Merge pull request #4 from Zennoe/master

Add 3.4 kernel folder with patches

Author: raymanfx

patches/3.4/CVE-2015-8943.patch

@@ -0,0 +1,59 @@
+From 8ee577ed10d44d5f05e11bb60d9b0d8679bcb614 Mon Sep 17 00:00:00 2001
+From: Jayant Shekhar <[email protected]>
+Date: Tue, 20 Jan 2015 16:12:43 +0530
+Subject: [PATCH] msm: mdss: Unmap only when buffer was mapped
+
+Currently buffer is unmapped if iommu is attached.
+This can lead to potential unmap issues if wrong
+addresses are sent and are tried to unmap without
+mapping. Hence ensure unmap is done only when
+buffer is mapped.
+
+Change-Id: I6d7f1eb1e951cd314a4c3c35551c87930af5118e
+Signed-off-by: Jayant Shekhar <[email protected]>
+---
+ drivers/video/msm/mdss/mdss_mdp.h      | 1 +
+ drivers/video/msm/mdss/mdss_mdp_util.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/msm/mdss/mdss_mdp.h b/drivers/video/msm/mdss/mdss_mdp.h
+index 00b0cebc04b..6c65a1e62b0 100644
+--- a/drivers/video/msm/mdss/mdss_mdp.h
++++ b/drivers/video/msm/mdss/mdss_mdp.h
+@@ -300,6 +300,7 @@ struct mdss_mdp_img_data {
+ 	u32 len;
+ 	u32 flags;
+ 	int p_need;
++	bool mapped;
+ 	struct file *srcp_file;
+ 	struct ion_handle *srcp_ihdl;
+ };
+diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
+index 0b1a154a225..d25b1b65cc4 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_util.c
++++ b/drivers/video/msm/mdss/mdss_mdp_util.c
+@@ -522,7 +522,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
+ 			pr_err("invalid ion client\n");
+ 			return -ENOMEM;
+ 		} else {
+-			if (is_mdss_iommu_attached()) {
++			if (data->mapped) {
+ 				int domain;
+ 				if (data->flags & MDP_SECURE_OVERLAY_SESSION)
+ 					domain = MDSS_IOMMU_DOMAIN_SECURE;
+@@ -535,6 +535,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
+ 					msm_ion_unsecure_buffer(iclient,
+ 							data->srcp_ihdl);
+ 				}
++				data->mapped = false;
+ 			}
+ 			ion_free(iclient, data->srcp_ihdl);
+ 			data->srcp_ihdl = NULL;
+@@ -613,6 +614,7 @@ int mdss_mdp_get_img(struct msmfb_data *img, struct mdss_mdp_img_data *data)
+ 			if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))
+ 				msm_ion_unsecure_buffer(iclient,
+ 						data->srcp_ihdl);
++			data->mapped = true;
+ 		} else {
+ 			ret = ion_phys(iclient, data->srcp_ihdl, start,
+ 				       (size_t *) len);

patches/3.4/CVE-2015-8944.patch

@@ -0,0 +1,30 @@
+From 465a6856bafc2f627753596c60894b0ec40310f2 Mon Sep 17 00:00:00 2001
+From: Biswajit Paul <[email protected]>
+Date: Mon, 9 Feb 2015 15:21:12 -0800
+Subject: [PATCH] kernel: Restrict permissions of /proc/iomem.
+
+The permissions of /proc/iomem currently are -r--r--r--. Everyone can
+see its content. As iomem contains information about the physical memory
+content of the device, restrict the information only to root.
+
+Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
+CRs-Fixed: 786116
+Signed-off-by: Biswajit Paul <[email protected]>
+Signed-off-by: Avijit Kanti Das <[email protected]>
+---
+ kernel/resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/resource.c b/kernel/resource.c
+index 7203c06273a..e9ba0770ec3 100644
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -142,7 +142,7 @@ static const struct file_operations proc_iomem_operations = {
+ static int __init ioresources_init(void)
+ {
+ 	proc_create("ioports", 0, NULL, &proc_ioports_operations);
+-	proc_create("iomem", 0, NULL, &proc_iomem_operations);
++	proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
+ 	return 0;
+ }
+ __initcall(ioresources_init);

