Patches & improvements

check_patches.py

@@ -86,7 +86,7 @@ def main():
     print("missing patchfiles:\n")
     for subdir in missing_patches:
         print(subdir)
-        for patch in missing_patches[subdir]:
+        for patch in sorted(missing_patches[subdir]):
             print("\t" + patch)
         print("")
 

cve_check.py

@@ -26,7 +26,7 @@ def load_patches(path):
         if node.endswith(patch_suffix):
             patches.append(os.path.abspath(path) + '/' + node)
 
-    return patches
+    return sorted(patches)
 
 
 """
@@ -111,7 +111,7 @@ def basic_check(kernel_repo, cve_patch):
 
 def print_usage():
 
-    print("usage: pycve.py <OPTIONS> cve_dir kernel_repo")
+    print("usage: cve_check.py <OPTIONS> cve_dir kernel_repo")
     print("\noutput:")
     print("\t<AC> The CVE patch applies cleanly.")
     print("\t<AR> The CVE patch applies in reverse.")

patches/3.10/CVE-2012-6701.patch

@@ -0,0 +1,105 @@
+From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <[email protected]>
+Date: Mon, 21 May 2012 16:06:20 -0700
+Subject: vfs: make AIO use the proper rw_verify_area() area helpers
+
+We had for some reason overlooked the AIO interface, and it didn't use
+the proper rw_verify_area() helper function that checks (for example)
+mandatory locking on the file, and that the size of the access doesn't
+cause us to overflow the provided offset limits etc.
+
+Instead, AIO did just the security_file_permission() thing (that
+rw_verify_area() also does) directly.
+
+This fixes it to do all the proper helper functions, which not only
+means that now mandatory file locking works with AIO too, we can
+actually remove lines of code.
+
+Reported-by: Manish Honap <[email protected]>
+Cc: [email protected]
+Signed-off-by: Linus Torvalds <[email protected]>
+---
+ fs/aio.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 67a6db3..e7f2fad 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
+ 	if (ret < 0)
+ 		goto out;
+
++	ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
++	if (ret < 0)
++		goto out;
++
+ 	kiocb->ki_nr_segs = kiocb->ki_nbytes;
+ 	kiocb->ki_cur_seg = 0;
+ 	/* ki_nbytes/left now reflect bytes instead of segs */
+@@ -1467,11 +1471,17 @@ out:
+ 	return ret;
+ }
+
+-static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
++static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
+ {
++	int bytes;
++
++	bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
++	if (bytes < 0)
++		return bytes;
++
+ 	kiocb->ki_iovec = &kiocb->ki_inline_vec;
+ 	kiocb->ki_iovec->iov_base = kiocb->ki_buf;
+-	kiocb->ki_iovec->iov_len = kiocb->ki_left;
++	kiocb->ki_iovec->iov_len = bytes;
+ 	kiocb->ki_nr_segs = 1;
+ 	kiocb->ki_cur_seg = 0;
+ 	return 0;
+@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
+ 		if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
+ 			kiocb->ki_left)))
+ 			break;
+-		ret = security_file_permission(file, MAY_READ);
+-		if (unlikely(ret))
+-			break;
+-		ret = aio_setup_single_vector(kiocb);
++		ret = aio_setup_single_vector(READ, file, kiocb);
+ 		if (ret)
+ 			break;
+ 		ret = -EINVAL;
+@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
+ 		if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
+ 			kiocb->ki_left)))
+ 			break;
+-		ret = security_file_permission(file, MAY_WRITE);
+-		if (unlikely(ret))
+-			break;
+-		ret = aio_setup_single_vector(kiocb);
++		ret = aio_setup_single_vector(WRITE, file, kiocb);
+ 		if (ret)
+ 			break;
+ 		ret = -EINVAL;
+@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
+ 		ret = -EBADF;
+ 		if (unlikely(!(file->f_mode & FMODE_READ)))
+ 			break;
+-		ret = security_file_permission(file, MAY_READ);
+-		if (unlikely(ret))
+-			break;
+ 		ret = aio_setup_vectored_rw(READ, kiocb, compat);
+ 		if (ret)
+ 			break;
+@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
+ 		ret = -EBADF;
+ 		if (unlikely(!(file->f_mode & FMODE_WRITE)))
+ 			break;
+-		ret = security_file_permission(file, MAY_WRITE);
+-		if (unlikely(ret))
+-			break;
+ 		ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
+ 		if (ret)
+ 			break;
+-- 
+cgit v1.1

patches/3.10/CVE-2012-6703.1.patch

@@ -0,0 +1,31 @@
+From b35cc8225845112a616e3a2266d2fde5ab13d3ab Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <[email protected]>
+Date: Wed, 5 Sep 2012 15:32:18 +0300
+Subject: [PATCH] ALSA: compress_core: integer overflow in
+ snd_compr_allocate_buffer()
+
+These are 32 bit values that come from the user, we need to check for
+integer overflows or we could end up allocating a smaller buffer than
+expected.
+
+Signed-off-by: Dan Carpenter <[email protected]>
+Signed-off-by: Takashi Iwai <[email protected]>
+---
+ sound/core/compress_offload.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index eb60cb8dbb8a6..68fe02c7400a2 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	unsigned int buffer_size;
+ 	void *buffer;
+
++	if (params->buffer.fragment_size == 0 ||
++	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
++		return -EINVAL;
++
+ 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
+ 	if (stream->ops->copy) {
+ 		buffer = NULL;

