (4) and Florian is going to do this, but these changes will
|
||||
be quite large to be appropriate for a stable tree.
|
||||
|
||||
Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
|
||||
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Cc: Patrick McHardy <kaber@trash.net>
|
||||
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
||||
Cc: "David S. Miller" <davem@davemloft.net>
|
||||
Signed-off-by: Andrey Vagin <avagin@openvz.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
include/net/netfilter/nf_conntrack_extend.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
|
||||
index 2dcf317..d918074 100644
|
||||
--- a/include/net/netfilter/nf_conntrack_extend.h
|
||||
+++ b/include/net/netfilter/nf_conntrack_extend.h
|
||||
@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
|
||||
/* Extensions: optional stuff which isn't permanently in struct. */
|
||||
struct nf_ct_ext {
|
||||
struct rcu_head rcu;
|
||||
- u8 offset[NF_CT_EXT_NUM];
|
||||
- u8 len;
|
||||
+ u16 offset[NF_CT_EXT_NUM];
|
||||
+ u16 len;
|
||||
char data[0];
|
||||
};
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
48
Patches/Linux_CVEs-New/CVE-2014-9778/ANY/0.patch
Normal file
48
Patches/Linux_CVEs-New/CVE-2014-9778/ANY/0.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
|
||||
From: "Pachika, Vikas Reddy" <vpachi@codeaurora.org>
|
||||
Date: Fri, 1 Nov 2013 21:06:37 +0530
|
||||
Subject: msm: vidc: Validate userspace buffer count
|
||||
|
||||
Makesure the number of buffers count is less than
|
||||
the maximum limit to avoid structure overflow errors.
|
||||
|
||||
Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
|
||||
CRs-fixed: 563694
|
||||
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
|
||||
---
|
||||
drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
|
||||
include/media/msm/vidc_init.h | 1 +
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
|
||||
index a843889..b45100f 100644
|
||||
--- a/drivers/video/msm/vidc/common/dec/vdec.c
|
||||
+++ b/drivers/video/msm/vidc/common/dec/vdec.c
|
||||
@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
|
||||
vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
|
||||
vcd_h264_mv_buffer->offset = mv_data->offset;
|
||||
|
||||
+ if (mv_data->count > MAX_MV_BUFFERS) {
|
||||
+ ERR("MV buffers maximum count reached, count = %d",
|
||||
+ mv_data->count);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
if (!vcd_get_ion_status()) {
|
||||
if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
|
||||
(unsigned long *) (&(vcd_h264_mv_buffer->
|
||||
diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
|
||||
index c35f770..5df0c3e 100644
|
||||
--- a/include/media/msm/vidc_init.h
|
||||
+++ b/include/media/msm/vidc_init.h
|
||||
@@ -20,6 +20,7 @@
|
||||
#define VIDC_MAX_NUM_CLIENTS 4
|
||||
#define MAX_VIDEO_NUM_OF_BUFF 100
|
||||
#define MAX_META_BUFFERS 32
|
||||
+#define MAX_MV_BUFFERS 32
|
||||
|
||||
enum buffer_dir {
|
||||
BUFFER_TYPE_INPUT,
|
||||
--
|
||||
cgit v1.1
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user