patches/3.4/CVE-2015-8955.patch

@@ -0,0 +1,113 @@
+From 0bbcfb08a2e3a6d5fe83c1e58fca23d01fd88a21 Mon Sep 17 00:00:00 2001
+From: "Suzuki K. Poulose" <[email protected]>
+Date: Tue, 17 Mar 2015 18:14:58 +0000
+Subject: [PATCH] ARM: perf: reject groups spanning multiple hardware PMUs
+
+The perf core implicitly rejects events spanning multiple HW PMUs, as in
+these cases the event->ctx will differ. However this validation is
+performed after pmu::event_init() is called in perf_init_event(), and
+thus pmu::event_init() may be called with a group leader from a
+different HW PMU.
+
+The ARM PMU driver does not take this fact into account, and when
+validating groups assumes that it can call to_arm_pmu(event->pmu) for
+any HW event. When the event in question is from another HW PMU this is
+wrong, and results in dereferencing garbage.
+
+This patch updates the ARM PMU driver to first test for and reject
+events from other PMUs, moving the to_arm_pmu and related logic after
+this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
+a CCI PMU present:
+
+ ---
+CPU: 0 PID: 1527 Comm: perf_fuzzer Not tainted 4.0.0-rc2 #57
+Hardware name: ARM-Versatile Express
+task: bd8484c0 ti: be676000 task.ti: be676000
+PC is at 0xbf1bbc90
+LR is at validate_event+0x34/0x5c
+pc : [<bf1bbc90>]    lr : [<80016060>]    psr: 00000013
+...
+[<80016060>] (validate_event) from [<80016198>] (validate_group+0x28/0x90)
+[<80016198>] (validate_group) from [<80016398>] (armpmu_event_init+0x150/0x218)
+[<80016398>] (armpmu_event_init) from [<800882e4>] (perf_try_init_event+0x30/0x48)
+[<800882e4>] (perf_try_init_event) from [<8008f544>] (perf_init_event+0x5c/0xf4)
+[<8008f544>] (perf_init_event) from [<8008f8a8>] (perf_event_alloc+0x2cc/0x35c)
+[<8008f8a8>] (perf_event_alloc) from [<8009015c>] (SyS_perf_event_open+0x498/0xa70)
+[<8009015c>] (SyS_perf_event_open) from [<8000e420>] (ret_fast_syscall+0x0/0x34)
+Code: bf1be000 bf1bb380 802a2664 00000000 (00000002)
+---[ end trace 01aff0ff00926a0a ]---
+
+Also cleans up the code to use the arm_pmu only when we know that
+we are dealing with an arm pmu event.
+
+Change-Id: I890a2a685d1ecd462287f19907c3de8bedee2c70
+Cc: Will Deacon <[email protected]>
+Acked-by: Mark Rutland <[email protected]>
+Acked-by: Peter Ziljstra (Intel) <[email protected]>
+Signed-off-by: Suzuki K. Poulose <[email protected]>
+Signed-off-by: Will Deacon <[email protected]>
+---
+ arch/arm/kernel/perf_event.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
+index 5989418ca04..15d45df3fd3 100644
+--- a/arch/arm/kernel/perf_event.c
++++ b/arch/arm/kernel/perf_event.c
+@@ -343,19 +343,31 @@ out:
+ }
+ 
+ static int
+-validate_event(struct pmu_hw_events *hw_events,
++validate_event(struct pmu *pmu, struct pmu_hw_events *hw_events,
+ 	       struct perf_event *event)
+ {
+-	struct arm_pmu *armpmu = to_arm_pmu(event->pmu);
++	struct arm_pmu *armpmu;
+ 	struct hw_perf_event fake_event = event->hw;
+ 	struct pmu *leader_pmu = event->group_leader->pmu;
+ 
+ 	if (is_software_event(event))
+ 		return 1;
+ 
+-	if (event->pmu != leader_pmu || event->state <= PERF_EVENT_STATE_OFF)
++	/*
++	 * Reject groups spanning multiple HW PMUs (e.g. CPU + CCI). The
++	 * core perf code won't check that the pmu->ctx == leader->ctx
++	 * until after pmu->event_init(event).
++	 */
++	if (event->pmu != pmu)
++		return 0;
++
++	if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
++		return 1;
++
++	if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec)
+ 		return 1;
+ 
++	armpmu = to_arm_pmu(event->pmu);
+ 	return armpmu->get_event_idx(hw_events, &fake_event) >= 0;
+ }
+ 
+@@ -373,15 +385,15 @@ validate_group(struct perf_event *event)
+ 	memset(fake_used_mask, 0, sizeof(fake_used_mask));
+ 	fake_pmu.used_mask = fake_used_mask;
+ 
+-	if (!validate_event(&fake_pmu, leader))
++	if (!validate_event(event->pmu, &fake_pmu, leader))
+ 		return -EINVAL;
+ 
+ 	list_for_each_entry(sibling, &leader->sibling_list, group_entry) {
+-		if (!validate_event(&fake_pmu, sibling))
++		if (!validate_event(event->pmu, &fake_pmu, sibling))
+ 			return -EINVAL;
+ 	}
+ 
+-	if (!validate_event(&fake_pmu, event))
++	if (!validate_event(event->pmu, &fake_pmu, event))
+ 		return -EINVAL;
+ 
+ 	return 0;
+-- 
+2.13.3
+

