authorTao Huang <huangtao@rock-chips.com>2019-06-07 12:26:20 +0800
committerTao Huang <huangtao@rock-chips.com>2019-06-10 09:16:03 +0800
commit91ad3ad86f550fa8af6d00763c784935c5e5efdd (patch)
tree0c81b623f842369b350a45892923cf65ead14fee /security
parent2cd57789550b9867c8ce9711446863c64dd2b869 (diff)
parent152bacdd85c46f0c76b00c4acc253e414513634c (diff)
Merge branch 'android-4.4' of https://android.googlesource.com/kernel/common
* android-4.4: (3220 commits) ANDROID: Communicates LMK events to userland where they can be logged Linux 4.4.179 kernel/sysctl.c: fix out-of-bounds access when setting file-max Revert "locking/lockdep: Add debug_locks check in __lock_downgrade()" ALSA: info: Fix racy addition/deletion of nodes mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n device_cgroup: fix RCU imbalance in error case sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup Revert "kbuild: use -Oz instead of -Os when using clang" mac80211: do not call driver wake_tx_queue op during reconfig kprobes: Fix error check when reusing optimized probes kprobes: Mark ftrace mcount handler functions nokprobe x86/kprobes: Verify stack frame on kretprobe arm64: futex: Restore oldval initialization to work around buggy compilers crypto: x86/poly1305 - fix overflow during partial reduction ALSA: core: Fix card races between register and disconnect staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf staging: comedi: ni_usb6501: Fix use of uninitialized mutex staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf staging: comedi: vmk80xx: Fix use of uninitialized semaphore ... 
Conflicts: Documentation/arm64/silicon-errata.txt Documentation/kernel-parameters.txt Makefile arch/arm/Kconfig arch/arm/configs/ranchu_defconfig arch/arm64/Kconfig arch/arm64/Makefile arch/arm64/configs/cuttlefish_defconfig arch/arm64/configs/ranchu64_defconfig arch/arm64/include/asm/cacheflush.h arch/arm64/include/asm/cpufeature.h arch/arm64/include/asm/cputype.h arch/arm64/include/asm/hardirq.h arch/arm64/include/asm/kvm_host.h arch/arm64/include/asm/module.h arch/arm64/include/asm/pgtable.h arch/arm64/include/asm/smp.h arch/arm64/include/asm/spinlock.h arch/arm64/include/asm/suspend.h arch/arm64/include/asm/sysreg.h arch/arm64/kernel/Makefile arch/arm64/kernel/arm64ksyms.c arch/arm64/kernel/asm-offsets.c arch/arm64/kernel/cpufeature.c arch/arm64/kernel/efi-entry.S arch/arm64/kernel/efi.c arch/arm64/kernel/entry.S arch/arm64/kernel/head.S arch/arm64/kernel/image.h arch/arm64/kernel/module-plts.c arch/arm64/kernel/module.c arch/arm64/kernel/module.lds arch/arm64/kernel/process.c arch/arm64/kernel/stacktrace.c arch/arm64/kernel/suspend.c arch/arm64/kernel/traps.c arch/arm64/kernel/vmlinux.lds.S arch/arm64/kvm/hyp.S arch/arm64/kvm/hyp/fpsimd.S arch/arm64/mm/dma-mapping.c arch/arm64/mm/fault.c arch/arm64/mm/hugetlbpage.c arch/arm64/mm/init.c arch/arm64/mm/mmu.c arch/arm64/mm/pageattr.c arch/arm64/mm/proc.S arch/x86/configs/i386_ranchu_defconfig arch/x86/configs/x86_64_cuttlefish_defconfig arch/x86/configs/x86_64_ranchu_defconfig arch/x86/entry/vdso/Makefile arch/x86/include/asm/thread_info.h arch/x86/include/asm/uaccess.h arch/x86/include/asm/uaccess_32.h arch/x86/include/asm/uaccess_64.h build.config.cuttlefish.aarch64 build.config.cuttlefish.x86_64 drivers/Kconfig drivers/Makefile drivers/android/Kconfig drivers/android/binder.c drivers/block/loop.c drivers/cpufreq/cpufreq-dt.c drivers/cpufreq/cpufreq_interactive.c drivers/firmware/Kconfig drivers/firmware/efi/libstub/Makefile drivers/firmware/efi/libstub/arm64-stub.c drivers/firmware/psci.c 
drivers/gpu/drm/rockchip/rockchip_drm_drv.c drivers/hwtracing/coresight/coresight-etm4x.c drivers/hwtracing/coresight/coresight-funnel.c drivers/hwtracing/coresight/coresight-tmc.c drivers/hwtracing/coresight/coresight-tpiu.c drivers/hwtracing/stm/Kconfig drivers/hwtracing/stm/core.c drivers/irqchip/Kconfig drivers/md/Kconfig drivers/misc/Kconfig drivers/misc/Makefile drivers/misc/uid_sys_stats.c drivers/mmc/core/mmc.c drivers/net/ethernet/realtek/r8169.c drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c drivers/net/wireless/virt_wifi.c drivers/platform/goldfish/goldfish_pipe_v2.c drivers/staging/android/fiq_debugger/Kconfig drivers/switch/Kconfig drivers/switch/Makefile drivers/switch/switch_class.c drivers/tee/optee/rpc.c drivers/tee/optee/shm_pool.h drivers/usb/dwc3/gadget.c drivers/usb/gadget/function/f_audio_source.c drivers/usb/gadget/function/f_mtp.c drivers/usb/gadget/function/u_ether.c drivers/usb/host/xhci-ring.c fs/exec.c fs/pnode.c include/linux/cpufreq.h include/linux/dcache.h include/linux/memblock.h include/linux/power/bq25700-charge.h include/linux/uid_stat.h include/net/activity_stats.h include/uapi/linux/android/binder.h kernel/events/ring_buffer.c kernel/sched/fair.c kernel/time/timer.c mm/memblock.c mm/slab.c net/ipv4/tcp_ipv4.c net/socket.c scripts/dtc/checks.c scripts/dtc/dtc-lexer.lex.c_shipped scripts/dtc/dtc-parser.tab.c_shipped scripts/dtc/dtc.c scripts/dtc/dtc.h scripts/dtc/dtx_diff scripts/dtc/libfdt/fdt_wip.c scripts/dtc/libfdt/libfdt.h scripts/dtc/livetree.c scripts/dtc/srcpos.h scripts/dtc/util.h scripts/dtc/version_gen.h scripts/sortextable.c Change-Id: Ic327e4bbeb99e98724bb626fa9df2d31b0abc003
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c2
-rw-r--r--security/keys/key.c4
-rw-r--r--security/keys/keyring.c4
-rw-r--r--security/keys/proc.c11
-rw-r--r--security/keys/request_key.c1
-rw-r--r--security/keys/request_key_auth.c2
-rw-r--r--security/lsm_audit.c10
-rw-r--r--security/security.c7
-rw-r--r--security/selinux/ss/policydb.c3
-rw-r--r--security/smack/smack_lsm.c12
-rw-r--r--security/tomoyo/domain.c3
-rw-r--r--security/yama/yama_lsm.c4
12 files changed, 38 insertions, 25 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 03c1652c9a1f..db3bdc91c520 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
devcg->behavior == DEVCG_DEFAULT_ALLOW) {
rc = dev_exception_add(devcg, ex);
if (rc)
- break;
+ return rc;
} else {
/*
* in the other possible cases:
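Review bot: The new `return rc;` in propagate_exception carries no comment saying why it must not be a `break`, and the reason is not visible at this line. Going by the upstream subject quoted in the merge log ("device_cgroup: fix RCU imbalance in error case"), the RCU read lock is presumably dropped around dev_exception_add() and released again after the loop, so leaving through `break` would unlock twice. I would add `/* RCU read lock is not held here: return directly, do not break to the unlock after the loop */` above the `if (rc)`. The loop and its lock/unlock calls are outside the hunk, so confirm this against the full function.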
diff --git a/security/keys/key.c b/security/keys/key.c
index 4d971bf88ac3..03160f1f1aa2 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -260,8 +260,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
spin_lock(&user->lock);
if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
- if (user->qnkeys + 1 >= maxkeys ||
- user->qnbytes + quotalen >= maxbytes ||
+ if (user->qnkeys + 1 > maxkeys ||
+ user->qnbytes + quotalen > maxbytes ||
user->qnbytes + quotalen < user->qnbytes)
goto no_quota;
}
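Review bot: The switch from `>=` to `>` in key_alloc makes both quota limits inclusive, but nothing at the check says so. A one-line comment such as `/* limits are inclusive: exactly maxkeys keys / maxbytes bytes is allowed */` above the `if` would keep the comparison from being "corrected" back later. The third clause guards only the byte counter against wrap-around; whether `user->qnkeys + 1` can wrap depends on field types declared outside this hunk, so that should be confirmed rather than assumed.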
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d5264f950ce1..737e60b3d4bd 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -628,9 +628,6 @@ static bool search_nested_keyrings(struct key *keyring,
BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
(ctx->flags & STATE_CHECKS) == STATE_CHECKS);
- if (ctx->index_key.description)
- ctx->index_key.desc_len = strlen(ctx->index_key.description);
-
/* Check to see if this top-level keyring is what we are looking for
* and whether it is valid or not.
*/
@@ -888,6 +885,7 @@ key_ref_t keyring_search(key_ref_t keyring,
struct keyring_search_context ctx = {
.index_key.type = type,
.index_key.description = description,
+ .index_key.desc_len = strlen(description),
.cred = current_cred(),
.match_data.cmp = key_default_cmp,
.match_data.raw_data = description,
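Review bot: `.index_key.desc_len = strlen(description)` in keyring_search dereferences `description` unconditionally, whereas the code this commit removes from search_nested_keyrings only called strlen() under `if (ctx->index_key.description)`. If any caller can still pass a NULL description, this becomes a NULL dereference in the initializer; the same line is added to request_key_and_link in security/keys/request_key.c. Either document on both functions that `description` must be non-NULL, or keep the guard with `.index_key.desc_len = description ? strlen(description) : 0,`. The callers are not part of this diff, so whether NULL is reachable is not confirmed here.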
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 036128682463..f2c7e090a66d 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -186,9 +186,8 @@ static int proc_keys_show(struct seq_file *m, void *v)
int rc;
struct keyring_search_context ctx = {
- .index_key.type = key->type,
- .index_key.description = key->description,
- .cred = current_cred(),
+ .index_key = key->index_key,
+ .cred = m->file->f_cred,
.match_data.cmp = lookup_user_key_possessed,
.match_data.raw_data = key,
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
@@ -208,11 +207,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
}
}
- /* check whether the current task is allowed to view the key (assuming
- * non-possession)
- * - the caller holds a spinlock, and thus the RCU read lock, making our
- * access to __current_cred() safe
- */
+ /* check whether the current task is allowed to view the key */
rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
if (rc < 0)
return 0;
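Review bot: The rewritten comment says the check is for "the current task", but the first hunk of this file changes `ctx.cred` from `current_cred()` to `m->file->f_cred`, so key_task_permission() now judges the credentials of whoever opened the file. I would word it `/* check whether the opener of the file is allowed to view the key */` so the comment matches the credential actually passed. The rest of proc_keys_show is outside the hunk.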
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 3ae3acf473c8..88172c163953 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -544,6 +544,7 @@ struct key *request_key_and_link(struct key_type *type,
struct keyring_search_context ctx = {
.index_key.type = type,
.index_key.description = description,
+ .index_key.desc_len = strlen(description),
.cred = current_cred(),
.match_data.cmp = key_default_cmp,
.match_data.raw_data = description,
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 217775fcd0f3..8882b729924d 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -254,7 +254,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
struct key *authkey;
key_ref_t authkey_ref;
- sprintf(description, "%x", target_id);
+ ctx.index_key.desc_len = sprintf(description, "%x", target_id);
authkey_ref = search_process_keyrings(&ctx);
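Review bot: `ctx.index_key.desc_len` is now taken from the return value of an unbounded `sprintf()`, so the length used for the keyring search is only correct as long as the formatted id fits in `description`. A bounded call that returns the stored length keeps the two tied together: `ctx.index_key.desc_len = scnprintf(description, sizeof(description), "%x", target_id);`. This assumes `description` is a local array; its declaration is above the hunk.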
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 45d927ab807d..d0b74c12d56d 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -308,6 +308,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
if (a->u.net->sk) {
struct sock *sk = a->u.net->sk;
struct unix_sock *u;
+ struct unix_address *addr;
int len = 0;
char *p = NULL;
@@ -338,14 +339,15 @@ static void dump_common_audit_data(struct audit_buffer *ab,
#endif
case AF_UNIX:
u = unix_sk(sk);
+ addr = smp_load_acquire(&u->addr);
+ if (!addr)
+ break;
if (u->path.dentry) {
audit_log_d_path(ab, " path=", &u->path);
break;
}
- if (!u->addr)
- break;
- len = u->addr->len-sizeof(short);
- p = &u->addr->name->sun_path[0];
+ len = addr->len-sizeof(short);
+ p = &addr->name->sun_path[0];
audit_log_format(ab, " path=");
if (*p)
audit_log_untrustedstring(ab, p);
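Review bot: The `smp_load_acquire(&u->addr)` added under `case AF_UNIX` has no comment naming the store it pairs with, and moving the NULL check above the `u->path.dentry` test changes behaviour: a socket whose `addr` is still NULL now logs no path even if `path.dentry` is set. If that ordering is intentional (presumably `addr` is published last, after `path`), say so with something like `/* acquire pairs with the release store that publishes u->addr; a non-NULL addr means u->path is stable */`. The publishing side is not part of this diff, so the pairing is inferred. dump_common_audit_data continues past the hunk.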
diff --git a/security/security.c b/security/security.c
index ae05ab153c5a..42c4cb0cb122 100644
--- a/security/security.c
+++ b/security/security.c
@@ -862,6 +862,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
void security_cred_free(struct cred *cred)
{
+ /*
+ * There is a failure case in prepare_creds() that
+ * may result in a call here with ->security being NULL.
+ */
+ if (unlikely(cred->security == NULL))
+ return;
+
call_void_hook(cred_free, cred);
}
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a31530825..965a55eacaba 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -726,7 +726,8 @@ static int sens_destroy(void *key, void *datum, void *p)
kfree(key);
if (datum) {
levdatum = datum;
- ebitmap_destroy(&levdatum->level->cat);
+ if (levdatum->level)
+ ebitmap_destroy(&levdatum->level->cat);
kfree(levdatum->level);
}
kfree(datum);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c73361859d11..9db7c80a74aa 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4311,6 +4311,12 @@ static int smack_key_permission(key_ref_t key_ref,
int request = 0;
int rc;
+ /*
+ * Validate requested permissions
+ */
+ if (perm & ~KEY_NEED_ALL)
+ return -EINVAL;
+
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
return -EINVAL;
@@ -4330,10 +4336,10 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description;
#endif
- if (perm & KEY_NEED_READ)
- request = MAY_READ;
+ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
+ request |= MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
- request = MAY_WRITE;
+ request |= MAY_WRITE;
rc = smk_access(tkp, keyp->security, request, &ad);
rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
return rc;
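Review bot: `request` stays 0 when `perm` is 0, because the mask check added in the first hunk of this file (`perm & ~KEY_NEED_ALL`) accepts an empty mask and none of the `|=` branches fire. smk_access() is then called with an empty request, and what it returns for that is not visible here. If an empty permission set is a legitimate "no specific access" call, a comment above the mask check saying so would settle it; if it is not, `if (!perm || (perm & ~KEY_NEED_ALL)) return -EINVAL;` rejects it up front. The start of smack_key_permission is outside the hunk.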
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 38651454ed08..6f388e77999c 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -874,7 +874,8 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
}
/* Same with get_arg_page(bprm, pos, 0) in fs/exec.c */
#ifdef CONFIG_MMU
- if (get_user_pages(current, bprm->mm, pos, 1, 0, 1, &page, NULL) <= 0)
+ if (get_user_pages(current, bprm->mm, pos, 1,
+ FOLL_FORCE, &page, NULL) <= 0)
return false;
#else
page = bprm->page[pos / PAGE_SIZE];
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index cb6ed10816d4..0a8808954bd8 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -288,7 +288,9 @@ static int yama_ptrace_access_check(struct task_struct *child,
break;
case YAMA_SCOPE_RELATIONAL:
rcu_read_lock();
- if (!task_is_descendant(current, child) &&
+ if (!pid_alive(child))
+ rc = -EPERM;
+ if (!rc && !task_is_descendant(current, child) &&
!ptracer_exception_found(current, child) &&
!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
rc = -EPERM;
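Review bot: The two back-to-back `if` statements under `YAMA_SCOPE_RELATIONAL` both end in `rc = -EPERM`, and the second re-tests `!rc` only to avoid running the descendant and credential checks on a dead task. Assuming `rc` is 0 on entry to this case, folding them reads more directly and keeps the short-circuit: `if (!pid_alive(child) || (!task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)))`. A short comment on why liveness must be tested first (presumably the later checks are not safe on an exited child) would also help. The switch statement extends beyond the hunk on both sides.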