Add files via upload

Author: ZenNoe

patches/3.4/CVE-2016-10289.patch

@@ -0,0 +1,83 @@
+From 413bcc259f0cf49b838dec8a6fdcaf7b9bfd663a Mon Sep 17 00:00:00 2001
+From: Zhen Kong <[email protected]>
+Date: Tue, 31 Jan 2017 12:07:10 -0800
+Subject: [PATCH] crypto: msm: check length before copying to buf in
+ _debug_stats_read
+
+Make sure that `len` is not larger than `count` before copying data
+to userspace `buf` in _debug_stats_read().
+
+Change-Id: Ibea429889629916424f0e0a6e07c475f13de32c3
+Signed-off-by: Zhen Kong <[email protected]>
+---
+ drivers/crypto/msm/ota_crypto.c | 8 ++++----
+ drivers/crypto/msm/qcedev.c     | 4 ++--
+ drivers/crypto/msm/qcrypto.c    | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/crypto/msm/ota_crypto.c b/drivers/crypto/msm/ota_crypto.c
+index 6ecf5b2b4cce..3f73c0b594d2 100644
+--- a/drivers/crypto/msm/ota_crypto.c
++++ b/drivers/crypto/msm/ota_crypto.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -743,9 +743,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf,
+ 	int rc = -EINVAL;
+ 	int len;
+ 
+-	len = _disp_stats();
+-
+-	rc = simple_read_from_buffer((void __user *) buf, len,
++	len = _disp_stats(qcota);
++	if (len <= count)
++		rc = simple_read_from_buffer((void __user *) buf, len,
+ 			ppos, (void *) _debug_read_buf, len);
+ 
+ 	return rc;
+diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
+index 2c3eae74e2e8..e9dddaa377ea 100644
+--- a/drivers/crypto/msm/qcedev.c
++++ b/drivers/crypto/msm/qcedev.c
+@@ -2236,9 +2236,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf,
+ 
+ 	len = _disp_stats(qcedev);
+ 
+-	rc = simple_read_from_buffer((void __user *) buf, len,
++	if (len <= count)
++		rc = simple_read_from_buffer((void __user *) buf, len,
+ 			ppos, (void *) _debug_read_buf, len);
+-
+ 	return rc;
+ }
+ 
+diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c
+index eb4cb3a8a775..1bb06ea15cae 100644
+--- a/drivers/crypto/msm/qcrypto.c
++++ b/drivers/crypto/msm/qcrypto.c
+@@ -1,6 +1,6 @@
+ /* Qualcomm Crypto driver
+  *
+- * Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -4771,9 +4771,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf,
+ 
+ 	len = _disp_stats(qcrypto);
+ 
+-	rc = simple_read_from_buffer((void __user *) buf, len,
++	if (len <= count)
++		rc = simple_read_from_buffer((void __user *) buf, len,
+ 			ppos, (void *) _debug_read_buf, len);
+-
+ 	return rc;
+ }
+ 
+-- 
+2.13.3
+

patches/3.4/CVE-2016-3934.patch

@@ -0,0 +1,72 @@
+From a131535aa0918d334ed09c151cd6dc868f8f876c Mon Sep 17 00:00:00 2001
+From: Vasko Kalanoski <[email protected]>
+Date: Tue, 3 Feb 2015 13:17:44 +0200
+Subject: [PATCH] msm: camera: restructure data handling to be more robust
+
+add dynamic array allocation instead of static to prevent
+stack overflow.
+
+Change-Id: I01d225a4bc1c74606475adc5eb8eb76048c24eb7
+Signed-off-by: Vasko Kalanoski <[email protected]>
+---
+ .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c   | 23 +++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+index 1f9f5ad3ab28..7819532cc644 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+@@ -148,17 +148,29 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
+ 	int32_t rc = -EFAULT;
+ 	uint8_t i = 0;
+ 	struct msm_camera_cci_ctrl cci_ctrl;
+-	struct msm_camera_i2c_reg_array reg_conf_tbl[num_byte];
++	struct msm_camera_i2c_reg_array *reg_conf_tbl = NULL;
+ 
+ 	if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
+ 		&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
+ 		|| num_byte == 0)
+ 		return rc;
+ 
++	if (num_byte > I2C_SEQ_REG_DATA_MAX) {
++		pr_err("%s: num_byte=%d clamped to max supported %d\n",
++			__func__, num_byte, I2C_SEQ_REG_DATA_MAX);
++		return rc;
++	}
++
+ 	S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
+-			  __func__, addr, num_byte);
+-	memset(reg_conf_tbl, 0,
+-		num_byte * sizeof(struct msm_camera_i2c_reg_array));
++		__func__, addr, num_byte);
++
++	reg_conf_tbl = kzalloc(num_byte *
++		(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);
++	if (!reg_conf_tbl) {
++		pr_err("%s:%d no memory\n", __func__, __LINE__);
++		return -ENOMEM;
++	}
++
+ #if defined(CONFIG_MACH_MSM8226_E7WIFI) || defined(CONFIG_MACH_MSM8226_E8WIFI)
+ 	for (i = 0; i < num_byte; i++) {
+ 		reg_conf_tbl[i].reg_addr = addr+i;
+@@ -172,7 +184,6 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
+ 		reg_conf_tbl[i].delay = 0;
+ 	}
+ #endif
+-	cci_ctrl.cmd = MSM_CCI_I2C_WRITE_SEQ;
+ 	cci_ctrl.cci_info = client->cci_client;
+ 	cci_ctrl.cfg.cci_i2c_write_cfg.reg_setting = reg_conf_tbl;
+ 	cci_ctrl.cfg.cci_i2c_write_cfg.data_type = MSM_CAMERA_I2C_BYTE_DATA;
+@@ -182,6 +193,8 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
+ 			core, ioctl, VIDIOC_MSM_CCI_CFG, &cci_ctrl);
+ 	CDBG("%s line %d rc = %d\n", __func__, __LINE__, rc);
+ 	rc = cci_ctrl.status;
++	kfree(reg_conf_tbl);
++	reg_conf_tbl = NULL;
+ 	return rc;
+ }
+ 
+-- 
+2.13.3
+