When an ashmem file is being mmapped, the resulting vma->vm_file points to the
backing shmem file, whose generic fops do not check ashmem permissions the
way ashmem's own fops do. Fix that by disallowing the mapping operation for
the backing shmem file.
Bug: 142938932
Bug: 142903466
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I718dfca02c83845f8a41d88506871b0aa21326d7
Fixes compiler warning when a logical-not on a variable
is applied while comparing it with value zero.
Change-Id: I92aa16bd0d57a0d59ecd26eef1ac92220332998d
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Joe Maples <joe@frap129.org>
strlen is often used incorrectly to get the length of strings
defined at compile time. In these cases, the behavior can be
replicated with sizeof(X) - 1, which is calculated at compile
time rather than runtime, reducing overhead. I've created a
simple macro to replace these instances and applied it to all
the files compiled into the angler kernel.
Signed-off-by: Joe Maples <joe@frap129.org>
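The sizeof(X) - 1 idiom from the commit above, as an added example that is not the commit's own macro or code from the angler kernel. It shows the macro folding to a constant, a bounded prefix check built on it, and the one pitfall a reviewer looks for when such a replacement is applied tree-wide: applied to a pointer instead of an array, sizeof yields the pointer size and the "length" is silently wrong. The names CONST_STRLEN, HAS_PREFIX, banner and line_is_wlan are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Compile-time length of a string literal (or a char array initialised
 * from one): sizeof counts the terminating NUL, so subtract it. */
#define CONST_STRLEN(s) (sizeof(s) - 1)

/* Does `buf` (of `buflen` bytes) begin with the literal `lit`?
 * CONST_STRLEN folds to a constant, so no strlen() call at runtime, and
 * the length guard keeps memcmp from reading past a short buffer. */
#define HAS_PREFIX(buf, buflen, lit) \
        ((buflen) >= CONST_STRLEN(lit) && \
         memcmp((buf), (lit), CONST_STRLEN(lit)) == 0)

static const char banner[] = "wlan: ";     /* array type: macro is correct */
static const char *banner_ptr = "wlan: ";  /* pointer type: macro is WRONG */

size_t banner_len_macro(void)   { return CONST_STRLEN(banner); }   /* 6 */
size_t banner_len_runtime(void) { return strlen(banner); }         /* 6 */

/* Pitfall: sizeof a pointer is the pointer size, not the string length,
 * so this returns sizeof(char *) - 1 rather than 6. */
size_t pointer_len_macro(void)  { return CONST_STRLEN(banner_ptr); }

/* Constructed use: classify a log line by prefix without over-reading. */
int line_is_wlan(const char *line, size_t len)
{
    return HAS_PREFIX(line, len, "wlan: ");
}
```

The macro is only safe where the argument has array type; a grep for sizeof applied to a `const char *` is the check to run after a mechanical replacement like the one described above.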
Merge tag 'android-8.1.0_r0.117' into lineage-15.1
Android 8.1.0 Release 0.117 (OPM7.181105.004,bullhead)
* tag 'android-8.1.0_r0.117': (26 commits)
Release 4.4.23.022
qcacld-2.0: Sanity check for ssid length in limLookupNaddHashEntry
qcacld-2.0: Merge extcapie before get dot11f payload size
qcacld-2.0: Clear the bits in Ext Cap IE if AP not support
qcacld-2.0: Use variable length for Ext Cap IE
Revert "Revert "qcacld-2.0: Check ie_len against 255 in function get_container_ies_len""
Revert "Revert "qcacld-2.0: Check the length of IE's before appending""
Revert "Revert "qcacld-2.0: Fix potential OOB read in dot11f.c""
qcacld-2.0: Fix buffer overwrite in csrRoamCheckForLinkStatusChange
qcacld-2.0: Add check for vdev_id
qcacld-2.0: use hdd request manager for ocb set config
qcacld-2.0: Use hdd request manager for get tsf timer
qcacld-2.0: Use HDD request manager for get dcc stats
qcacld-2.0: Use request manager for get temperature
qcacld-2.0: Use request manager for linkspeed
qcacld-2.0: Use request manager for enter bmps
qcacld-2.0: Use request manager to handle WE_SET_POWER requests.
qcacld-2.0: Use request manager for RSSI
qcacld-2.0: Use request manager for Class A stats
qcacld-2.0: Use request manager for get link status.
...
Change-Id: I4c6ba79dd3e2a15606a817be656c7009fcc73714
Merge tag 'android-8.1.0_r0.117' into android-msm-bullhead-3.10
Android 8.1.0 Release 0.117 (OPM7.181105.004,bullhead)
* tag 'android-8.1.0_r0.117':
Release 4.4.23.022
qcacld-2.0: Sanity check for ssid length in limLookupNaddHashEntry
qcacld-2.0: Merge extcapie before get dot11f payload size
qcacld-2.0: Clear the bits in Ext Cap IE if AP not support
qcacld-2.0: Use variable length for Ext Cap IE
Revert "Revert "qcacld-2.0: Check ie_len against 255 in function get_container_ies_len""
Revert "Revert "qcacld-2.0: Check the length of IE's before appending""
Revert "Revert "qcacld-2.0: Fix potential OOB read in dot11f.c""
qcacld-2.0: Fix buffer overwrite in csrRoamCheckForLinkStatusChange
qcacld-2.0: Add check for vdev_id
qcacld-2.0: use hdd request manager for ocb set config
qcacld-2.0: Use hdd request manager for get tsf timer
qcacld-2.0: Use HDD request manager for get dcc stats
qcacld-2.0: Use request manager for get temperature
qcacld-2.0: Use request manager for linkspeed
qcacld-2.0: Use request manager for enter bmps
qcacld-2.0: Use request manager to handle WE_SET_POWER requests.
qcacld-2.0: Use request manager for RSSI
qcacld-2.0: Use request manager for Class A stats
qcacld-2.0: Use request manager for get link status.
qcacld-2.0: Use request manager for station stats
qcacld-2.0: Use request manager for SNR
qcacld-2.0: Use request manager for tsm metrics
qcacld-2.0: Use request manager for fw state.
qcacld-2.0: Use request manager for get_peer_rssi
qcacld-2.0: Introduce and enable HDD Request Manager infrastructure
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Merge tag 'android-8.1.0_r0.102' into android-msm-bullhead-3.10
Android 8.1.0 Release 0.102 (OPM6.171019.030.K1,bullhead)
* tag 'android-8.1.0_r0.102':
Revert "arm64: move sp_el0 and tpidr_el1 into cpu_suspend_ctx"
Revert "arm64: Add macro for Cortex A72 primary part number"
Revert "arm64: Delay ELF HWCAP initialisation until all CPUs are up"
Revert "arm64: Move post_ttbr_update_workaround to C code"
Revert "drivers/firmware: Expose psci_get_version through psci_ops structure"
Revert "arm64: Add skeleton to harden the branch predictor against aliasing attacks"
Revert "arm64: Implement branch predictor hardening for cortex A57, A72"
Revert "arm64: PSCI Wrapper for branch predictor flush"
arm64: PSCI Wrapper for branch predictor flush
arm64: Implement branch predictor hardening for cortex A57, A72
arm64: Add skeleton to harden the branch predictor against aliasing attacks
drivers/firmware: Expose psci_get_version through psci_ops structure
arm64: Move post_ttbr_update_workaround to C code
arm64: Delay ELF HWCAP initialisation until all CPUs are up
arm64: Add macro for Cortex A72 primary part number
arm64: move sp_el0 and tpidr_el1 into cpu_suspend_ctx
NFC: llcp: Limit size of SDP URI
qcacld-2.0: Fix UAF in WLAN HDD
qcacld-2.0: Fix OOB write in wma_passpoint_match_event_handler
qcacld-2.0: Fix buffer overflow in ol_rx_in_order_indication_handler
msm: ipa: Fix to handle NULL pointer dereference
ASoC: msm: qdspv2: initialize variables before use
ASoC: msm: qdspv2: add spin lock to protect ac
ANDROID: HID: debug: check length in hid_debug_events_read() before copy_to_user()
voice_svc: Avoid double free in voice_svc driver
qcacld-2.0: Fix UAF in the function wlan_hdd_execute_remain_on_channel
usb: dwc3: dbm: Fix double free in msm_dbm_probe
qcacld-2.0: Resolve possible OOB while posting SET PASSPOINT WMA event
qcacld-2.0: Fix information leak issue during memcpy
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Commit I910edfddf3ea64bc3000b6e7803dc57a50399dbb uses a variable length
for extcapie, which may cause the extcapie length to increase. If the
dot11f payload size is obtained first and extcapie is merged afterwards,
then when the extcapie size increases the payload size is smaller than the
real packet size, and the dot11f packet pack will fail.
This change merges extcapie before getting the dot11f payload size.
Bug: 111135102
Change-Id: I17ea8d54930681401b62ff4b8a73c5cb19989046
CRs-Fixed: 1076370
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
Some specific APs will send an assoc reject if the DUT sets bits in the
Ext Cap IE which the AP does not advertise in its beacon or probe response.
To avoid the IoT issue, clear the bits in the Ext Cap IE if the AP does not
support them.
Bug: 111135102
Change-Id: I632f5474331abf51257cacdcce412d7a110d2433
CRs-Fixed: 1052140
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
The Ext Cap IE is defined with a fixed length in the driver. But some
APs send a beacon or probe response with a variable-length
Ext Cap IE, and dot11f then decodes it to an invalid value.
To fix this, use a variable length for the Ext Cap IE.
Bug: 111135102
Change-Id: I910edfddf3ea64bc3000b6e7803dc57a50399dbb
CRs-Fixed: 1052140
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_temperature() and hdd_GetTemperatureCB() to this
framework.
Bug: 111128007
Change-Id: I3b828827acaa16a64a8a6cfd1c0665da7be166de
CRs-Fixed: 2207693
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
We are transitioning to the new request manager framework.
Change wlan_hdd_get_linkspeed_for_peermac() to this framework.
Note that this framework provides the infrastructure to pass data
from the response thread to the request thread and hence
eliminates the need to maintain tSirLinkSpeedInfo in the HDD adapter
struct.
Bug: 111128836
Change-Id: Ie0c84c271cee188e8bd1663095022daefd703f97
CRs-Fixed: 2207694
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
We are transitioning to the new request manager framework. Change
the wlan_hdd_enter_bmps to this framework.
Bug: 111127854
Change-Id: Ia1ac62b97230a3e4240a039b5c8280c051245579
CRs-Fixed: 2207576
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Use the new request manager framework for handling WE_SET_POWER
related iw requests.
Bug: 111127947
Change-Id: I1d833ced2096a92b855cc861c84a448029e592b7
CRs-Fixed: 2208402
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_rssi() and hdd_get_rssi_cb() to this framework.
Bug: 111126462
Change-Id: Ib0b74e288ad3dc4588440f0de7cfbebc9f88a49a
CRs-Fixed: 2207558
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_classAstats() and hdd_get_class_a_statistics_cb() to
this framework.
Bug: 111127063
Change-Id: I6cfa2155187e3d9ac4099f1e4480835917fd9ca6
CRs-Fixed: 2207553
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_link_status() and hdd_get_link_status_cb() to adapt.
Bug: 111128638
Change-Id: I697eecf6afc6bf26c5b708f35280344138e3a132
CRs-Fixed: 2207627
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_station_stats() and hdd_get_station_statistics_cb() to
this framework.
Bug: 111127792
Change-Id: I4f0255975e8c37fa91215bcddc7896bb8d309cf8
CRs-Fixed: 2207548
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_snr() and hdd_get_snr_cb() to this framework.
Bug: 111127985
Change-Id: Ib7628ee6931450b3b1ee73a0ede6c21ba6427407
CRs-Fixed: 2207562
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
hdd_get_tsm_stats() and hdd_GetTsmStatsCB() to this framework. Note
that this framework provides the infrastructure to pass data from the
response thread to the request thread and hence eliminates the need to
maintain temporary tsmStats in the HDD adapter struct.
Bug: 111127986
Change-Id: I799ec4eb32a37a1edaef6d3c1fcaa10a7a9130af
CRs-Fixed: 2207636
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_get_fw_state() and hdd_get_fw_state_cb() to this framework.
Bug: 111127907
Change-Id: Ibd450d5c50caf6c7c94457e67d1b3a18a30e3955
CRs-Fixed: 2207624
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager
framework. Change wlan_hdd_get_peer_rssi,
hdd_get_peer_rssi_cb, __iw_get_peer_rssi.
Bug: 111128835
Change-Id: I4d5350b4046063fe27cb68dea03408ca672b728f
CRs-Fixed: 2207614
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
List qcacld-3.0 changes as following:
"Change-Id: I4e598e51983475318bc668e786aca690a934bd6c",
"Change-Id: I31e268ca02b4b5c2831c540933ee059a27bd9c7e",
"Change-Id: If4d5912710f8a3b5e87adf76f828a646b7cc2983".
Many operations within the wlan driver occur in an asynchronous
manner. Requests are received by HDD via one of the kernel interfaces
(ioctl, nl80211, virtual file system, etc.). The requests are
translated to an internal format and are then passed to lower layers
for processing. For requests which require a response, that response
comes up from the lower layers in a separate thread of execution,
ultimately resulting in a call to a callback function that was
provided by HDD as part of the initial request. So a mechanism is
needed to synchronize the request and response.
Currently there are various mechanisms which perform these
synchronizations, but experience with them has revealed some flaws.
So a universal mechanism is needed to synchronize the request and
response which addresses all of the known flaws. This framework
provides that mechanism. Enable the HDD Request Manager by invoking
the init() and deinit() APIs as appropriate.
Bug: 111135102
Change-Id: Ic4267507dcdbe550d49422bf3e75450ba66021aa
CRs-Fixed: 2205626
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
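A single-threaded model of the request/response matching the commit message describes, added here as an example; it is not the HDD Request Manager's code and its names (hdd_request_alloc, hdd_request_get, hdd_request_complete, hdd_request_put), table size and payload size are assumptions. The point it demonstrates is the defensive property such a framework gives: the response path identifies the request by an id and a table lookup, never by a raw pointer, so a stale or forged id resolves to NULL instead of to freed adapter state, and the response data is copied into a bounded buffer owned by the request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PENDING   4    /* constructed table size */
#define PAYLOAD_BYTES 16   /* constructed response buffer size */

struct hdd_request {
    uint32_t id;                      /* cookie handed to the lower layer */
    bool     in_use;
    bool     completed;
    uint8_t  payload[PAYLOAD_BYTES];  /* filled by the response path */
    size_t   payload_len;
};

static struct hdd_request pending[MAX_PENDING];
static uint32_t next_id = 1;          /* 0 is never a valid id */

/* Request side: reserve a slot and return its id (0 if the table is full). */
uint32_t hdd_request_alloc(void)
{
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use) {
            memset(&pending[i], 0, sizeof(pending[i]));
            pending[i].in_use = true;
            pending[i].id = next_id++;
            return pending[i].id;
        }
    }
    return 0;
}

/* Look a request up by id. The lower layer only ever echoes the id back,
 * so an unknown or already-released id maps to NULL, not to freed memory. */
struct hdd_request *hdd_request_get(uint32_t id)
{
    if (id == 0)
        return NULL;
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (pending[i].in_use && pending[i].id == id)
            return &pending[i];
    return NULL;
}

/* Response side: copy the data into the request's own buffer, bounded by
 * its size, and mark the request complete. Returns false for an unknown id
 * or an oversized response. */
bool hdd_request_complete(uint32_t id, const uint8_t *data, size_t len)
{
    struct hdd_request *req = hdd_request_get(id);
    if (req == NULL || len > PAYLOAD_BYTES)
        return false;
    memcpy(req->payload, data, len);
    req->payload_len = len;
    req->completed = true;
    return true;
}

/* Request side, after the wait: release the slot so the id becomes invalid. */
void hdd_request_put(uint32_t id)
{
    struct hdd_request *req = hdd_request_get(id);
    if (req != NULL)
        memset(req, 0, sizeof(*req));
}

/* Worked round trip: an oversized response is refused, a well-sized one is
 * delivered and read back. Returns the delivered length, or 0 on failure. */
size_t demo_round_trip(void)
{
    const uint8_t fw_response[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    const uint8_t too_big[PAYLOAD_BYTES + 1] = { 0 };
    uint32_t id = hdd_request_alloc();
    if (hdd_request_complete(id, too_big, sizeof too_big))
        return 0;   /* must not be accepted */
    if (!hdd_request_complete(id, fw_response, sizeof fw_response))
        return 0;
    struct hdd_request *req = hdd_request_get(id);
    size_t n = (req != NULL && req->completed) ? req->payload_len : 0;
    hdd_request_put(id);
    return n;
}

/* Worked failure case: after the requester has released the slot, a late
 * response carrying the old id is rejected rather than written anywhere. */
bool demo_stale_id_rejected(void)
{
    const uint8_t late[1] = { 0x01 };
    uint32_t id = hdd_request_alloc();
    hdd_request_put(id);
    return hdd_request_get(id) == NULL && !hdd_request_complete(id, late, 1);
}
```

In the driver the waiting side also needs a timeout and a lock around the table; the id-based lookup is the part that removes the use-after-free class of bug the earlier mechanisms had.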
UAF issue is in function hdd_open_adapter:
pAdapter is freed by calling free_netdev(pAdapter->dev),
but pAdapter->macAddressCurrent.bytes is referenced afterwards.
Fix the issue by swapping these two statements.
Bug: 65423852
Change-Id: I6910a56f9a204fdd8eaad54d8443867ee6a37fdb
CRs-Fixed: 2213280
Signed-off-by: Ecco Park <eccopark@google.com>
Propagation from cld3.0 to cld2.0.
In the function wma_passpoint_match_event_handler, fixed param event data
from firmware is filled in the destination buffer and an indication is sent
to the upper layers. The buffer allocation is done for the size
(wmi_passpoint_event_hdr*) + event->ie_length + event->anqp_length. The
maximum firmware event message size is WMI_SVC_MSG_MAX_SIZE. If ie_length
and anqp_length combined are greater than WMI_SVC_MSG_MAX_SIZE, or
either of the two exceeds WMI_SVC_MSG_MAX_SIZE, an OOB write will occur in
wma_passpoint_match_event_handler.
Add a check to ensure that neither ie_length, anqp_length nor
(ie_length + anqp_length) exceeds WMI_SVC_MAX_SIZE. Return
failure if it exceeds.
Bug: 109741911
Change-Id: I21f473ca0b99ebb8488f2cca3c0774817ea97c3a
CRs-Fixed: 2212696
Signed-off-by: Ecco Park <eccopark@google.com>
Propagation from cld3.0 to cld2.0.
Currently the variable "tid" comes from the message and is used directly
as the array size, which causes a buffer over-write.
To address this issue, add check for the array size.
Bug: 109741886
Change-Id: Idb6bd8ceaa217620a60bc04f2e84a551113e6edb
CRs-Fixed: 2204463
Signed-off-by: Ecco Park <eccopark@google.com>
In the function wlan_hdd_execute_remain_on_channel, after calling
sme_remain_on_channel the buffer pointed to by "pRemainChanCtx" may be freed
in another thread, "wlan_hdd_remain_on_channel_callback". A UAF will happen
when accessing "pRemainChanCtx->rem_on_chan_request".
Access pRemainChanCtx only when it is not NULL.
Change-Id: I32696ca9d88bc55f7c9841c7d602f363c35ed49f
CRs-Fixed: 2189054
Bug: 109741735
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
qcacld-3.0 to qcacld-2.0 propagation
Presently, while processing the SET_PASSPOINT_LIST vendor command,
HDD is not making sure the realm string passed by the upper layer is NULL
terminated; this may lead to a buffer overflow as strlen is used
to get the realm string length to construct the PASSPOINT WMA command.
Make sure the realm is NULL terminated before passing it to the
lower layers.
Bug: 109741777
Change-Id: I417f2b89dc219664afe5deac00dc361cac4048d6
CRs-Fixed: 2217476
Signed-off-by: Kumar Anand <kumaranand@google.com>
The buffer allocated with length "ATH6KL_FWLOG_PAYLOAD_SIZE"
is not initialized; this may lead to an information leak during
memcpy when len < ATH6KL_FWLOG_PAYLOAD_SIZE.
To resolve this issue, memset the buffer for length
(ATH6KL_FWLOG_PAYLOAD_SIZE - len) to 0.
Bug: 73885536
Change-Id: If4a49347d674ad2af0438b408a4a4b9308c61026
CRs-Fixed: 2253103
Signed-off-by: Ecco Park <eccopark@google.com>
Merge tag 'android-8.1.0_r0.62' into android-msm-bullhead-3.10
Android 8.1.0 Release 0.62
* tag 'android-8.1.0_r0.62':
Revert "ion: ensure CMO target is valid"
msm: ADSPRPC: Use ID in response to get context pointer
qcacld-2.0: Fix potential buffer overwrite in the htt_t2h_lp_msg_handler
qcacld-2.0: Add data_len check to avoid OOB access
BACKPORT: ASN.1: fix out-of-bounds read when parsing indefinite length item
UPSTREAM: KEYS: fix out-of-bounds read during ASN.1 parsing
qcacld-2.0: Fix potential buffer overflow
ion: ensure CMO target is valid
crypto: hmac - require that the underlying hash algorithm is unkeyed
qcacld-2.0: Move NBUF_UPDATE_TX_PKT_COUNT before freeing netbuf
diag: dci: check signed values for negativity
diag: Add conditional check for len in dci_process_ctrl_status()
diag: Validate copying length against source buffer length
mm-camera2:isp2: Handle use after free buffer
ANDROID: Bluetooth: hidp: buffer overflow in hidp_process_report
UPSTREAM: HID: Bluetooth: hidp: make sure input buffers are big enough
qcacld-2.0: Remove FW memory dump feature
BACKPORT: ipv6: fix udpv6 sendmsg crash caused by too small MTU
UPSTREAM: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
msm: ADSPRPC: use access_ok to validate pointers
ASoC: wcd_cpe_core: Add mutex lock for CPE session
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can
result in integer underflow.
2) Number of dbg log args against the total length, which can result in
buffer over-read.
To fix this, compare size of firmware event parameters and number of
dbg log args with total buffer length.
Bug: 77528512
Change-Id: I981441ecf8e866afc00cf2e0e316779c8cc803c6
CRs-Fixed: 2205372
Signed-off-by: Ecco Park <eccopark@google.com>
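The three length checks described in the commit messages above (the wma_passpoint_match_event_handler ie_length/anqp_length bound, the SET_PASSPOINT_LIST realm NUL-termination requirement, and the dbglog_parse_debug_logs argument-count versus total-length comparison), written out as an added example. This is not the driver's code: the constant FW_MSG_MAX_SIZE stands in for WMI_SVC_MSG_MAX_SIZE, whose value the page does not give, and the function names and the header-length parameter are assumptions. Each function returns false for input that the corresponding commit describes as causing an out-of-bounds access, and each is written so the check itself cannot overflow or underflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the driver's limit; the real WMI_SVC_MSG_MAX_SIZE
 * value is not stated on this page. */
#define FW_MSG_MAX_SIZE 4096u

/* Passpoint match event: each length and their sum must fit in one firmware
 * message. The sum is formed in 64 bits so that two large u32 values cannot
 * wrap to a small total and slip past the comparison. */
bool passpoint_lengths_ok(uint32_t ie_length, uint32_t anqp_length,
                          uint32_t max_size)
{
    if (ie_length > max_size || anqp_length > max_size)
        return false;
    return (uint64_t)ie_length + anqp_length <= max_size;
}

/* Passpoint list: a realm string from user space may be handed to strlen()
 * only if a NUL lies inside the buffer; memchr never scans past bufsize. */
bool realm_is_terminated(const char *realm, size_t bufsize)
{
    return bufsize > 0 && memchr(realm, '\0', bufsize) != NULL;
}

/* dbglog: `num_args` 32-bit words must fit in the bytes that remain after
 * the header. Checking header_len first avoids the integer underflow in
 * total_len - header_len; dividing rather than multiplying avoids overflow. */
bool dbglog_args_fit(uint32_t num_args, size_t header_len, size_t total_len)
{
    if (header_len > total_len)
        return false;
    size_t remaining = total_len - header_len;
    return num_args <= remaining / sizeof(uint32_t);
}
```

The wrap-around case is the one worth keeping in mind when reviewing such checks: with ie_length and anqp_length both 0xFFFFFFFF, a u32 addition gives 0xFFFFFFFE, which would pass a naive `ie_length + anqp_length <= max` comparison against a large maximum.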
Add a sanity check for the wmi TLV header length before padding/shrinking
elements in a wmi which has a variable length for its TLV structure.
Currently, the TLV length is not checked, so its maximum value could
be 65535, which results in a huge count for elements. The number of elements
is used to terminate the loop for padding/shrinking. If the number
was too large, there would be a memory overflow.
CRs-Fixed: 2169157
Bug: 77527719
Change-Id: I99c700d62f8c0db84cbd95fc6efcb5249b89eb1d
Signed-off-by: Ecco Park <eccopark@google.com>
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Bug: 74237532
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2157917
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
Fragment count will be larger than the upper limit of
cvg_nbuf_cb->extra_flag.num which would lead to an overread
of fragment length. Upper limit check for fragment count
is added in this change.
Change-Id: Icc078b2efee554ac84377b5edd90d0a5c7a61f98
CRs-Fixed: 2129566
Bug: 72957387
Signed-off-by: Ecco Park <eccopark@google.com>