patches/3.4/CVE-2016-0774.patch

@@ -0,0 +1,60 @@
+From f6447b2c1c4846d61c8d5cbc9d9586f2408880e4 Mon Sep 17 00:00:00 2001
+From: Jeff Vander Stoep <[email protected]>
+Date: Wed, 23 Mar 2016 15:32:14 -0700
+Subject: [PATCH] pipe: iovec: Fix OOB read in pipe_read()
+
+Previous upstream *stable* fix 14f81062 was incomplete.
+
+A local process can trigger a system crash with an OOB read on buf.
+This occurs when the state of buf gets out of sync. After an error in
+pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset
+but not buf->len. Upon retrying pipe_read() while in
+pipe_iov_copy_to_user() *remaining will be larger than the space left
+after buf->offset e.g. *remaing = PAGE_SIZE, buf->len = PAGE_SIZE,
+buf->offset = 0x300.
+
+This is fixed by not updating the state of buf->offset until after the
+full copy is completed, similar to how pipe_write() is implemented.
+
+For stable kernels < 3.16.
+
+Bug: 27721803
+Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
+Signed-off-by: Jeff Vander Stoep <[email protected]>
+---
+ fs/pipe.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index edd1c636bf1..c1ddb284357 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -395,7 +395,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			const struct pipe_buf_operations *ops = buf->ops;
+ 			void *addr;
+ 			size_t chars = buf->len, remaining;
+-			int error, atomic;
++			int error, atomic, offset;
+ 
+ 			if (chars > total_len)
+ 				chars = total_len;
+@@ -409,9 +409,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
+ 			remaining = chars;
++			offset = buf->offset;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++			error = pipe_iov_copy_to_user(iov, addr, &offset,
+ 						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
+@@ -427,6 +428,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 				break;
+ 			}
+ 			ret += chars;
++			buf->offset += chars;
+ 			buf->len -= chars;
+ 
+ 			/* Was it a packet buffer? Clean up and exit */

patches/3.4/CVE-2016-0805.patch

@@ -0,0 +1,55 @@
+From 1e7cf1e770aa8693452bb6c7dda7f43bfc026bf7 Mon Sep 17 00:00:00 2001
+From: Swetha Chikkaboraiah <[email protected]>
+Date: Wed, 27 Jan 2016 11:46:54 +0530
+Subject: [PATCH] msm: perf: Protect buffer overflow due to malicious user
+
+In function krait_pmu_disable_event, parameter hwc comes from
+userspace and is untrusted.The function krait_clearpmu is called
+after the function get_krait_evtinfo.
+Function get_krait_evtinfo as parameter krait_evt_type variable
+which is used to extract the groupcode(reg) which is bound to
+KRAIT_MAX_L1_REG (is 3). After validation,one code path modifies
+groupcode(reg):If this code path executes, groupcode(reg) can be
+3,4, 5, or 6. In krait_clearpmu groupcode used to access array
+krait_functions whose size is 3. Since groupcode can be 3,4,5,6
+accessing array krait_functions lead to bufferoverlflow.
+This change will validate groupcode not to exceed 3 .
+
+Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
+CRs-fixed: 962450
+Signed-off-by: Swetha Chikkaboraiah <[email protected]>
+---
+ arch/arm/kernel/perf_event_msm_krait.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/kernel/perf_event_msm_krait.c b/arch/arm/kernel/perf_event_msm_krait.c
+index 1c338f79bab..3f09c4c0754 100644
+--- a/arch/arm/kernel/perf_event_msm_krait.c
++++ b/arch/arm/kernel/perf_event_msm_krait.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2011-2012, 2014 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2012, 2014,2016 The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -219,9 +219,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
+ 	code = (krait_evt_type & 0x00FF0) >> 4;
+ 	group = krait_evt_type & 0x0000F;
+ 
+-	if ((group > 3) || (reg > krait_max_l1_reg))
+-		return -EINVAL;
+-
+ 	if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX)
+ 		return -EINVAL;
+ 
+@@ -232,6 +229,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
+ 			reg += VENUM_BASE_OFFSET;
+ 	}
+ 
++	if ((group > 3) || (reg > krait_max_l1_reg))
++		return -EINVAL;
++
+ 	evtinfo->group_setval = 0x80000000 | (code << (group * 8));
+ 	evtinfo->groupcode = reg;
+ 	evtinfo->armv7_evt_type = evt_type_base[evt_index][reg] | group;