patches/3.10/CVE-2012-6703.2.patch

@@ -0,0 +1,66 @@
+From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
+From: Vinod Koul <[email protected]>
+Date: Mon, 17 Sep 2012 11:51:25 +0530
+Subject: [PATCH] ALSA: compress - move the buffer check
+
+Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
+added a new error check for input params.
+this add new routine for input checks and moves buffer overflow check to this
+new routine. This allows the error value to be propogated to user space
+
+Signed-off-by: Vinod Koul <[email protected]>
+Signed-off-by: Takashi Iwai <[email protected]>
+---
+ sound/core/compress_offload.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index 68fe02c7400a2..bd7f28e892540 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	unsigned int buffer_size;
+ 	void *buffer;
+
+-	if (params->buffer.fragment_size == 0 ||
+-	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+-		return -EINVAL;
+-
+ 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
+ 	if (stream->ops->copy) {
+ 		buffer = NULL;
+@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	return 0;
+ }
+
++static int snd_compress_check_input(struct snd_compr_params *params)
++{
++	/* first let's check the buffer parameter's */
++	if (params->buffer.fragment_size == 0 ||
++			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
++		return -EINVAL;
++
++	return 0;
++}
++
+ static int
+ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
+ {
+@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
+ 			retval = -EFAULT;
+ 			goto out;
+ 		}
++
++		retval = snd_compress_check_input(params);
++		if (retval)
++			goto out;
++
+ 		retval = snd_compr_allocate_buffer(stream, params);
+ 		if (retval) {
+ 			retval = -ENOMEM;
+ 			goto out;
+ 		}
++
+ 		retval = stream->ops->set_params(stream, params);
+ 		if (retval)
+ 			goto out;

patches/3.10/CVE-2014-9869.1.patch

@@ -0,0 +1,73 @@
+From 8d1f7531ff379befc129a6447642061e87562bca Mon Sep 17 00:00:00 2001
+From: Hariram Purushothaman <[email protected]>
+Date: Tue, 23 Jul 2013 15:39:09 -0700
+Subject: msm: camera: Check stats index MAX in ISP driver
+
+Add a check for the stats index MAX using
+MSM_ISP_STATS_MAX before accessing stream info
+using that index to avoid any invalid memory access.
+
+Change-Id: Iaade2af5d0e3e073e9519961a0f84a93038284bf
+CRs-Fixed: 514711
+Signed-off-by: Hariram Purushothaman <[email protected]>
+---
+ .../msm/camera_v2/isp/msm_isp_stats_util.c         | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+index d857a14..33f63b3 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+@@ -150,6 +150,12 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev,
+ 	stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops.
+ 		get_stats_idx(stream_req_cmd->stats_type);
+
++	if ((stats_idx > MSM_ISP_STATS_MAX) ||
++		(stats_idx == -EINVAL)) {
++		pr_err("%s: Stats idx Error\n", __func__);
++		return rc;
++	}
++
+ 	stream_info = &stats_data->stream_info[stats_idx];
+ 	if (stream_info->state != STATS_AVALIABLE) {
+ 		pr_err("%s: Stats already requested\n", __func__);
+@@ -188,7 +194,7 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev,
+
+ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg)
+ {
+-	int rc = 0;
++	int rc = -1;
+ 	struct msm_vfe_stats_stream_request_cmd *stream_req_cmd = arg;
+ 	struct msm_vfe_stats_stream *stream_info = NULL;
+ 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
+@@ -202,6 +208,11 @@ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg)
+ 	}
+
+ 	stats_idx = STATS_IDX(stream_req_cmd->stream_handle);
++	if (stats_idx > MSM_ISP_STATS_MAX) {
++		pr_err("%s: Stats idx Error\n", __func__);
++		return rc;
++	}
++
+ 	stream_info = &stats_data->stream_info[stats_idx];
+
+ 	framedrop_period = msm_isp_get_framedrop_period(
+@@ -228,9 +239,14 @@ int msm_isp_release_stats_stream(struct vfe_device *vfe_dev, void *arg)
+ 	struct msm_vfe_stats_stream_release_cmd *stream_release_cmd = arg;
+ 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
+ 	int stats_idx = STATS_IDX(stream_release_cmd->stream_handle);
+-	struct msm_vfe_stats_stream *stream_info =
+-		&stats_data->stream_info[stats_idx];
++	struct msm_vfe_stats_stream *stream_info = NULL;
++
++	if (stats_idx > MSM_ISP_STATS_MAX) {
++		pr_err("%s: Stats idx Error\n", __func__);
++		return rc;
++	}
+
++	stream_info = &stats_data->stream_info[stats_idx];
+ 	if (stream_info->state == STATS_AVALIABLE) {
+ 		pr_err("%s: stream already release\n", __func__);
+ 		return rc;
+-- 
+cgit v1.1