Daniel Micay (thestinger), Toronto, Ontario, Canada. https://twitter.com/DanielMicay. Security researcher.

thestinger/termite 2623

A keyboard-centric VTE-based terminal, aimed at use within a window manager with tiling and/or tabbing support.

thestinger/playpen 290

A secure application sandbox built with modern Linux sandboxing features - no longer actively developed, but still works fine, use bubblewrap if you need more functionality

thestinger/vte-ng 111

enhanced vte terminal widget

thestinger/allocator 46

experimental high performance, low fragmentation memory allocator

thestinger/paxd-archive 42

PaX exception daemon - Temporarily abandoned due to the PaX and grsecurity patches becoming private

thestinger/hardening-wrapper-deprecated 27

Wrapper scripts for building hardened executables by default (deprecated, replaced by standard Arch Linux toolchain changes)

thestinger/wiki 9

toy wiki implementation

thestinger/util 6

various utility functions and classes

GrapheneOS/branding_extra 5

Branding for everything outside the OS. This is not used as part of the OS.

GrapheneOS/device_google_bonito 5

Pixel 3a and Pixel 3a XL device sources.

issue comment GrapheneOS/Vanadium

remove or replace learn more link on blank incognito tab

No, since the documentation would need to be written about it in order to link to it. Alternatively, it can just be removed for the time being. Doesn't make sense to have a link to generic, irrelevant documentation via the fallback.

thestinger

comment created time in 7 hours

push event GrapheneOS/hardened_malloc

Daniel Micay

commit sha bcb93cab639176078b881911b7f7686c759f6052

avoid an ifdef

push time in 8 hours

issue comment GrapheneOS/Vanadium

remove or replace learn more link on blank incognito tab

There is no URL configured for this or the others, so they use the fallback support URL which was changed in #39. It doesn't mean this issue is resolved. It only resolved generic cases where specific documentation is not really expected.

thestinger

comment created time in 8 hours

issue comment GrapheneOS/Vanadium

remove or replace learn more link on blank incognito tab

That's because the fallback URL has been configured to direct people to our documentation. All of these links to specific documentation still need to be either removed or replaced.

thestinger

comment created time in 8 hours

issue comment GrapheneOS/Vanadium

remove or replace learn more link on blank incognito tab

Yes there's now a fallback directing people to our site.

thestinger

comment created time in 8 hours

issue comment GrapheneOS/hardened_malloc

errors when compiling rust packages

Also, to clarify something, this is hardened_malloc detecting a memory corruption bug in C++ code in the code you're running. This feature sanity checks sizes used for sized deallocation in C++. Programs use sized deallocation as a performance boost but it's not uncommon for them to have memory corruption bugs where they pass an incorrect size. Other allocations do not check this and generally don't use the size for performance, or use it in a way that doesn't cause noticeable issues in most of these cases. It's still a memory corruption bug in the application and it's a good thing that hardened_malloc can detect it and abort. This catches real world type confusion bugs and prevents some of them from being exploited.

deathtrip

comment created time in 8 hours

issue comment GrapheneOS/hardened_malloc

errors when compiling rust packages

You need to report bugs detected by hardened_malloc to the developers of the application / library where it's detecting the bug, not as a hardened_malloc bug. If you build hardened_malloc with CONFIG_CXX_ALLOCATOR=false it won't detect sized deallocation mismatches. The program you're running will still have the bug occurring. It just won't be detected.

deathtrip

comment created time in 8 hours

issue closed GrapheneOS/hardened_malloc

errors when compiling rust packages

Using Arch Linux with glibc 2.31-5, rust 1.45.2-1 and hardened_malloc 482+f214bd5-1 with LD_PRELOAD. I get this when trying to compile a rust program from the AUR with makepkg:

fatal allocator error: sized deallocation mismatch (large)

and this with another package:

process didn't exit successfully: rustc --crate-name autocfg /home/deathtrip/.cargo/registry/src/github.com-1ecc6299db9ec823/autocfg-1.0.0/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi --crate-type lib --emit=dep-info,metadata,link -C opt-level=3 -Cembed-bitcode=no -C metadata=01e52fd72c546e12 -C extra-filename=-01e52fd72c546e12 --out-dir /tmp/makepkg/tealdeer/src/tealdeer-1.3.0/target/release/deps -L dependency=/tmp/makepkg/tealdeer/src/tealdeer-1.3.0/target/release/deps --cap-lints allow (signal: 6, SIGABRT: process abort signal)

Happens when some crates for the packages are compiled. When I removed the preloading of hardened_malloc, it compiled fine.

closed time in 8 hours

deathtrip

issue comment GrapheneOS/hardened_malloc

errors when compiling rust packages

hardened_malloc is detecting dangerous undefined behavior indicating a type confusion bug / exploit and is aborting. It needs to be fixed in the program where it occurs. This is a feature of hardened_malloc.

deathtrip

comment created time in 8 hours

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha f7155326a9e9d36cd4cbf604e6e8258ef49380b0

release tag

push time in 8 hours

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha ddfe87a94fb56ba1075cdfe57ed4aaa0b7b56e95

experimental -> less mature

push time in 8 hours

created tag GrapheneOS/platform_manifest

tag QQ3A.200805.001.2020.08.03.22

Repo manifest for the GrapheneOS mobile privacy and security hardening project.

created time in 8 hours

created tag GrapheneOS/vendor_linaro

tag QQ3A.200805.001.2020.08.03.22

Minimal vendor files for testing on HiKey and HiKey 960. Not suitable for production usage.

created time in 9 hours

created tag GrapheneOS/Vanadium

tag QQ3A.200805.001.2020.08.03.22

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS repositories and doesn't include patches not relevant to the build targets used on GrapheneOS.

created time in 9 hours

created tag GrapheneOS/script

tag QQ3A.200805.001.2020.08.03.22

Scripting for generating signed production releases of AOSP and metadata for the Updater app along with partially automated maintenance of out-of-tree patch sets.

created time in 9 hours

created tag GrapheneOS/platform_packages_apps_Updater

tag QQ3A.200805.001.2020.08.03.22

Automatic background updater for Android. Primarily intended for use with A/B updates but has a fallback path for the legacy recovery system too. See https://github.com/GrapheneOS/script/blob/10/generate_metadata.py for the server metadata generation tool.

created time in 9 hours

created tag GrapheneOS/platform_external_seedvault

tag QQ3A.200805.001.2020.08.03.22

Prebuilt repository for https://github.com/stevesoltys/seedvault.

created time in 9 hours

created tag GrapheneOS/platform_external_vanadium

tag QQ3A.200805.001.2020.08.03.22

Vanadium integration for GrapheneOS. See https://github.com/GrapheneOS/Vanadium for the Vanadium build configuration and patches.

created time in 9 hours

created tag GrapheneOS/platform_external_PdfViewer

tag QQ3A.200805.001.2020.08.03.22

PdfViewer app prebuilt using the latest official release of the PdfViewer app.

created time in 9 hours

created tag GrapheneOS/platform_external_Auditor

tag QQ3A.200805.001.2020.08.03.22

Auditor app prebuilt using the latest official release of the Auditor app.

created time in 9 hours

created tag GrapheneOS/kernel_google_coral_techpack_audio

tag QQ3A.200805.001.2020.08.03.22

Pixel 4 and Pixel 4 XL audio driver sources.

created time in 9 hours

created tag GrapheneOS/kernel_google_coral_drivers_staging_qcacld-3.0

tag QQ3A.200805.001.2020.08.03.22

Pixel 4 and Pixel 4 XL Wi-Fi kernel driver sources.

created time in 9 hours

created tag GrapheneOS/kernel_google_crosshatch_techpack_audio

tag QQ3A.200805.001.2020.08.03.22

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL audio driver sources.

created time in 9 hours

created tag GrapheneOS/kernel_google_crosshatch_drivers_staging_qcacld-3.0

tag QQ3A.200805.001.2020.08.03.22

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL Wi-Fi kernel driver sources.

created time in 9 hours

created tag GrapheneOS/hardened_malloc

tag QQ3A.200805.001.2020.08.03.22

Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability / integration over time.

created time in 9 hours

created tag GrapheneOS/device_google_coral-kernel

tag QQ3A.200805.001.2020.08.03.22

Pixel 4 and 4 XL kernel prebuilts.

created time in 9 hours

created tag GrapheneOS/branding

tag QQ3A.200805.001.2020.08.03.22

Stub repository for future branding of the OS including wallpapers, boot animations, etc.

created time in 9 hours

created tag GrapheneOS/android-prepare-vendor

tag QQ3A.200805.001.2020.08.03.22

Set of scripts to automate AOSP compatible vendor blobs generation from factory images

created time in 9 hours

created tag GrapheneOS/kernel_google_crosshatch

tag QQ3A.200805.001.2020.08.03.22

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL kernel sources.

created time in 9 hours

created tag GrapheneOS/kernel_google_coral

tag QQ3A.200805.001.2020.08.03.22

Pixel 4 and Pixel 4 XL kernel sources.

created time in 9 hours

created tag GrapheneOS/kernel_google_wahoo

tag QQ3A.200805.001.2020.08.03.22

Pixel 2 and Pixel 2 XL kernel sources.

created time in 9 hours

created tag GrapheneOS/platform_system_sepolicy

tag QQ3A.200805.001.2020.08.03.22

Base SELinux policy

created time in 9 hours

created tag GrapheneOS/platform_packages_apps_Messaging

tag QQ3A.200805.001.2020.08.03.22

Messaging app

created time in 9 hours

created tag GrapheneOS/platform_packages_apps_Launcher3

tag QQ3A.200805.001.2020.08.03.22

GrapheneOS launcher app

created time in 9 hours

push event GrapheneOS/platform_manifest

The Android Open Source Project

commit sha 458a84154e391e7d0cd4f87ab17955bcfb3b4310

Manifest for Android 10.0.0 Release 41 (QQ3A.200805.001)

Change-Id: I1d39b174990930e45acf023e1cfe947e6475b5a0

Daniel Micay

commit sha 2b45c560fe31dd65a814826d288d930eb79cfb73

set up AOSP remote

Daniel Micay

commit sha 4be892df33634c3eb63b23d498fa167da07289ee

set up GrapheneOS remote

Daniel Micay

commit sha 2ec77eca0b6c95e4289b2a7f544ce208d426eacb

add script

Daniel Micay

commit sha 6f5267a915b015507e5f14dd369de4e5116c5fe4

add branding

Daniel Micay

commit sha 9af245e13c4245647089e07d83788f5c2daf6cf3

drop support for macOS as a build environment

The second tier macOS build support in AOSP is inappropriate for this project. It isn't worth buying expensive hardware and expending effort porting and testing toolchain changes just to preserve partial support for building on a platform poorly suited for use as a build environment in the first place.

Daniel Micay

commit sha 878900d5cacfbc3807cb055f787b8949b063bc26

remove unused platform/packages/apps/LegacyCamera

Daniel Micay

commit sha 1e761e9102b30785ba31a0a9d98933e3bc4c2f2a

use fork of device/google/wahoo

Daniel Micay

commit sha c88c378f945e1ffb9712c5b108d3d3acd0fbab53

use fork of device/google/muskie

Daniel Micay

commit sha 5b0a4f0a29c9951e99625796c151a185b0bf1d54

use fork of device/google/taimen

Daniel Micay

commit sha fc7fc93dd8f9de1635b4f77310556e5f045ce3b8

use fork of device/google/crosshatch

Daniel Micay

commit sha 3fdd3437580edfaac402f33a34c639cc4506ab88

use fork of device/google/crosshatch-sepolicy

Daniel Micay

commit sha 05041371a4cce07158387c94f56410a1405d32a0

use fork of device/google/bonito

Daniel Micay

commit sha 9a14ef383df0545b99f64f96671c6935df26e063

use fork of device/google/bonito-sepolicy

Daniel Micay

commit sha 458159945d8edb8633f8b176a7af571a1fb53d6a

use fork of device/google/coral

Daniel Micay

commit sha 9b80031a3aa953862c3eea4b4b4391b6beb3ad52

use fork of device/google/coral-sepolicy

Daniel Micay

commit sha e90f76636855f063dca195e1367b48fe827ce1e7

add kernel/google/wahoo

Daniel Micay

commit sha 0fac85b564beba0f0a91dfbb976747b90c132770

add kernel/google/crosshatch

Daniel Micay

commit sha 12ab8b25d6dd42dd1ee102c0daa135b26131d9fc

add kernel/google/coral

Daniel Micay

commit sha 376bb3e5bdb2a1112ef9d1d084b99798142eee63

use fork of platform/build

push time in 9 hours

created tag GrapheneOS/platform_build

tag QQ3A.200805.001.2020.08.03.22

Make Build System (being phased out upstream)

created time in 9 hours

created tag GrapheneOS/platform_bionic

tag QQ3A.200805.001.2020.08.03.22

Hardened Android standard C library. Some of the past hardening has not yet been ported from Marshmallow, Nougat and Oreo to this Android Pie repository. Most is available via archived tags in https://github.com/AndroidHardeningArchive/platform_bionic (check both the most recent Oreo and Nougat tags).

created time in 9 hours

created tag GrapheneOS/kernel_configs

tag QQ3A.200805.001.2020.08.03.22

Base and recommended kernel configurations. The base configurations are enforced by the VTS and are modified to permit GrapheneOS changes.

created time in 9 hours

created tag GrapheneOS/device_linaro_hikey

tag QQ3A.200805.001.2020.08.03.22

HiKey and HiKey 960 device sources.

created time in 9 hours

created tag GrapheneOS/device_google_wahoo

tag QQ3A.200805.001.2020.08.03.22

Common Pixel 2 and Pixel 2 XL device sources.

created time in 9 hours

created tag GrapheneOS/device_google_taimen

tag QQ3A.200805.001.2020.08.03.22

Pixel 2 XL device sources not shared with the Pixel 2.

created time in 9 hours

created tag GrapheneOS/device_google_muskie

tag QQ3A.200805.001.2020.08.03.22

Pixel 2 device sources not shared with the Pixel 2 XL.

created time in 9 hours

created tag GrapheneOS/device_google_crosshatch-sepolicy

tag QQ3A.200805.001.2020.08.03.22

Pixel 3 and Pixel 3 XL device SELinux policy extensions.

created time in 9 hours

created tag GrapheneOS/device_google_crosshatch

tag QQ3A.200805.001.2020.08.03.22

Pixel 3 and Pixel 3 XL device sources.

created time in 9 hours

created tag GrapheneOS/device_google_coral-sepolicy

tag QQ3A.200805.001.2020.08.03.22

Pixel 4 and Pixel 4 XL SELinux policy extensions.

created time in 9 hours

created tag GrapheneOS/device_google_coral

tag QQ3A.200805.001.2020.08.03.22

Common Pixel 4 and Pixel 4 XL device sources.

created time in 9 hours

created tag GrapheneOS/device_google_bonito-sepolicy

tag QQ3A.200805.001.2020.08.03.22

Pixel 3a and Pixel 3a XL SELinux policy extensions.

created time in 9 hours

created tag GrapheneOS/device_google_bonito

tag QQ3A.200805.001.2020.08.03.22

Pixel 3a and Pixel 3a XL device sources.

created time in 9 hours

created tag GrapheneOS/device_generic_goldfish

tag QQ3A.200805.001.2020.08.03.22

Temporary fork until Android 11 when the Python compatibility issue is resolved upstream.

created time in 9 hours

created tag GrapheneOS/device_common

tag QQ3A.200805.001.2020.08.03.22

Common device sources.

created time in 9 hours

issue closed GrapheneOS/PdfViewer

publish to f-droid?

Hey, would be great if you could publish the app also on the f-droid store. Thanks!

closed time in 9 hours

szaimen

issue comment GrapheneOS/PdfViewer

publish to f-droid?

Developers don't choose to publish their app in the main F-Droid repository. It's not up to me. Take it up with them. They published a poorly done, unmaintained fork of an early version of this code instead without security updates or a completed sandbox.

szaimen

comment created time in 9 hours

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha f43ad3dd499adb064a1ad37f7279bbd6c0baefd0

release notes

Daniel Micay

commit sha bb7eb2f980a8045c6e30733af1bd0ff83b656b95

fix order in changelog section

push time in 10 hours

issue comment GrapheneOS/os_issue_tracker

can't route audio via usb

I'm not able to reproduce any issues like this with audio routing on any of the supported devices. You may have changed something in developer settings or via adb shell which led to this issue. Backing up and doing a factory reset may be a good idea. You can use Seedvault to back up apps that do not disable backup support but you need to manually back up your home directory.

philonoistatriseupnet

comment created time in 11 hours

issue comment GrapheneOS/os_issue_tracker

can't route audio via usb

The DAC is irrelevant. It works with a stock Pixel 2.

If you won't provide necessary information, nothing can be done about your issue report.

philonoistatriseupnet

comment created time in 11 hours

issue comment GrapheneOS/os_issue_tracker

can't route audio via usb

Pixels don't have a DAC. Only digital audio is supported.

philonoistatriseupnet

comment created time in 11 hours

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 83fa2aa830aa1b83d0f49356a73ead5857043603

August release notes

push time in 18 hours

push event GrapheneOS/script

Daniel Micay

commit sha 32c45fd8b0d73202a596e5488f6e088e8832691d

add missing .txt extension for build date

push time in a day

push event GrapheneOS/device_google_coral-kernel

Daniel Micay

commit sha 6422f8a5434961e5c5b3270137d9a9ce0d0e6ff7

August update

push time in a day

push event GrapheneOS/kernel_google_coral

Daniel Micay

commit sha 733065478565eaa7c1aaf1461a6e0a4c7867f0be

update drivers/staging/qcacld-3.0 for August

push time in a day

push event GrapheneOS/kernel_google_coral_drivers_staging_qcacld-3.0

Abhishek Ambure

commit sha d85e8a2ab13139550b6725bcead23ab1cda4b055

qcacld-3.0: Add max index check for dscp_to_up_map array

In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array.

Bug: 153345312
Test: Regression test
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764

Ashish Kumar Dhanotiya

commit sha dc0323d743d82ea15802a092c7c2a96de6ba7534

qcacld-3.0: Validate assoc response IE len before copy

When host sends assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Bug: 153344687
Test: Regression test
Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2583124

Harrison Lingren

commit sha 6972e1915dee23f09528995868f202b142f79e78

Merge 'android-msm-floral-4.14-qt-security-next' into android-msm-floral-4.14-qt

JUL 2020.1

Bug: 155195872
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I5c230d00dc745dbcfe13dfcbac7647ef5c3f88fa

SecurityBot AutoMerger

commit sha 507ab41f37dd6e4e061fdd50e965668a78d598a0

Merge android-msm-floral-4.14-qt into android-msm-floral-4.14-qt-qpr1

SBMerger: 284775313
Change-Id: Icf6d12dd215a0713692b0f3b23f3b5ab0d867e7e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 73d3553944a28e719bf56ef3ca0b8b18d12c17ac

Merge android-msm-floral-4.14-qt-qpr1 into android-msm-floral-4.14-qt-qpr2

SBMerger: 284775313
Change-Id: I11dccf1350203fe54480d64090511dc924f5213f
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha c0b3c408bbfb3987875f575a335d7cdc465ed06a

Merge android-msm-floral-4.14-qt-qpr2 into android-msm-floral-4.14-qt-qpr3

SBMerger: 284775313
Change-Id: I823fdc146a7907cf8eaedc3491a1b7bfd5536d8d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Pragaspathi Thilagaraj

commit sha a6ccae05ac2ad4c1f55c2da5c40b9fbc2244f4cb

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe. Validate the len against total IE length to avoid overflow.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
Bug: 155653491
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

Gururaj Pandurangi

commit sha 9fccb7d5f3cf3f9d6ba2ffb153caaf7d5b7536d0

qcacld-3.0: Fix while condition in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, do while loop is checked for BcnNumIes if it is greater than IE length 0. Fix the check to be greater than 2 as the first two bytes are the IE header (element ID and IE length fields, both 1 byte each).

Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2626729
Bug: 155654263
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

Ashish Kumar Dhanotiya

commit sha c43f8339d2b46c33656198d592147a59d4809d9f

qcacld-3.0: Validate assoc response IE len before copy

When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2575144
Bug: 155654321
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

Harrison Lingren

commit sha ed007124fcb07a2c7199ce32fa73bb85f0665765

Merge branch 'android-msm-floral-4.14-qt-security-next' into android-msm-floral-4.14-qt

AUG 2020.1

Bug: 157953751
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: Id6925721081beb69dad67b37531497e160f7d7d7

SecurityBot AutoMerger

commit sha 7cea59ce256738bffa518e5b941acdfe37f7160a

Merge android-msm-floral-4.14-qt into android-msm-floral-4.14-qt-qpr1

SBMerger: 284775313
Change-Id: I459272f81c773184853dfc261278095a277d79ff
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 1e3f8ce9249d13a81a69c9fa87afbc719ec4f431

Merge android-msm-floral-4.14-qt-qpr1 into android-msm-floral-4.14-qt-qpr2

SBMerger: 284775313
Change-Id: I04c634c00ca85e79396bd4ff4f2093012c1ba1ce
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha ca7e7e68a0e53888e2f5550f6b6f16eb7ad44be4

Merge android-msm-floral-4.14-qt-qpr2 into android-msm-floral-4.14-qt-qpr3

SBMerger: 284775313
Change-Id: I9796368224ee5f72eb2e9bfeb3cc5af57b5fe133
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Daniel Micay

commit sha 7795af0948fd9858e5139427eaea0cd3181b332e

set TARGET_BUILD_VARIANT to user when unset

Daniel Micay

commit sha f495a7b5e4504ee0c7426d1a39845a3e84e34aba

fix WLAN_ROOT

Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>

Daniel Micay

commit sha 3e2108c2df98ab2e4a63ef378a2ec590ee017c68

disable broken Kconfig support

Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>

Luca Stefani

commit sha 33f9f91430b9b0f01e7bac56a61f5fc2a1b1f2b7

qcacld: Disable build timestamp

Change-Id: I8b917928671f14caedf2401eeb92ea07a184f351
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>

push time in a day

push event GrapheneOS/kernel_google_crosshatch

Daniel Micay

commit sha c5a1fea4240e75528f8f4efd57bd32e583bc0259

update drivers/staging/qcacld-3.0 for August

push time in a day

push event GrapheneOS/kernel_google_crosshatch_drivers_staging_qcacld-3.0

Ashish Kumar Dhanotiya

commit sha 614a30b3c2388e2b3325377ef60d5d122aa41aec

qcacld-3.0: Validate assoc response IE len before copy

When host sends assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Bug: 153344687
Test: Regression test
Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2583124

Abhishek Ambure

commit sha 6e094d3e5c3544ff04f75454979025a2f4795e40

qcacld-3.0: Add max index check for dscp_to_up_map array

In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array.

Bug: 153345312
Test: Regression test
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764

Harrison Lingren

commit sha a2b31c76ff9609997e81d3f88601a9dd10debcc2

Merge 'android-msm-pixel-4.9-qt-security-next' into android-msm-pixel-4.9-qt

JUL 2020.1

Bug: 155195707
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I7cf4254f80bba478b7755f7d42ef40562eeea112

SecurityBot AutoMerger

commit sha e515b965340b03ce3d88cfee6aefc2be58f78b48

Merge android-msm-pixel-4.9-qt into android-msm-pixel-4.9-qt-qpr1

SBMerger: 284775313
Change-Id: Ia01b61ae8445daaec5540a17191b2973de1350da
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha d4df0084d3997af0dc435214f7b5ca940c0fadf6

Merge android-msm-pixel-4.9-qt-qpr1 into android-msm-pixel-4.9-qt-qpr2

SBMerger: 284775313
Change-Id: Id67342a31d51a7b2c047449c175ddad3beb360d6
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha aa076ee9c69e4e294295635e964c1d75e2f4f138

Merge android-msm-pixel-4.9-qt-qpr2 into android-msm-pixel-4.9-qt-qpr3

SBMerger: 284775313
Change-Id: I2837d212e9139f74a21bf6ee062cfd900b16cf94
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Ashish Kumar Dhanotiya

commit sha 725e65c70af7878f9cfdf779ce53bf93fd0e8a5b

qcacld-3.0: Validate assoc response IE len before copy

When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Bug: 155654321
Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2575144

Pragaspathi Thilagaraj

commit sha fa4f0754b2f8e2f1712abe3f0f835b024e769b13

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe. Validate the len against total IE length to avoid overflow.

Bug: 155653491
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329

Gururaj Pandurangi

commit sha 6b04742bda039bd3a19858f8c05cf92d95a67a82

qcacld-3.0: Fix while condition in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, do while loop is checked for BcnNumIes if it is greater than IE length 0. Fix the check to be greater than 2 as the first two bytes are the IE header (element ID and IE length fields, both 1 byte each).

Bug: 155654263
Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2626729

Harrison Lingren

commit sha ae55a6e8546070f4f0d666aa668039d2ccda715d

Merge branch 'android-msm-pixel-4.9-qt-security-next' into android-msm-pixel-4.9-qt

AUG 2020.1

Bug: 157954141
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I78b3bf5fcd9d56f26dc22d6b2b1c12f6b89c3309

SecurityBot AutoMerger

commit sha dff5411a4587060b2a3feb8f1c6de05bcdd3db4b

Merge android-msm-pixel-4.9-qt into android-msm-pixel-4.9-qt-qpr1

SBMerger: 284775313
Change-Id: If7e19d45847f1932736c291d174c8c68c0ae44d3
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 9e6fe3400564dc0f10e82ce91591ee6f46bc0170

Merge android-msm-pixel-4.9-qt-qpr1 into android-msm-pixel-4.9-qt-qpr2

SBMerger: 284775313
Change-Id: I9f428cfe9b69bc74553e4454435acd5ce5c67c70
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha e93c969b99c7cfb8d3533fa3acb50be9e65a1d25

Merge android-msm-pixel-4.9-qt-qpr2 into android-msm-pixel-4.9-qt-qpr3

SBMerger: 284775313
Change-Id: Iced89e0c48cf34e4d49071832c9c692cbe46b4af
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Daniel Micay

commit sha da8cdf0c99a29ed98785a66b43c750cb4796c00f

set TARGET_BUILD_VARIANT to user when unset

Daniel Micay

commit sha f549e3bed759b798676bc3a3090e7394403422f4

fix WLAN_ROOT

Daniel Micay

commit sha 784c96503b5cf359757bfeba9eb7715ebb64c4a1

disable broken Kconfig support

Daniel Micay

commit sha a057606c92a27edb68fec3a41854290b4c86f58e

disable build tag for deterministic builds

push time in a day

push event GrapheneOS/kernel_google_crosshatch

Alan Stern

commit sha 2b57e75447ceb20eee81313bc9dd2ce9d949bc66

USB: core: Fix free-while-in-use bug in the USB S-G library

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
__kasan_report+0x153/0x1cb mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_read+0x11/0x20 mm/kasan/common.c:95
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any sort of reference to the transfer, and so there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Bug: 156071259
Change-Id: I073b942a9bb87fa4fc2f94e1ca245ff50f919b4f
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Paul Moore

commit sha f7bb27625e17363b5292be6b4a66bafb587bc2a2

selinux: properly handle multiple messages in selinux_netlink_send()

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.

Fix the SELinux netlink_send hook to properly handle multiple netlink messages in a single sk_buff; each message is parsed and subject to SELinux access control. Prior to this patch, SELinux only inspected the first message in the sk_buff.

Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 155485360
Change-Id: Ic0678017384c584e7a0a9f75a384673e843cdded
Signed-off-by: Harrison Lingren <hlingren@google.com>

Harrison Lingren

commit sha ecb6b79d2aad544f99b23c771c987efdc33a8ef9

Merge branch 'android-msm-pixel-4.9-qt-security-next' into android-msm-pixel-4.9-qt

AUG 2020.1

Bug: 157954141
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I89c5c4573e5da5c6b55b46b3174526ca3f0f4507

SecurityBot AutoMerger

commit sha 722fc2cafadd2610ac847ac9c67bbfbfacf13049

Merge android-msm-pixel-4.9-qt into android-msm-pixel-4.9-qt-qpr1

SBMerger: 284775313
Change-Id: Ib13ac371f42ee9aa5286190828952611c1d2bdbb
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 3193ab976092f6c3fe922acc49b194dd1aa93b11

Merge android-msm-pixel-4.9-qt-qpr1 into android-msm-pixel-4.9-qt-qpr2 SBMerger: 284775313 Change-Id: Ibdb0ed13ae55d8df06eeadecfe1db80cc600fd7e Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

view details

SecurityBot AutoMerger

commit sha dee0d123b122058c6eeeee7cec14548e2c037131

Merge android-msm-pixel-4.9-qt-qpr2 into android-msm-pixel-4.9-qt-qpr3 SBMerger: 284775313 Change-Id: I958a42c50c68942531adb73a0781b50baf2f74a3 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

view details

Daniel Micay

commit sha d13d8075ad28ddae681291fcc7b2dec621aca4e1

avoid Android build system conflicts

view details

Daniel Micay

commit sha 33b9d05f7193aa36dc65367d91919db894315677

split blueline / crosshatch kernel configuration

view details

Daniel Micay

commit sha eab1d74f6c1d1dddba05cb0e79ce83adae5c5f4a

build in crosshatch kernel modules

view details

Daniel Micay

commit sha f0e9447683f04098fd4c730f25d2e333cf763f21

build in blueline kernel modules

view details

Daniel Micay

commit sha 9e6bdd6313ffded97daa37e650ffb1f6a7619469

build in bonito kernel modules

view details

Daniel Micay

commit sha e99f24c878d7de7912ea4ce19e80642450179433

add qcacld submodules

view details

Daniel Micay

commit sha 62acc0d87230eddeb41c411cc85552ba6833c8be

add qcacld-3.0 driver to staging

view details

Daniel Micay

commit sha 740aa140cb5a23af1cd23f23cb2fd0ef6fbe8f6f

enable CONFIG_QCA_CLD_WLAN

view details

Daniel Micay

commit sha cbeeeba6381a56ae3880701f05b922f6e1b8bfe5

remove techpack gitignore rules

view details

Daniel Micay

commit sha 60efb6a4216cdbed5abf018bf467ee871e7f7bb9

add techpack/audio submodule

view details

Artem Labazov

commit sha 21f9ca9b38c09567b294c4b6ee16a2dbad4d5386

Revert "input: touchscreen: sec_ts: flash firmware before probe returns" With this patch, driver halts kernel if firmware is not (yet) available. This reverts commit 44b86147c13e50fa9da9ab8cdb1f0b8d94392d44.

view details

Daniel Micay

commit sha 338b521e4a902ed28186a3a01962ecf1f3ce5f9f

disable LCD_CLASS_DEVICE

view details

Daniel Micay

commit sha 94790912a7fcdc7e27a7e4d51605347eaff47c1d

mark functions with address taken via assembly This fixes compatibility with CFI in a build with !CONFIG_MODULES.

view details

Daniel Micay

commit sha 85951234ac1cf070234ddd2f24ce7e2b1cbf8f45

disable module support This substantially improves the granularity of CFI by allowing the compiler to identify that a massive number of functions called be indirectly called due to never having their address taken. The CONFIG_KPROBES option depends on CONFIG_MODULES so it gets disabled too. The CONFIG_DIAG_CHAR, CONFIG_HW_RANDOM and CONFIG_BACKLIGHT_CLASS_DEVICE options use 'default m' and no longer need that overridden since they get built-in by default now.

view details

push time in a day

push event GrapheneOS/kernel_google_coral

Alan Stern

commit sha 38e9cf2f87772e19c9d48b0f8123786529d8a03d

USB: core: Fix free-while-in-use bug in the USB S-G library

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
__kasan_report+0x153/0x1cb mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_read+0x11/0x20 mm/kasan/common.c:95
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any sort of reference to the transfer, and so there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Bug: 156071259
Change-Id: I59a634e0a588e0175d4405a408c7d3e2106a61ee
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Paul Moore

commit sha b31f2ff5673b7651d7519228959eed89ce944a89

selinux: properly handle multiple messages in selinux_netlink_send()

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.

Fix the SELinux netlink_send hook to properly handle multiple netlink messages in a single sk_buff; each message is parsed and subject to SELinux access control. Prior to this patch, SELinux only inspected the first message in the sk_buff.

Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 155485360
Change-Id: Ic0678017384c584e7a0a9f75a384673e843cdded
Signed-off-by: Harrison Lingren <hlingren@google.com>

Harrison Lingren

commit sha a11d92804a9bfbbe9c64ccd4f02b9f0cc371a4a8

Merge branch 'android-msm-floral-4.14-qt-security-next' into android-msm-floral-4.14-qt

AUG 2020.1

Bug: 157953751
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I3b00af5291c5bb462599abcdb7f491e828dd294f

SecurityBot AutoMerger

commit sha e237a31a0fb467c1b0c08fd6405e101decee25da

Merge android-msm-floral-4.14-qt into android-msm-floral-4.14-qt-qpr1

SBMerger: 284775313
Change-Id: I9be4e814abd590be435d5267d8479d5de1e7bf73
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 275a8e738f44393d948390e453627b57fd239545

Merge android-msm-floral-4.14-qt-qpr1 into android-msm-floral-4.14-qt-qpr2

SBMerger: 284775313
Change-Id: I6930bbb052e9f61d95ea96520bd14c7467ed14c7
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 5513138224ab748c32ff20187aa5ef667f117674

Merge android-msm-floral-4.14-qt-qpr2 into android-msm-floral-4.14-qt-qpr3

SBMerger: 284775313
Change-Id: Iab16f51adba83fc6c92174a162d4bb1174073330
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Dmitry Dmitriev

commit sha f493f92954577377ba4684a3672eda6b05285eb3

avoid Android build system conflicts

Dmitry Dmitriev

commit sha 949be025ebb3ff471db3df002e46e33366200054

build in coral kernel modules

Dmitry Dmitriev

commit sha 4756bfe7aa384f25325f4621ef39efd940d13134

add qcacld submodules

Daniel Micay

commit sha 2e7e003359eedc60400d68576d33c79df8a1136b

add qcacld-3.0 driver to staging

Dmitry Dmitriev

commit sha 76d8dea2a72357c29d99829c4fccc18fba9107bf

enable CONFIG_QCA_CLD_WLAN

Daniel Micay

commit sha 0e0e50a1e236040b124a9e33c3ff7d2bdc474342

remove techpack gitignore rules

Dmitry Dmitriev

commit sha daa3db7d13df09f1e915820eb043f4f1a5428d78

add techpack/audio submodule

Dmitry Dmitriev

commit sha 06a7f22a2b913d9af59d557837a46c6f442e1e6d

add fts_touch submodule

Dmitry Dmitriev

commit sha d6874ffff0da00ad7f52d3b5d251e21f57acc8ca

add fts_touch driver to input/touchscreen

Dmitry Dmitriev

commit sha 9f732603a44a2af3d8fefd18bf36f2f14e9a9baa

enable CONFIG_TOUCHSCREEN_FTS

Dmitry Dmitriev

commit sha 63d0285834ffb173755f0f9f77c2d50b4111b8ac

disable module support

Daniel Micay

commit sha 254ac3e9c76387ad5efa718c5bfc8691239c97df

disable LKDTM

Daniel Micay

commit sha 0db9e0e1909ec42a1bd46f4dc8e269436a058de7

add build script

Daniel Micay

commit sha aec3bdb2a0f2c0d968f147f0b87717a0ac5ad61e

mark qcedev data const

push time in a day

push event GrapheneOS/kernel_google_wahoo

David Mosberger

commit sha edd9e79df4106265aed533d977508fb15ebbf0b3

drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit.

usb_submit_urb() may take quite long to execute. For example, a single sg list may have 30 or more entries, possibly leading to that many calls to DMA-map pages. This can cause interrupt latency of several hundred micro-seconds.

Avoid the problem by releasing the io->lock spinlock and re-enabling interrupts before calling usb_submit_urb(). This opens races with usb_sg_cancel() and sg_complete(). Handle those races by using usb_block_urb() to stop URBs from being submitted after usb_sg_cancel() or sg_complete() with error.

Note that usb_unlink_urb() is guaranteed to return -ENODEV if !io->urbs[i]->dev and since the -ENODEV case is already handled, we don't have to check for !io->urbs[i]->dev explicitly.

Before this change, reading 512MB from an ext3 filesystem on a USB memory stick showed a throughput of 12 MB/s with about 500 missed deadlines. With this change, reading the same file gave the same throughput but only one or two missed deadlines.

Bug: 156071259
Signed-off-by: David Mosberger <davidm@egauge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I47b14ffdcea148744e72649d558e2166fca21670

David Mosberger

commit sha 3d6cd622f0652c72cb17e991e2a7cddf9287dd10

drivers: usb: core: Minimize irq disabling in usb_sg_cancel()

Restructure usb_sg_cancel() so we don't have to disable interrupts while cancelling the URBs.

Bug: 156071259
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: David Mosberger <davidm@egauge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I599dc5accde07c7385976f5c89f5c01fa5deedec

Alan Stern

commit sha cd1e46e21aab3fd99572bd2c9df48bc061677ae6

USB: core: Fix free-while-in-use bug in the USB S-G library

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
__kasan_report+0x153/0x1cb mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_read+0x11/0x20 mm/kasan/common.c:95
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any sort of reference to the transfer, and so there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Bug: 156071259
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ifb2ca5ea0580230eb8344fe4bcce380f7b641e7c

Ashish Kumar Dhanotiya

commit sha 576060a0d7ee72b6ab0986ac7c88521cf34d8153

qcacld-3.0: Validate assoc response IE len before copy

When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size.

To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Bug: 155654321
Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2575144

Pragaspathi Thilagaraj

commit sha 9432510d597769c24c8d99e19a76f432c151e415

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe.

Validate the len against total IE length to avoid overflow.

Bug: 155653491
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329

Gururaj Pandurangi

commit sha 474861186e92a1958bf9cd5116e60cda634ed162

qcacld-3.0: Fix while condition in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, do while loop is checked for BcnNumIes if it is greater than IE length 0. Fix the check to be greater than 2 as the first two bytes are the IE header (element ID and IE length fields, both 1 byte each).

Bug: 155654263
Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2626729

Paul Moore

commit sha 58ed7b6f30dfd143e788ab82cb619e324ca402d2

selinux: properly handle multiple messages in selinux_netlink_send()

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.

Fix the SELinux netlink_send hook to properly handle multiple netlink messages in a single sk_buff; each message is parsed and subject to SELinux access control. Prior to this patch, SELinux only inspected the first message in the sk_buff.

Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 155485360
Change-Id: Ic0678017384c584e7a0a9f75a384673e843cdded
Signed-off-by: Harrison Lingren <hlingren@google.com>

Harrison Lingren

commit sha 6cf293945a89fec249d9d989b4af806792143e44

Merge branch 'android-msm-wahoo-4.4-qt-security-next' into android-msm-wahoo-4.4-qt

AUG 2020.1

Bug: 157953689
Change-Id: I97bbccefc3f70a5bf19a48cffe99e74b2ff53e79
Signed-off-by: Harrison Lingren <hlingren@google.com>

SecurityBot AutoMerger

commit sha 95b165e154ca79415a1ab0651c35ba8bf780ac99

Merge android-msm-wahoo-4.4-qt into android-msm-wahoo-4.4-qt-qpr1

SBMerger: 284775313
Change-Id: I6208ae8e472242b5b61cd33d5c484be5815100e4
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 3f41b8161e1df807e88bb43f88f239175f647976

Merge android-msm-wahoo-4.4-qt-qpr1 into android-msm-wahoo-4.4-qt-qpr2

SBMerger: 284775313
Change-Id: I5aeebe35f85de9b943a02dc83bb41cf68447afa5
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

SecurityBot AutoMerger

commit sha 4fecde07e68d06a964647476fb1e7940719d44a0

Merge android-msm-wahoo-4.4-qt-qpr2 into android-msm-wahoo-4.4-qt-qpr3

SBMerger: 284775313
Change-Id: I3b644a8f6cf2c3344af7c512dc469da26c41dac3
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

Daniel Micay

commit sha e0afcac2612cf2b7af505c5f7c2208cc640c2b15

split taimen / walleye configuration

Daniel Micay

commit sha cd4086facbbbf76c6cca92da242b3b154d5ef7fc

build in taimen kernel modules

Daniel Micay

commit sha 54bc0cea04ed5c5766213d32f1bcf8742623f6da

build in walleye kernel modules

Daniel Micay

commit sha 7256ef0fa179b6ff86c48da2a9f11a4981a60517

disable module support

The CONFIG_DIAG_CHAR and CONFIG_HW_RANDOM options use 'default m' and no longer need that overridden since they get built-in by default now.

Nathan Chancellor

commit sha 3cf41560f126d2a86f0d17577c20b8edc4a76de4

lge_battery: Use EPROBE_DEFER instead of ENODEV during probe

When this driver is built into the kernel image, it is loaded during device_initcall; however, this is too early because the parallel power supply is not up yet and the driver fails to load (as verified with logging). While this normally wouldn't be a problem with a platform driver due to the probe function, it is here because LG returns -ENODEV instead of -EPROBE_DEFER so the driver never attempts to reload. Without this driver, fast charging does not work, leading to a poor user experience.

One other solution is to move to a later initcall, like late_initcall as was done in commit 32d86fe33640 ("power: {lge,htc}_battery: Use late_initcall instead of module_initcall") but I believe this is the better one as the probe functionality specifically works for this use case.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

Nathan Chancellor

commit sha 4c9280ddab8c5889af2c93cf1f617ae81cb0a2f5

lge_battery: Defer probe if battery ID is zero

A battery ID is only going to be zero if the resistance is returned as zero by fg_get_battery_resistance, which appears to only happen when the battery ID hasn't been loaded, according to logging on boot. This avoids the -EINVAL return trigger below since commit 0277be04135e ("qpnp-fg-gen3: Move getting battery id and profile to profile_load_work") delays the battery ID getting loaded.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

Daniel Micay

commit sha 304aa46f8ed36d65e0abee1c7f57be021c07b959

add build script

Scott Bauer

commit sha 484b235d7e1ab76f67cc82e69955a60ca023380c

crypto: qce50: Init sg don't just add pages to it

Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>

Daniel Micay

commit sha 2dd7ae8ddd6d8a459bf70c6c61af80354bc83324

mark qcedev data const

push time in a day

push eventGrapheneOS/kernel_google_wahoo

David Mosberger

commit sha edd9e79df4106265aed533d977508fb15ebbf0b3

drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. usb_submit_urb() may take quite long to execute. For example, a single sg list may have 30 or more entries, possibly leading to that many calls to DMA-map pages. This can cause interrupt latency of several hundred micro-seconds. Avoid the problem by releasing the io->lock spinlock and re-enabling interrupts before calling usb_submit_urb(). This opens races with usb_sg_cancel() and sg_complete(). Handle those races by using usb_block_urb() to stop URBs from being submitted after usb_sg_cancel() or sg_complete() with error. Note that usb_unlink_urb() is guaranteed to return -ENODEV if !io->urbs[i]->dev and since the -ENODEV case is already handled, we don't have to check for !io->urbs[i]->dev explicitly. Before this change, reading 512MB from an ext3 filesystem on a USB memory stick showed a throughput of 12 MB/s with about 500 missed deadlines. With this change, reading the same file gave the same throughput but only one or two missed deadlines. Bug: 156071259 Signed-off-by: David Mosberger <davidm@egauge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I47b14ffdcea148744e72649d558e2166fca21670


David Mosberger

commit sha 3d6cd622f0652c72cb17e991e2a7cddf9287dd10

drivers: usb: core: Minimize irq disabling in usb_sg_cancel() Restructure usb_sg_cancel() so we don't have to disable interrupts while cancelling the URBs. Bug: 156071259 Suggested-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: David Mosberger <davidm@egauge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I599dc5accde07c7385976f5c89f5c01fa5deedec


Alan Stern

commit sha cd1e46e21aab3fd99572bd2c9df48bc061677ae6

USB: core: Fix free-while-in-use bug in the USB S-G library

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x153/0x1cb mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:95
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
 usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
 usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
 usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any sort of reference to the transfer, and so there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Bug: 156071259
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ifb2ca5ea0580230eb8344fe4bcce380f7b641e7c

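The S-G fix above works by holding a reference on the transfer for the whole of usb_sg_cancel(), so the URBs cannot be freed out from under the cancellation walk. The following is an added example, not the kernel's usb_sg_* code, that models that pattern single-threaded: a constructed `transfer` with a holder count, a completion path that frees the request array when the count reaches zero, the cancel walk with and without its own reference, and a `race` hook standing in for completions that land from interrupt context mid-walk. All struct and function names are constructed for this example.

```c
#include <stdlib.h>
#include <stdio.h>

struct req { int unlinked; };

struct transfer {
    int count;          /* outstanding holders, like io->count */
    int pending;        /* requests that have not completed yet */
    int nreqs;
    struct req *reqs;   /* NULL once freed */
    int freed;
};

typedef void (*race_fn)(struct transfer *io);

/* Drop one holder. The last one out frees the requests, which is what
 * io->complete does in the kernel when io->count reaches zero. */
static void transfer_put(struct transfer *io)
{
    if (--io->count == 0) {
        free(io->reqs);
        io->reqs = NULL;
        io->freed = 1;
    }
}

/* One request finishing, as sg_complete() does when its URB completes. */
void transfer_complete_one(struct transfer *io)
{
    if (io->pending > 0) {
        io->pending--;
        transfer_put(io);
    }
}

/* Race hook: every outstanding request completes at once, mid-cancel. */
void complete_all(struct transfer *io)
{
    while (io->pending > 0)
        transfer_complete_one(io);
}

/* Pre-fix shape: walk io->reqs without holding a reference. If the
 * remaining requests complete between iterations, the array is freed
 * underneath the walk. Returns -1 where the kernel would touch freed memory. */
int cancel_without_ref(struct transfer *io, race_fn race)
{
    for (int i = 0; i < io->nreqs; i++) {
        if (race)
            race(io);
        if (io->reqs == NULL)
            return -1;
        io->reqs[i].unlinked = 1;
    }
    return 0;
}

/* Fixed shape: hold a reference for the whole walk. Completions still run,
 * but cannot drive count to zero until we drop ours, by which point the
 * array is no longer touched. */
int cancel_with_ref(struct transfer *io, race_fn race)
{
    io->count++;
    for (int i = 0; i < io->nreqs; i++) {
        if (race)
            race(io);
        if (io->reqs == NULL)
            return -1;              /* cannot happen: our reference is held */
        io->reqs[i].unlinked = 1;
    }
    transfer_put(io);
    return 0;
}

/* Constructed transfer with n outstanding requests. */
struct transfer *transfer_new(int n)
{
    struct transfer *io = calloc(1, sizeof *io);
    io->reqs = calloc((size_t)n, sizeof *io->reqs);
    io->nreqs = io->count = io->pending = n;
    return io;
}

/* Returns the cancel result: -1 is the use-after-free window. */
int demo_cancel_without_ref(void)
{
    struct transfer *io = transfer_new(3);
    int r = cancel_without_ref(io, complete_all);
    free(io->reqs);
    free(io);
    return r;
}

/* Returns 0 if the walk finished and the transfer was then freed exactly
 * once (count back to zero), nonzero otherwise. */
int demo_cancel_with_ref(void)
{
    struct transfer *io = transfer_new(3);
    int r = cancel_with_ref(io, complete_all);
    int ok = (r == 0 && io->freed == 1 && io->count == 0) ? 0 : 1;
    free(io->reqs);
    free(io);
    return ok;
}

int main(void)
{
    printf("without reference: %d\n", demo_cancel_without_ref());
    printf("with reference: %d\n", demo_cancel_with_ref());
    return 0;
}
```

The model is deliberately sequential: the `race` hook fires at a point the real race would occur, which makes the ordering deterministic and lets the two walks be compared on identical input. What it does not model is the io->lock spinlock the kernel still holds around the count manipulation; the reference is what keeps the memory alive, the lock is what keeps the count itself consistent.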

Ashish Kumar Dhanotiya

commit sha 576060a0d7ee72b6ab0986ac7c88521cf34d8153

qcacld-3.0: Validate assoc response IE len before copy When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid the above issue, validate the assoc response IEs length against the allocated buffer size before copying data to the buffer. Bug: 155654321 Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78 CRs-Fixed: 2575144


Pragaspathi Thilagaraj

commit sha 9432510d597769c24c8d99e19a76f432c151e415

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies() In function rrm_fill_beacon_ies, the total IE length is calculated as the sum of the length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined as uint16_t and will overflow if *(pBcnIes + 1) = 0xfe. Validate the len against the total IE length to avoid overflow. Bug: 155653491 Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88 CRs-Fixed: 2573329


Gururaj Pandurangi

commit sha 474861186e92a1958bf9cd5116e60cda634ed162

qcacld-3.0: Fix while condition in rrm_fill_beacon_ies() In function rrm_fill_beacon_ies, the do-while loop checks whether BcnNumIes is greater than IE length 0. Fix the check to be greater than 2, as the first two bytes are the IE header (element ID and IE length fields, 1 byte each). Bug: 155654263 Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4 CRs-Fixed: 2626729

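The three qcacld-3.0 fixes above are all length checks on the same 802.11 IE layout: a 1-byte element ID, a 1-byte length, and `length` bytes of body, with the resulting list copied into fixed-size buffers. The following is an added example, not qcacld-3.0 code, showing a bounds-checked IE walk with the two checks those commits describe (a full 2-byte header must remain before one is read, and the claimed body must fit in what is left) together with a copy into a fixed buffer that refuses oversized input rather than writing past it. All function names, the buffer size and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_HDR_LEN 2   /* element ID byte + length byte */

/* Walk the IEs in ies[0..len). Returns the number of well-formed elements,
 * or -1 if a header or body would run past `len`. `bytes_parsed`, if
 * non-NULL, receives the offset at which the walk stopped. */
int ie_walk(const uint8_t *ies, size_t len, size_t *bytes_parsed)
{
    size_t off = 0;
    int count = 0;

    /* A full header must remain before ies[off + 1] is read. Looping while
     * `len - off > 0` would read the length byte of a trailing lone ID one
     * past the buffer, which is the while-condition bug fixed above. */
    while (len - off >= IE_HDR_LEN) {
        size_t body_len = ies[off + 1];

        /* Compare the claimed body against the space that remains, in
         * size_t, before advancing. Summing header + body into a narrow
         * running total (the uint16_t total in the overflow fix above) can
         * wrap and make an oversized element look like it fits. */
        if (body_len > len - off - IE_HDR_LEN)
            return -1;
        off += IE_HDR_LEN + body_len;
        count++;
    }
    if (bytes_parsed)
        *bytes_parsed = off;
    /* Anything left over is a partial header: the list is malformed. */
    return off == len ? count : -1;
}

/* Copy an IE list into a fixed-size buffer. Refuses oversized or malformed
 * input instead of truncating: a truncated list would end in a partial
 * element, and a larger one would write past `dst`. Returns the number of
 * bytes copied or -1. */
int ie_copy_bounded(uint8_t *dst, size_t dst_size,
                    const uint8_t *src, size_t src_len)
{
    if (src_len > dst_size)
        return -1;
    if (ie_walk(src, src_len, NULL) < 0)
        return -1;
    memcpy(dst, src, src_len);
    return (int)src_len;
}

/* Stand-in for the fixed-size caller buffer the assoc-response fix describes. */
#define ASSOC_IE_BUF_SIZE 8
static uint8_t assoc_ie_buf[ASSOC_IE_BUF_SIZE];

int copy_to_assoc_buf(const uint8_t *src, size_t src_len)
{
    return ie_copy_bounded(assoc_ie_buf, sizeof assoc_ie_buf, src, src_len);
}

/* Constructed samples. SSID IE (ID 0, len 4, "test") followed by a
 * Supported Rates IE (ID 1, len 2). */
static const uint8_t good_ies[]  = { 0x00, 0x04, 't', 'e', 's', 't', 0x01, 0x02, 0x82, 0x84 };
/* Second element claims a 0xfe-byte body with only 2 bytes left. */
static const uint8_t bad_ies[]   = { 0x00, 0x04, 't', 'e', 's', 't', 0x01, 0xfe, 0x82, 0x84 };
/* Trailing lone element ID with no length byte. */
static const uint8_t trunc_ies[] = { 0x00, 0x04, 't', 'e', 's', 't', 0x01 };

int main(void)
{
    printf("good: %d elements\n", ie_walk(good_ies, sizeof good_ies, NULL));
    printf("oversized body: %d\n", ie_walk(bad_ies, sizeof bad_ies, NULL));
    printf("truncated header: %d\n", ie_walk(trunc_ies, sizeof trunc_ies, NULL));
    printf("copy 10 bytes into 8: %d\n", copy_to_assoc_buf(good_ies, sizeof good_ies));
    printf("copy first IE (6 bytes): %d\n", copy_to_assoc_buf(good_ies, 6));
    return 0;
}
```

Rejecting rather than truncating is a design choice: a caller that silently received the first 8 of 10 bytes would hand the supplicant a list ending in a cut-off Supported Rates element, which just moves the parsing problem one layer up.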

Paul Moore

commit sha 58ed7b6f30dfd143e788ab82cb619e324ca402d2

selinux: properly handle multiple messages in selinux_netlink_send() commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream. Fix the SELinux netlink_send hook to properly handle multiple netlink messages in a single sk_buff; each message is parsed and subject to SELinux access control. Prior to this patch, SELinux only inspected the first message in the sk_buff. Cc: stable@vger.kernel.org Reported-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 155485360 Change-Id: Ic0678017384c584e7a0a9f75a384673e843cdded Signed-off-by: Harrison Lingren <hlingren@google.com>

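The SELinux fix above changes the netlink_send hook from inspecting one header to looping over every message in the sk_buff. As an added example that is not the kernel hook itself, the following walks a buffer of netlink messages the way nlmsg_ok()/nlmsg_next() do, applies a hypothetical per-message policy, and shows why the first-header-only version lets a second, denied message through. The header struct and alignment macro mirror <linux/netlink.h> but are redefined here so the example builds outside the kernel tree; the message type numbers, the policy and the sample buffer are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as struct nlmsghdr in <linux/netlink.h>. */
struct nlmsghdr {
    uint32_t nlmsg_len;    /* total length including this header */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1u) & ~(NLMSG_ALIGNTO - 1u))

/* Hypothetical per-message policy: nonzero if the sender may issue this type. */
typedef int (*nlmsg_policy_fn)(uint16_t type);

/* Read the header at buf[off] if one fits and its length field is sane:
 * the same three conditions as the kernel's nlmsg_ok(). */
static int nlmsg_at(const uint8_t *buf, size_t len, size_t off, struct nlmsghdr *out)
{
    if (len - off < sizeof *out)
        return 0;
    memcpy(out, buf + off, sizeof *out);      /* no unaligned cast */
    return out->nlmsg_len >= sizeof *out && out->nlmsg_len <= len - off;
}

/* Pre-fix shape: consult only the first header. A second message of a
 * denied type in the same buffer is never looked at. */
int netlink_check_first_only(const uint8_t *buf, size_t len, nlmsg_policy_fn policy)
{
    struct nlmsghdr nlh;
    if (!nlmsg_at(buf, len, 0, &nlh))
        return 0;
    return policy(nlh.nlmsg_type) ? 1 : -1;
}

/* Fixed shape: walk every message, stepping by the aligned length as
 * nlmsg_next() does, and stop at the first malformed fragment. Returns
 * the number of messages checked, or -1 at the first denied one. */
int netlink_check_all(const uint8_t *buf, size_t len, nlmsg_policy_fn policy)
{
    struct nlmsghdr nlh;
    size_t off = 0;
    int n = 0;

    while (off < len && nlmsg_at(buf, len, off, &nlh)) {
        if (!policy(nlh.nlmsg_type))
            return -1;
        n++;
        off += NLMSG_ALIGN(nlh.nlmsg_len);
    }
    return n;
}

/* Constructed data: the type numbers are arbitrary stand-ins, not real
 * rtnetlink values. */
#define TYPE_QUERY  18u   /* permitted by the policy below */
#define TYPE_MODIFY 16u   /* denied by the policy below */

static int query_only_policy(uint16_t type)
{
    return type == TYPE_QUERY;
}

/* Append a message of `type` with `payload_len` zero bytes at buf[off];
 * returns the next write offset (padded to the alignment). */
static size_t nlmsg_put(uint8_t *buf, size_t off, uint16_t type, uint32_t payload_len)
{
    struct nlmsghdr nlh = { 0 };
    nlh.nlmsg_len = (uint32_t)(sizeof nlh + payload_len);
    nlh.nlmsg_type = type;
    memcpy(buf + off, &nlh, sizeof nlh);
    memset(buf + off + sizeof nlh, 0, NLMSG_ALIGN(nlh.nlmsg_len) - sizeof nlh);
    return off + NLMSG_ALIGN(nlh.nlmsg_len);
}

static uint8_t sample[64];

/* A query followed by a modify request in one buffer, like two netlink
 * messages batched into a single sk_buff. Returns the buffer length. */
size_t build_query_then_modify(void)
{
    size_t off = nlmsg_put(sample, 0, TYPE_QUERY, 3);   /* 19 bytes, padded to 20 */
    return nlmsg_put(sample, off, TYPE_MODIFY, 0);      /* 16 bytes */
}

int main(void)
{
    size_t len = build_query_then_modify();
    printf("first only: %d\n", netlink_check_first_only(sample, len, query_only_policy));
    printf("all: %d\n", netlink_check_all(sample, len, query_only_policy));
    printf("truncated: %d\n", netlink_check_all(sample, len - 4, query_only_policy));
    return 0;
}
```

Stepping by NLMSG_ALIGN(nlmsg_len) rather than nlmsg_len matters: a message whose payload is not a multiple of four is followed by padding, and a walker that ignores it would read the next header from the wrong offset.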

Harrison Lingren

commit sha 6cf293945a89fec249d9d989b4af806792143e44

Merge branch 'android-msm-wahoo-4.4-qt-security-next' into android-msm-wahoo-4.4-qt AUG 2020.1 Bug: 157953689 Change-Id: I97bbccefc3f70a5bf19a48cffe99e74b2ff53e79 Signed-off-by: Harrison Lingren <hlingren@google.com>


SecurityBot AutoMerger

commit sha 95b165e154ca79415a1ab0651c35ba8bf780ac99

Merge android-msm-wahoo-4.4-qt into android-msm-wahoo-4.4-qt-qpr1 SBMerger: 284775313 Change-Id: I6208ae8e472242b5b61cd33d5c484be5815100e4 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>


SecurityBot AutoMerger

commit sha 3f41b8161e1df807e88bb43f88f239175f647976

Merge android-msm-wahoo-4.4-qt-qpr1 into android-msm-wahoo-4.4-qt-qpr2 SBMerger: 284775313 Change-Id: I5aeebe35f85de9b943a02dc83bb41cf68447afa5 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>


SecurityBot AutoMerger

commit sha 4fecde07e68d06a964647476fb1e7940719d44a0

Merge android-msm-wahoo-4.4-qt-qpr2 into android-msm-wahoo-4.4-qt-qpr3 SBMerger: 284775313 Change-Id: I3b644a8f6cf2c3344af7c512dc469da26c41dac3 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>


push time in a day
