Roman Kubiak [Fri, 13 May 2016 07:54:43 +0000 (16:54 +0900)]
netfilter: nfnetlink_queue: add security context information
This patch adds an additional attribute when sending
packet information via netlink in netfilter_queue module.
It will send additional security context data, so that
userspace applications can verify this context against
their own security databases.
Change-Id: I1f8e8bea84e05abfc78808f6fccc513aa5bb0a9f
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Casey Schaufler [Fri, 13 May 2016 07:47:26 +0000 (16:47 +0900)]
Smack: secmark connections
If the secmark is available use it on connection as
well as packet delivery.
Change-Id: I9015304ef62ab9a32c8e7740c5d70bd8842da7eb
Casey Schaufler [Fri, 13 May 2016 07:29:54 +0000 (16:29 +0900)]
Smack: secmark support for netfilter
Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.
As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.
The best part is that the netfilter tools use contexts that
are just strings, and they work just as well for Smack as they
do for SELinux.
All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[Jin-gyu Kim: Backported from mainline]
Signed-off-by: Jin-gyu Kim <jin-gyu.kim@samsung.com>
Change-Id: I0b30ccaaca61ebf52c4fb6e128863b156524c1b6
Zbigniew Jasinski [Fri, 13 May 2016 07:15:41 +0000 (16:15 +0900)]
Smack: limited capability for changing process label
This feature introduces new kernel interface:
- <smack_fs>/relabel-self - for setting transition labels list
This list is used to control smack label transition mechanism.
List is set by, and per process. Process can transit to new label only if
label is on the list. Only process with CAP_MAC_ADMIN capability can add
labels to this list. With this list, process can change its label without
CAP_MAC_ADMIN but only once. After label changing, list is unset.
Changes in v2:
* use list_for_each_entry instead of _rcu during label write
* added missing description in security/Smack.txt
Changes in v3:
* squashed into one commit
Changes in v4:
* switch from global list to per-task list
* since the per-task list is accessed only by the task itself
there is no need to use synchronization mechanisms on it
Changes in v5:
* change smackfs interface of relabel-self to the one used for onlycap
multiple labels are accepted, separated by space, which
replace the previous list upon write
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[Jin-gyu Kim: Backported from mainline]
Signed-off-by: Jin-gyu Kim <jin-gyu.kim@samsung.com>
Change-Id: I4d50ca43463fe38184aa56ae3f275508eb60365b
Sooyoung Ha [Wed, 20 Apr 2016 09:43:03 +0000 (18:43 +0900)]
packging: build headers package only for emulator
This package is for emulator. It could cause a build error or conflict
if we build this out of emulator repository. So we should build this
conditionally to prevent build failure.
Change-Id: Iefef5fa2365a045bc0e4eb473c0dd0b689454a40
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
SeokYeon Hwang [Wed, 20 Apr 2016 02:45:40 +0000 (11:45 +0900)]
Merge branch 'tizen_spin' into tizen
Change-Id: Ie017deba0436825f723144e1b65eebb4011e6fb5
SeokYeon Hwang [Wed, 20 Apr 2016 02:44:04 +0000 (11:44 +0900)]
Merge branch 'tizen' into tizen_spin
Jinhyung Jo [Tue, 8 Mar 2016 08:10:05 +0000 (17:10 +0900)]
package: update version (3.14.16)
Change-Id: I2ef10eafd3fb476b8574a3c4bdcc0a99729d4577
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
Jinhyung Jo [Thu, 3 Mar 2016 09:05:34 +0000 (18:05 +0900)]
maru-tablet: improve use of virtio queue
Reduce the buffer size & the scatterlist size.
The size of tablet event is not large.
In addition, the number of generated event is not much.
So only use actually written value.
And fix the incorrect use of the virtio queue.
Change-Id: I9cf1f2cad8cd9f9b6e0ef7783beec48df4c48748
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
Jinhyung Jo [Tue, 23 Feb 2016 08:16:16 +0000 (17:16 +0900)]
rotary: correct use of virtioqueue to fix bug
When using the rotary device, the segmentation fault occurs in the host.
Its cause is due to use the virtioqueue in the wrong way.
So correct with the host side.
Change-Id: Ib9143a6ccaa6dff2778ce5e71984b2e673e4912f
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
(cherry picked from commit deb6addb80d83ba75baaa32e2becd13266c3bb7c)
Jinhyung Jo [Tue, 23 Feb 2016 05:28:43 +0000 (14:28 +0900)]
maru_inputs: correct argument for virtioqueue
The fourth argument of the virtqueue_add_inbuf() is a 'data' token
handled to virtqueue_get_buf().
So change to clear targets instead of constant values typecasted.
Change-Id: Ibc3aef906568cff4e9a2b809d72c1eb0c15b73cf
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
(cherry picked from commit 8a5e857387d3e1106c22f239e7f898658c01dbc2)
Jinhyung Jo [Wed, 2 Mar 2016 09:20:59 +0000 (18:20 +0900)]
package: update version (3.14.15)
Change-Id: I11bbb01678a5f1ed6bcdf950510c087efe2e7f98
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
Roman Kubiak [Thu, 17 Dec 2015 12:24:35 +0000 (13:24 +0100)]
Smack: type confusion in smak sendmsg() handler
Smack security handler for sendmsg() syscall
is vulnerable to a type confusion issue that
can allow privilege escalation into root
or cause denial of service.
A malicious attacker can create socket of one
type for example AF_UNIX and pass it into
sendmsg() function ensuring that this is
AF_INET socket.
Remedy
Do not trust user supplied data.
Proposed fix below.
Change-Id: I6d8b3a3eb9560c0e6d6bfef59e56d6ec659e2d3d
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Mateusz Fruba <m.fruba@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[Backport from linux-next of v4.5-rc]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
(cherry picked from commit 1b2b4d7c1b75ba28133e76296f7ff2d5c7e51d07)
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Casey Schaufler [Mon, 7 Dec 2015 22:34:32 +0000 (14:34 -0800)]
Smack: File receive for sockets
The existing file receive hook checks for access on
the file inode even for UDS. This is not right, as
the inode is not used by Smack to make access checks
for sockets. This change checks for an appropriate
access relationship between the receiving (current)
process and the socket. If the process can't write
to the socket's send label or the socket's receive
label can't write to the process fail.
This will allow the legitimate cases, where the
socket sender and socket receiver can freely communicate.
Only strangely set socket labels should cause a problem.
Change-Id: Id37df53243264ac843f9c6693ba99aba9779f05e
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[backport to 3.10 from smack-next commit 79be093500791cc25cc31bcaec5a4db62e21497b]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
(cherry picked from commit 4306b30a4c4c787144fb7ff71ffe44799c9386dd)
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Roman Kubiak [Mon, 5 Oct 2015 10:27:16 +0000 (12:27 +0200)]
Smack: pipefs fix in smack_d_instantiate
This fix writes the task label when
smack_d_instantiate is called, before the
label of the superblock was written on the
pipe's inode.
Change-Id: I3d4fcf5b8e652d6f2abfe5ef0dfd96306f2c8219
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
(cherry picked from commit ad52be06a2cf0dc547008c811577d0a5a1b3053b)
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Łukasz Stelmach [Tue, 16 Dec 2014 15:53:08 +0000 (16:53 +0100)]
smack: introduce a special case for tmpfs in smack_d_instantiate()
Files created with __shmem_file_setup() appear to have somewhat fake
dentries which make them look like root directories and not get
the label the current process or ("*") star meant for tmpfs files.
Change-Id: Id97004f2a5090cee9c16778109d849d433bd39c9
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
(cherry picked from commit 7141e6be730e637255b1c75789ca67d309cbce95)
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Sooyoung Ha [Wed, 27 Jan 2016 08:06:59 +0000 (17:06 +0900)]
package: update version (3.14.14)
Change-Id: I15906d50e0248ea6a038573f64e3fc0c24064cff
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
sungmin ha [Thu, 21 Jan 2016 07:51:30 +0000 (16:51 +0900)]
camera: support PAT
PAT (Page Attribute Table) allows for different types of memory attributes.
We modified APIs about PAT from non-cached to write-combined.
Change-Id: Ifa15061098b58a3f305fe692ba244fec4e2604e6
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
(cherry picked from commit e13e3c5ae5c7b0e9d10152375fc0551023e0b763)
Vasiliy Ulyanov [Wed, 9 Dec 2015 14:00:38 +0000 (17:00 +0300)]
x86, pat: workaround to force PAT usage
When run under haxm certain CPU features appear inaccessible from guest
and at the moment there seems to be no proper way to set them up from the
host side. The patch allows to forcefully enable x86 Page Attribute
Table and therefore use different memory caching policies at the page
level granularity. PAT significantly improves performance when mmaped
device buffers are accessed.
WARNING: once a proper solution is figured out for haxm case the patch
should be reverted. Currently it is more like a hack to avoid terrible
performance on certain scenarios like decoding high resolution video
directly into the mmaped video buffer.
Change-Id: Ie810a29d61379e57ed10efc0697f9fc010f85f33
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
(cherry picked from commit 7aaf8838c358d7e745727e0281ae3acbd9e81afd)
Vasiliy Ulyanov [Wed, 9 Dec 2015 13:54:15 +0000 (16:54 +0300)]
VIGS: use write-combine caching for video memory
x86 PAT + write-combine should improve performance when
mmaped gems are directly accessed by CPU.
Change-Id: I4fcb41c207161f87a3f3d9ee60f773675c5f028d
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
(cherry picked from commit d89f3c6e059c6f51a5dd9945f2fb58b1fdff76c2)
ChulHo Song [Wed, 23 Sep 2015 08:50:54 +0000 (17:50 +0900)]
sensor: modify the proximity value appropriately
Change-Id: I84e0a5690eca420e221da35c1c7aac463504c0a3
Signed-off-by: ChulHo Song <ch81.song@samsung.com>
(cherry picked from commit 7aa00ee546292b2ee02d90493d8226c2a358f4f3)
Sooyoung Ha [Fri, 8 Jan 2016 07:36:33 +0000 (16:36 +0900)]
packging: build header package only for emulator
This package is for emulator. It could cause a build error or conflict
if we build this out of emulator repository. So we should build this
conditionally to prevent build failure.
Change-Id: Ie85564289c0c97774fb45685239e5f8bda7ca00f
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Sooyoung Ha [Thu, 24 Dec 2015 08:58:50 +0000 (17:58 +0900)]
packaging: modify spec file to build header package
Change-Id: I0ab956dc139cf7cff15804694778b247fdcdf012
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Jinhyung Jo [Mon, 23 Nov 2015 01:56:08 +0000 (10:56 +0900)]
package: update version (3.14.13)
Change-Id: Icf1d1cc73e2d596de546377249e947395d0867bb
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
jinhyung.jo [Fri, 4 Sep 2015 03:19:17 +0000 (12:19 +0900)]
VIGS: Correct the physical screen size
Use the correct value instead multiplied by 10.
Change-Id: I7f3145c6d7700f39b15b6890b7048044a9ef4c26
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
(cherry picked from commit 90b49e93c265b1d88e047f20705cc8f0f48a75fd)
Khem Raj [Fri, 22 May 2015 16:56:29 +0000 (09:56 -0700)]
Input: sentelic - use "static inline" instead of "inline"
gcc-5 defaults to gnu11 which used c99 inline semantics. In c99 'inline' is
not externally visible unlike gnu89, therefore we use 'static inline' which
has same semantics between gnu89 and c99.
Change-Id: I0ed40faba9f9148b220b125e1c9798c9313d0d72
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
jinhyung.jo [Fri, 6 Nov 2015 05:24:14 +0000 (14:24 +0900)]
package: version up(3.14.12)
version update to 3.14.12
Change-Id: Idbe2052c995d01617ba512c88aadd6c0da739a54
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
jinhyung.jo [Fri, 6 Nov 2015 05:16:54 +0000 (14:16 +0900)]
YaGL: Version bump
For the 64bit addressing.
Be sure synchronize with the QEMU & platform yagl packages.
Change-Id: I9ba3b5c58481999b47212eabb68221580226e690
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
SeokYeon Hwang [Wed, 21 Oct 2015 08:51:00 +0000 (17:51 +0900)]
build: clean DIBS build scripts up
Remove some redundant scripts.
Linux kernel can be compiled both 32 bit and 64 bit linux host. So,
extension of script can be ".linux".
Change-Id: I97aacfad1fc94ba95e1c5d837d055bd1b5139876
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Munkyu Im [Fri, 18 Sep 2015 06:46:57 +0000 (15:46 +0900)]
config: ready for vhost-net
Vhost-net provides virtio device emulation on host.
Linux kernel needs to enable Message Signaled Interrupt(MSI)
to handle this device emulation code on guest.
(http://www.linux-kvm.org/page/UsingVhost)
Change-Id: I419b718b2591c0574483c77027a3f54af594113a
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
SeokYeon Hwang [Thu, 10 Sep 2015 06:46:25 +0000 (15:46 +0900)]
Merge branch 'tizen_2.4_develop' into tizen_3.0_develop
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Change-Id: I723188c29b751843acc06e848f6d2fa129a5e8c3
bk0121.shin [Wed, 9 Sep 2015 10:46:13 +0000 (19:46 +0900)]
audio: support extension build for intel8x0 driver
Change-Id: Iee2b6da786bc6a2846426c19d85af71b331d6e99
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
Jinhyung Choi [Fri, 28 Aug 2015 04:14:50 +0000 (13:14 +0900)]
Revert "VIGS: Temporary W/A for the extension"
This reverts commit e915d17c9296e93456f2c30ae4715a207e40bc01.
Change-Id: Ie54023e2e8237c6d56790716a14dc32a308d6308
Signed-off-by: Jinhyung Choi <jinh0.choi@samsung.com>
Roman Kubiak [Mon, 24 Aug 2015 07:34:11 +0000 (16:34 +0900)]
Kernel threads excluded from smack checks
Adds an ignore case for kernel tasks,
so that they can access all resources.
Since kernel worker threads are spawned with
floor label, they are severely restricted by
Smack policy. It is not an issue without onlycap,
as these processes also run with root,
so CAP_MAC_OVERRIDE kicks in. But with onlycap
turned on, there is no way to change the label
for these processes.
Change-Id: Ic0b9c0d9d5874f0299e0aba74d01c180e2722d48
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Roman Kubiak [Mon, 24 Aug 2015 07:34:11 +0000 (16:34 +0900)]
Kernel threads excluded from smack checks
Adds an ignore case for kernel tasks,
so that they can access all resources.
Since kernel worker threads are spawned with
floor label, they are severely restricted by
Smack policy. It is not an issue without onlycap,
as these processes also run with root,
so CAP_MAC_OVERRIDE kicks in. But with onlycap
turned on, there is no way to change the label
for these processes.
Change-Id: Ic0b9c0d9d5874f0299e0aba74d01c180e2722d48
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Vasiliy Ulyanov [Mon, 17 Aug 2015 14:07:37 +0000 (17:07 +0300)]
VIGS: change min dpi constraint
This is a workaround for output phys dimensions computation. In some
cases we need a smaller dpi in order to make Xorg calculate display
coordinates properly.
Change-Id: I40b7215d1aefcc7e63a98239501a937466ac5579
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
Sooyoung Ha [Wed, 19 Aug 2015 13:03:52 +0000 (22:03 +0900)]
package: version up
version update to 3.14.10
Change-Id: I7ef0ec4698c1f41c96bf185ad28b785f07c19d89
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Sooyoung Ha [Wed, 19 Aug 2015 13:00:05 +0000 (22:00 +0900)]
package: version up
version update to 3.14.10
Change-Id: I621a5b01bd35a3eb7fe43414729fe7d3126908c2
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
SeokYeon Hwang [Wed, 19 Aug 2015 07:26:09 +0000 (16:26 +0900)]
Merge branch 'tizen_2.4_develop' into tizen_3.0_develop
Change-Id: I9dad6217804fbe612b54889499ecc527b3812e0e
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Sooyoung Ha [Mon, 3 Aug 2015 06:00:09 +0000 (15:00 +0900)]
package: version up
version update to 3.14.8
Change-Id: Iafb2ef3752cbfcc261e28f60b01c5af3df27b4d4
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Sooyoung Ha [Mon, 3 Aug 2015 05:45:02 +0000 (14:45 +0900)]
package: modify pkginfo.manifest file
modify platform version 2.4 -> 3.0
Change-Id: I15bb78a08a41c2f5d5f314d2504d38bc5e4fc8c5
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
sungmin ha [Thu, 30 Jul 2015 03:09:09 +0000 (12:09 +0900)]
tablet: added input buffer to virtqueue
Change-Id: I279e54dba3405fc0659de93540e5066715f4762d
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
jinhyung.jo [Wed, 29 Jul 2015 07:53:42 +0000 (16:53 +0900)]
VIGS: Temporary W/A for the extension
For the extension booting, modified the version of vigs drm.
This should be removed when the proper extension image is released.
Change-Id: I94e424f76212a228e273418b21143c818a1fa1b9
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
bk0121.shin [Wed, 29 Jul 2015 06:00:35 +0000 (15:00 +0900)]
tuner: separate dvb_frontend build for tv extension
Change-Id: I121033a9834a738bb866b0b07649805287f28674
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
sungmin ha [Sun, 26 Jul 2015 10:27:39 +0000 (19:27 +0900)]
tablet: removed unused codes
Change-Id: I9c232b065474abcfc936892c57fea7a2bc744d89
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
sungmin ha [Sun, 26 Jul 2015 07:14:17 +0000 (16:14 +0900)]
tablet: added maru tablet driver
Change-Id: Icf76a5533af62b73ac39ad0c79182ad6c6170398
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
bk0121.shin [Fri, 24 Jul 2015 12:22:16 +0000 (21:22 +0900)]
package: version up (3.14.9)
support security extension
Change-Id: I9b5b303685f729e3244f42cd7ed8884444de331b
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
bk0121.shin [Fri, 24 Jul 2015 12:16:30 +0000 (21:16 +0900)]
security: support extension build
Change-Id: I0f05f0d6f0a74c97d6703185297201b931b97cea
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
jinhyung.jo [Thu, 23 Jul 2015 07:37:55 +0000 (16:37 +0900)]
maru-camera: Except the camera driver when build with the extension
The camera driver will be built using the source of the extension owns.
Change-Id: I219d54ea13eca3a1eed70b24175c73dd7de51d04
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
Jinhyung Choi [Tue, 21 Jul 2015 04:59:14 +0000 (13:59 +0900)]
build: package version up (3.14.8)
Change-Id: I62f5f7cde62dc23bc08269f828557b4e705002e3
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
Jinhyung Choi [Fri, 17 Jul 2015 06:05:07 +0000 (15:05 +0900)]
ac97: supports codec extension for product
ac97_codec.c and ac97_pcm.c will not be built if maru extension is set.
Change-Id: I57e1671db09c646fc86d18c7706d51ed721277ce
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
SeokYeon Hwang [Sat, 18 Jul 2015 07:46:14 +0000 (16:46 +0900)]
arch: introduced 64bit kernel
Change-Id: I17255b0f5220ba1e10902d0c1c478513747c1427
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Park Kyoung Won [Mon, 20 Jul 2015 07:53:37 +0000 (16:53 +0900)]
brillcodec: reslove casting warning for a 64bit target
changed uint32_t into uintptr_t in functions(context_add, task_add, task_remove)
Change-Id: Iee0f1da8896a1e70175b8d8a794de0ee3288bc81
Signed-off-by: Park Kyoung Won <kw0712.park@samsung.com>
(cherry picked from commit fd20e5600d1ab30411c48864d58e9e9ea19680ca)
Park Kyoung Won [Mon, 20 Jul 2015 07:53:37 +0000 (16:53 +0900)]
brillcodec: reslove casting warning for a 64bit target
changed uint32_t into uintptr_t in functions(context_add, task_add, task_remove)
Change-Id: Iee0f1da8896a1e70175b8d8a794de0ee3288bc81
Signed-off-by: Park Kyoung Won <kw0712.park@samsung.com>
Dariusz Michaluk [Tue, 26 May 2015 09:44:06 +0000 (11:44 +0200)]
config: enabled missing kernel config for LXC containers
Change-Id: I84724e71fe53dbd31bae42bbe0aef5531ac95715
Sven Wegener [Tue, 22 Jul 2014 08:26:06 +0000 (10:26 +0200)]
x86_32, entry: Store badsys error code in %eax
commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.
Commit 554086d ("x86_32, entry: Do syscall exit work on badsys
(CVE-2014-4508)") introduced a regression in the x86_32 syscall entry
code, resulting in syscall() not returning proper errors for undefined
syscalls on CPUs supporting the sysenter feature.
The following code:
> int result = syscall(666);
> printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));
results in:
> result=666 errno=0 error=Success
Obviously, the syscall return value is the called syscall number, but it
should have been an ENOSYS error. When run under ptrace it behaves
correctly, which makes it hard to debug in the wild:
> result=-1 errno=38 error=Function not implemented
The %eax register is the return value register. For debugging via ptrace
the syscall entry code stores the complete register context on the
stack. The badsys handlers only store the ENOSYS error code in the
ptrace register set and do not set %eax like a regular syscall handler
would. The old resume_userspace call chain contains code that clobbers
%eax and it restores %eax from the ptrace registers afterwards. The same
goes for the ptrace-enabled call chain. When ptrace is not used, the
syscall return value is the passed-in syscall number from the untouched
%eax register.
Use %eax as the return value register in syscall_badsys and
sysenter_badsys, like a real syscall handler does, and have the caller
push the value onto the stack for ptrace access.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
Reviewed-and-tested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Origin: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8142b215501f8b291a108a202b3a053a265b03dd
Backported-by: Maciej Wereski <m.wereski@partner.samsung.com>
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
Change-Id: I5ecc413a86a49ee59a6bd3a55dc582dafd73d827
Andy Lutomirski [Mon, 23 Jun 2014 21:22:15 +0000 (14:22 -0700)]
x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
The bad syscall nr paths are their own incomprehensible route
through the entry control flow. Rearrange them to work just like
syscalls that return -ENOSYS.
This fixes an OOPS in the audit code when fast-path auditing is
enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
This has probably been broken since Linux 2.6.27:
af0575bba0 i386 syscall audit fast-path
Cc: Roland McGrath <roland@redhat.com>
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Origin: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=554086d85e71f30abe46fc014fea31929a7c6a8a
Backported-by: Maciej Wereski <m.wereski@partner.samsung.com>
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
Change-Id: I7fbb024771fb7c33ce97006868fb9224e1d19321
haken.kim [Tue, 14 Jul 2015 12:23:20 +0000 (21:23 +0900)]
nfc: removed build warning for 64 bit
fix nfc build warnings for prepare the 64bit enable.
Change-Id: I70551784a4b5e50fdc19a7320d4fed9ace26dba6
Signed-off-by: haken.kim <haken.kim@samsung.com>
GiWoong Kim [Fri, 17 Jul 2015 06:35:02 +0000 (15:35 +0900)]
touchscreen: removed warning for 64 bit build
enable by default, Wpointer-to-int-cast
Change-Id: I805e384e66ce99ddf692a292053a92c0342d6177
Signed-off-by: GiWoong Kim <giwoong.kim@samsung.com>
jinhyung.jo [Wed, 15 Jul 2015 04:27:29 +0000 (13:27 +0900)]
package: version up (3.14.7)
Change-Id: Ia9d182e396d10f3b77cd3e4e2ea78f7670008f24
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
jinhyung.jo [Wed, 15 Jul 2015 02:48:31 +0000 (11:48 +0900)]
VIGS: Removed a compilation warnning
Changed the format specifier from '%u' to '%pa' for the type 'resource_size_t'.
Here is an excerpt from the document below,
'https://www.kernel.org/doc/Documentation/printk-formats.txt',
"
Physical addresses types phys_addr_t:
%pa[p] 0x01234567 or 0x0123456789abcdef
For printing a phys_addr_t type (and its derivatives, such as
resource_size_t) which can vary based on build options, regardless of
the width of the CPU data path. Passed by reference.
".
Change-Id: Ia0d72411de707cb7f3aaba7d91e86f79f5c2b607
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
SeokYeon Hwang [Sun, 12 Jul 2015 05:08:10 +0000 (14:08 +0900)]
build: applied -Werror on maru drivers
Change-Id: I1d83a1130bc6b48636a95820e0b14aa48c1a3593
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Jinhyung Choi [Mon, 13 Jul 2015 08:00:53 +0000 (17:00 +0900)]
evdi: removed warning for 64 bit build
- changed printing format from %d to %zd for ssize_t
- It supported only after C99 compiler, so this will be re-checked later.
Change-Id: Idf1bdb753b8b93490ea5bb112cf5cdd75b7ad833
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
Jinhyung Choi [Mon, 13 Jul 2015 07:59:52 +0000 (16:59 +0900)]
sensor: remove warning for 64 bit build
changed NULL device to MKDEV(0,0) for device_create/device_destroy
Change-Id: Ic223af5760a9179e368db2ecab91b998f7642387
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
Jinhyung Choi [Mon, 13 Jul 2015 07:56:01 +0000 (16:56 +0900)]
power supply: remove warnings for 64 bit
- changed NULL device arg to MKDEV(0,0) for device_create/device_destroy
Change-Id: If53a9158364e781320d6e3db87a3bc3a84b113de
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
bk0121.shin [Mon, 13 Jul 2015 01:57:13 +0000 (10:57 +0900)]
build: Modify Makefile for extension
- To be included as built-in, 'obj-' should be used
instead of 'subdir' in Makefile
Change-Id: I5b7fafa0b07e15e067963fc231838f94f6555fba
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
Andy Lutomirski [Thu, 29 May 2014 03:09:58 +0000 (23:09 -0400)]
auditsc: audit_krule mask accesses need bounds checking
Fixes an easy DoS and possible information disclosure.
This does nothing about the broken state of x32 auditing.
eparis: If the admin has enabled auditd and has specifically loaded
audit rules. This bug has been around since before git. Wow...
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Origin: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3c54931199565930d6d84f4c3456f6440aefd41
Backported-by: Maciej Wereski <m.wereski@partner.samsung.com>
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
Change-Id: Ic36da623453b4507d93be2c68f8be6945da2df6c
jinhyung.jo [Tue, 7 Jul 2015 08:21:23 +0000 (17:21 +0900)]
maru-camera: Changed the method for passing the argument to/from device
Without using the CPU I/O, directly using the device memory.
Additionally
Allowing the instance to 2.
Modified the log format & contents.
Change-Id: I919b3847e7e0fec02a873bed27bd064bae92a680
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
SeokYeon Hwang [Tue, 7 Jul 2015 04:50:39 +0000 (13:50 +0900)]
build: introduced extension source path
The "extension source path" is additional source path that can be
used by product specific sources. The path can be prepared by
symbolic link or git submodule.
Change-Id: I9600fa107af5aa9755f9e071ef98c29babac83fd
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Sangho Park [Wed, 24 Jun 2015 06:43:03 +0000 (15:43 +0900)]
Merge "ramfs: suppress warnings when filesystem is mounted" into tizen_2.4_develop
Rafal Krypa [Tue, 23 Jun 2015 08:30:49 +0000 (10:30 +0200)]
Smack: fix backport of multi-onlycap patch
Adapt the patch for multiple labels in onlycap to older kernel version.
It was previously backported without an important dependency. There is a
difference in smk_import_entry function. In upstream it returns error codes,
but here the error is indicated by returning NULL.
Without this fix the kernel could crash when empty string is written to
onlycap interface file.
Change-Id: Ibadab8b78b86453526cd423100619ab0a10fa68c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 23 Jun 2015 08:28:09 +0000 (10:28 +0200)]
Smack: update patch for multi-onlycap to the final upstream version
Synchronize the patch enabling multiple labels in onlycap with the last
version that was merged upstream. The patch merged in this tree was an
earlier version, before it was updated and merged upstream.
Changes are only cosmetic (function name, comments, code formatting), but
merging them will ease future synchronization with upstream Smack code.
Change-Id: Iefe9ec32659043e62bdf2a227aad8f42c3563b9d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 15 May 2015 19:22:01 +0000 (21:22 +0200)]
Smack: allow multiple labels in onlycap
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
processes running with the configured label. But having single privileged
label is not enough in some real use cases. On a complex system like Tizen,
there may be few programs that need to configure Smack policy in run-time
and running them all with a single label is not always practical.
This patch extends onlycap feature for multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.
Change-Id: Ia95b93b4474669b7fd02926926e10b814b78405c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry picked from commit c0a3794dfc6a153294fa90f6499a43c78a608047)
Rafal Krypa [Fri, 15 May 2015 17:43:33 +0000 (19:43 +0200)]
Smack: fix seq operations in smackfs
Use proper RCU functions and read locking in smackfs seq_operations.
Smack gets away with not using proper RCU functions in smackfs, because
it never removes entries from these lists. But now one list will be
needed (with interface in smackfs) that will have both elements added and
removed to it.
This change will also help any future changes implementing removal of
unneeded entries from other Smack lists.
The patch also fixes handling of pos argument in smk_seq_start and
smk_seq_next. This fixes a bug in case when smackfs is read with a small
buffer:
Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
Stack:
00000003 0000000d 7ff39e48 7f69fd00
7ff39ce0 601ae4b0 7ff39d50 600e587b
00000010 6039f690 7f69fd40 00612003
Call Trace:
[<601ae4b0>] load2_seq_show+0x19/0x1d
[<600e587b>] seq_read+0x168/0x331
[<600c5943>] __vfs_read+0x21/0x101
[<601a595e>] ? security_file_permission+0xf8/0x105
[<600c5ec6>] ? rw_verify_area+0x86/0xe2
[<600c5fc3>] vfs_read+0xa1/0x14c
[<600c68e2>] SyS_read+0x57/0xa0
[<6001da60>] handle_syscall+0x60/0x80
[<6003087d>] userspace+0x442/0x548
[<6001aa77>] ? interrupt_end+0x0/0x80
[<6001daae>] ? copy_chunk_to_user+0x0/0x2b
[<6002cb6b>] ? save_registers+0x1f/0x39
[<60032ef7>] ? arch_prctl+0xf5/0x170
[<6001a92d>] fork_handler+0x85/0x87
Change-Id: I032c1fc726c0670060d1cf4c419746257159b499
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry picked from commit f638effaf324d57f37453e421be87e537140e527)
SeokYeon Hwang [Tue, 23 Jun 2015 15:17:45 +0000 (00:17 +0900)]
ramfs: suppress warnings when filesystem is mounted
Change-Id: Iea6900dbc0c03d6d13a1448d5d3294ecb9824b7f
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Maciej Wereski [Wed, 17 Jun 2015 08:29:43 +0000 (10:29 +0200)]
Tune config to meet systemd requirements
Change-Id: I65497741bf2fd7d77bf25fa2b4c744b0aa2ccaf1
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
SeokYeon Hwang [Mon, 8 Jun 2015 06:23:44 +0000 (15:23 +0900)]
virtio_blk: removed W/A for sdcard support
A sdcard support will be done by udev rules and deviced.
Change-Id: I126ba1c72e1215ee28ee4da34791877d86b56435
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Munkyu Im [Wed, 27 May 2015 07:46:16 +0000 (16:46 +0900)]
package: version up
Change-Id: I629d413854a34c5f21fda4de027772d8a2a1b0a5
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
Munkyu Im [Tue, 26 May 2015 04:32:58 +0000 (13:32 +0900)]
virtio-net: support MII
It's incomplete.
But support it to enable ioctl call on guest side.
Change-Id: Iaec1ed63fe5f0ce2fff19be42890ca1063555179
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
Sooyoung Ha [Sun, 17 May 2015 12:01:45 +0000 (21:01 +0900)]
packaging: remove dependency.
Remove the emulator-kernel-user-headers build dependency.
Change-Id: I6aa468dab8834e72789320e4d87e8e7752d6a951
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
Sangho Park [Sun, 17 May 2015 10:34:02 +0000 (19:34 +0900)]
Revert "packaging: use linux-glibc-devel instread of emulator-kernel-headers"
This reverts commit 12fbb0687ba2d1f8ecbeeac8c3be53cc378f2b37.
Change-Id: Iac02a9324f10006953f82409283a526531d2bc9e
(cherry picked from commit 08becd57e5e8375b2e2dc2fe48de664757bfde66)
Jinhyung Choi [Tue, 12 May 2015 13:50:09 +0000 (22:50 +0900)]
sensor: added logs for sensor capability debug purpose
Change-Id: Ibdf600bc24c9860200a171d88583ba56f560cb68
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
Jinhyung Choi [Tue, 12 May 2015 05:02:15 +0000 (14:02 +0900)]
sensor: add mutex for get_sensor_data in accelerometer
Change-Id: I6cc802e5b2ca413984b285798a2867419cec3977
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
Jinhyung Choi [Tue, 12 May 2015 05:02:39 +0000 (14:02 +0900)]
sensor: split scatter list initialization
split in/out virtqueue scatterlist to set sg_mark_end each
Change-Id: I562d51af7ab1d5e8b57b8971e7fe4d40d971a55b
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
sungmin ha [Tue, 28 Apr 2015 08:12:42 +0000 (17:12 +0900)]
rotary: Apply the changed specifications
The value of REL_WHEEL event was changed like below.
- Before
Right direction: 1 -> 2 -> 3
Left direction: 3 -> 2 -> 1
- After
Departing from the current detent area: 1
Returning the current detent area: -1
Right direction(CW): 2
Left direction(CCW): -2
Change-Id: Ibd86e5c97839ea90383797096ed2c887a703e8b7
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
GiWoong Kim [Mon, 23 Mar 2015 12:20:29 +0000 (21:20 +0900)]
rotary: modified virtual rotary driver
tizen_rotary -> tizen_detent
Instead of the delta that the change of the degree,
sends up the detent value in every 15 degrees.
Change-Id: I1b2b7ea8e4a2ff4ac90626710ddfe7f691ad29e2
Signed-off-by: GiWoong Kim <giwoong.kim@samsung.com>
jinhyung.jo [Tue, 30 Dec 2014 10:09:49 +0000 (19:09 +0900)]
rotary: Added a new device driver
Added a new device driver for the rotary device
Change-Id: I8a388a1b40315a47e60dbf00f17ad0ad69d8414c
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
Jinhyung Choi [Mon, 11 May 2015 09:14:56 +0000 (18:14 +0900)]
sensor driver: waited for set_sensor_data
In order to resolve timing issue, set_sensor_data is waiting for a callback
similar to get_sensor_data.
Change-Id: I436375ea99b5f19c07d0683a89dd35d50218f830
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
(cherry picked from commit b603734d766fa00ef69f2c075dd6264a7ad1bdb6)
Jinhyung Choi [Fri, 8 May 2015 06:27:39 +0000 (15:27 +0900)]
sensor: virtio memory allocation flag changed.
Change-Id: I58d577e26826a8f055a7c4e0349d8f326cb3ed7e
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
(cherry picked from commit 44fd6adc9dbdade3a714b3efac550e8062e2b880)
SeokYeon Hwang [Tue, 21 Apr 2015 11:53:37 +0000 (20:53 +0900)]
config: set NOOP as a default IO scheduler
Change-Id: I252dc0d20afb20559efe02ceeb90f0b825af6ce9
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
(cherry picked from commit df6d0674dc7883bf1a971ffb8d969e86074537da)
SeokYeon Hwang [Mon, 20 Apr 2015 07:28:41 +0000 (16:28 +0900)]
config: enabled CONFIG_ANDROID_INTF_ALARM_DEV
Change-Id: I1af3b208e2dbaa28487a73f02ce04a660770e187
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
(cherry picked from commit 2b8f290969821e5602136a6abda02d6756242874)
Munkyu Im [Mon, 27 Apr 2015 11:11:10 +0000 (20:11 +0900)]
package: restructure directories
change installed directory
Change-Id: If295b80efe71dd6090123f17b3c2df61e3d1c606
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
minkee.lee [Fri, 17 Apr 2015 10:10:39 +0000 (19:10 +0900)]
Package: Modified package name.
- Added platform version("2.4") to package name.
Change-Id: Ia6a5eb5eca93330bdca90f799b6e941705f3669a
Signed-off-by: minkee.lee <minkee.lee@samsung.com>
minkee.lee [Fri, 17 Apr 2015 07:50:21 +0000 (16:50 +0900)]
Merge branch 'tizen_2.4' into tizen_2.4_develop
Change-Id: I94112bf901574a1ae450adcc7f545a3dd9a295b5
Signed-off-by: minkee.lee <minkee.lee@samsung.com>
sungmin ha [Wed, 15 Apr 2015 08:10:09 +0000 (17:10 +0900)]
package: version up(3.14.5)
Change-Id: I40c6f16893d0be8747a36ff20aca4918c3f18035
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
Sasha Levin [Wed, 28 Jan 2015 11:30:43 +0000 (20:30 +0900)]
vfs: read file_handle only once in handle_to_path
This patch was related with "[CVE-2015-1420] Race condition in fs/fhandle.c in the Linux kernel".
We used to read file_handle twice. Once to get the amount of extra bytes, and
once to fetch the entire structure.
This may be problematic since we do size verifications only after the first
read, so if the number of extra bytes changes in userspace between the first
and second calls, we'll have an incoherent view of file_handle.
Instead, read the constant size once, and copy that over to the final
structure without having to re-read it again.
Change-Id: I318d7428079e323f53bc7eb1f7dc0a5dfac7eb0b
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Byungsoo Kim <bs1770.kim@samsung.com>
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
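The double read described in the commit above, modelled in user space as an added example (not code from the commit). copy_from_user_model, user_mem, racing_value and read_handle are constructed stand-ins; struct file_handle and the MAX_HANDLE_SZ limit of 128 follow the kernel's definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLE_SZ 128            /* limit checked after the first read */
struct file_handle {
    uint32_t handle_bytes;           /* length of f_handle[] */
    int32_t  handle_type;
    unsigned char f_handle[];
};

/* Constructed stand-in for user memory; handle_bytes sits at offset 0. */
static unsigned char user_mem[sizeof(struct file_handle) + MAX_HANDLE_SZ];
static uint32_t racing_value;        /* nonzero: another thread rewrites handle_bytes */

/* Model of copy_from_user(): after every copy the racing thread gets to run. */
static void copy_from_user_model(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    if (racing_value)
        memcpy(user_mem, &racing_value, sizeof(racing_value));
}

/* Returns the handle_bytes that later code would trust, or 0 if rejected. */
static uint32_t read_handle(uint32_t initial, uint32_t race, int fetch_twice)
{
    struct file_handle f_handle, *handle;
    uint32_t trusted;

    memset(user_mem, 0, sizeof(user_mem));          /* set up the constructed input */
    memcpy(user_mem, &initial, sizeof(initial));
    racing_value = race;
    copy_from_user_model(&f_handle, user_mem, sizeof(f_handle));
    if (f_handle.handle_bytes == 0 || f_handle.handle_bytes > MAX_HANDLE_SZ)
        return 0;
    handle = malloc(sizeof(*handle) + f_handle.handle_bytes);
    if (!handle)
        return 0;
    if (fetch_twice) {   /* old pattern: header fetched again, never re-checked */
        copy_from_user_model(handle, user_mem, sizeof(*handle) + f_handle.handle_bytes);
    } else {             /* patched pattern: validated header, payload only */
        *handle = f_handle;
        copy_from_user_model(handle->f_handle, user_mem + sizeof(*handle), f_handle.handle_bytes);
    }
    trusted = handle->handle_bytes;
    free(handle);
    return trusted;
}

int main(void)
{
    /* 8 passes validation, 4096 is raced in: old pattern trusts 4096, patched 8. */
    return !(read_handle(8, 4096, 1) == 4096 && read_handle(8, 4096, 0) == 8);
}
```

With the second full read, the length that later code trusts no longer matches the size that was validated and allocated; copying the already-checked header removes that window.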
Hector Marco-Gisbert [Sat, 14 Feb 2015 17:33:50 +0000 (09:33 -0800)]
x86, mm/ASLR: Fix stack randomization on 64-bit systems
The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.
The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":
static unsigned long randomize_stack_top(unsigned long stack_top)
{
        unsigned int random_variable = 0;

        if ((current->flags & PF_RANDOMIZE) &&
                !(current->personality & ADDR_NO_RANDOMIZE)) {
                random_variable = get_random_int() & STACK_RND_MASK;
                random_variable <<= PAGE_SHIFT;
        }
#ifdef CONFIG_STACK_GROWSUP
        return PAGE_ALIGN(stack_top) + random_variable;
#else
        return PAGE_ALIGN(stack_top) - random_variable;
#endif
}
Note that, it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
random_variable <<= PAGE_SHIFT;
then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.
These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (One fourth of expected entropy).
This patch restores back the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().
The successful fix can be tested with:
$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
...
Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.
Change-Id: I961d7977c511e0228a92f0020021fe50589e3e95
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
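The truncation described in the commit above, reproduced in user space as an added example (not code from the commit). The mask and shift are the x86_64 values quoted in the message; STACK_TOP and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* x86_64 values quoted in the commit message. */
#define STACK_RND_MASK 0x3fffffu
#define PAGE_SHIFT     12
/* Assumed for illustration: the highest user-space page on x86_64. */
#define STACK_TOP      0x7ffffffff000ULL

/* Pre-fix arithmetic: the offset is held in a 32-bit unsigned int. */
static uint64_t offset_before_fix(uint32_t rnd)
{
    uint32_t random_variable = rnd & STACK_RND_MASK;
    random_variable <<= PAGE_SHIFT;      /* bits 32 and 33 are shifted out */
    return random_variable;
}

/* Post-fix arithmetic: the same steps in a 64-bit variable. */
static uint64_t offset_after_fix(uint32_t rnd)
{
    uint64_t random_variable = rnd & STACK_RND_MASK;
    random_variable <<= PAGE_SHIFT;
    return random_variable;
}

/* Number of offset bits an input can influence: OR the offsets produced
 * by each single input bit, then count the bits that were ever set. */
static int random_bits(uint64_t (*offset)(uint32_t))
{
    uint64_t seen = 0;
    int bits = 0;
    for (int b = 0; b < 32; b++)
        seen |= offset((uint32_t)1 << b);
    for (; seen; seen >>= 1)
        bits += (int)(seen & 1);
    return bits;
}

/* Lowest stack top reachable on a grows-down stack (largest offset subtracted). */
static uint64_t lowest_stack_top(uint64_t (*offset)(uint32_t))
{
    return STACK_TOP - offset(UINT32_MAX);
}

int main(void)
{
    printf("before: %d bits, lowest top %#llx\n", random_bits(offset_before_fix),
           (unsigned long long)lowest_stack_top(offset_before_fix));
    printf("after:  %d bits, lowest top %#llx\n", random_bits(offset_after_fix),
           (unsigned long long)lowest_stack_top(offset_after_fix));
    return 0;
}
```

The lowest reachable top moves from 0x7fff00000000 to 0x7ffc00000000, which is why the /proc/self/maps check in the message expects prefixes from 7ffc to 7fff once the types are corrected.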
Daniel Borkmann [Thu, 22 Jan 2015 17:26:54 +0000 (18:26 +0100)]
net: sctp: fix slab corruption from use after free on INIT collisions
When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c646 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c646 ...
[ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[ 533.940559] PGD 5030f2067 PUD 0
[ 533.957104] Oops: 0000 [#1] SMP
[ 533.974283] Modules linked in: sctp mlx4_en [...]
[ 534.939704] Call Trace:
[ 534.951833] [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[ 534.984213] [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[ 535.015025] [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[ 535.045661] [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[ 535.074593] [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[ 535.105239] [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[ 535.138606] [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[ 535.166848] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
... or depending on the application, for example this one:
[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632] [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863] [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154] [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679] [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
With slab debugging enabled, we can see that the poison has been overwritten:
[ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
[ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[ 669.826424] __slab_alloc+0x4bf/0x566
[ 669.826433] __kmalloc+0x280/0x310
[ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp]
[ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[ 669.826635] __slab_free+0x39/0x2a8
[ 669.826643] kfree+0x1d6/0x230
[ 669.826650] kzfree+0x31/0x40
[ 669.826666] sctp_auth_key_put+0x19/0x20 [sctp]
[ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp]
[ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp]
Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).
Reference counting of auth keys revisited:
Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or endpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.
User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().
sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
initial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independent of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
("net: sctp: fix memory leak in auth key management") is independent of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.
Change-Id: I07e48e69eaa9bc6699d75957c75244849e0b5b46
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
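Why the slab report in the commit above shows a single byte at 0x6a instead of 0x6b, as an added user-space model (not code from the commit). The one-object slab, key_create, key_put, poison_damage and run_puts are hypothetical; the layout follows struct sctp_auth_bytes, with the refcount as first field, and "freed" memory is poisoned in place rather than released.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b             /* slab poison byte for freed objects */
#define OBJ_SIZE    128              /* kmalloc-128, as in the report */

/* Layout modelled on struct sctp_auth_bytes: refcount first, then key data. */
struct auth_bytes {
    int32_t  refcnt;
    uint32_t len;
    uint8_t  data[OBJ_SIZE - 8];
};

/* Constructed one-object "slab": freeing poisons the memory in place. */
static union { struct auth_bytes key; uint8_t raw[OBJ_SIZE]; } slab;

static struct auth_bytes *key_create(void)
{
    memset(slab.raw, 0, OBJ_SIZE);
    slab.key.refcnt = 1;             /* new keys start with one reference */
    return &slab.key;
}

/* Model of sctp_auth_key_put(): drop one reference, free on the last one. */
static void key_put(struct auth_bytes *key)
{
    if (--key->refcnt == 0)
        memset(slab.raw, POISON_FREE, OBJ_SIZE);
}

/* Poison check as done on the next allocation: count bytes that are not 0x6b. */
static int poison_damage(uint8_t *first_bad)
{
    int bad = 0;
    for (int i = 0; i < OBJ_SIZE; i++)
        if (slab.raw[i] != POISON_FREE && bad++ == 0)
            *first_bad = slab.raw[i];
    return bad;
}

/* Damaged byte count after `puts` calls to key_put() on a key with refcount 1. */
static int run_puts(int puts, uint8_t *first_bad)
{
    struct auth_bytes *key = key_create();
    while (puts--)
        key_put(key);
    return poison_damage(first_bad);
}

int main(void)
{
    uint8_t bad = 0;
    int n = run_puts(2, &bad);       /* the extra put decrements poisoned memory */
    printf("double put: %d damaged byte(s), first is 0x%02x\n", n, bad);
    return 0;
}
```

The second put decrements a refcount field that already holds the poison pattern, so 0x6b6b6b6b becomes 0x6b6b6b6a and exactly one byte fails the poison check.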
Vasiliy Ulyanov [Fri, 27 Mar 2015 11:44:35 +0000 (14:44 +0300)]
VIGS: add base dmabuf import/export support
Change-Id: I04b3c9558d99b096a8a54b57ab89a7a8b5b225b6
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
Vasiliy Ulyanov [Wed, 25 Feb 2015 06:55:49 +0000 (09:55 +0300)]
VIGS: enable render-nodes feature
Change-Id: I7304e19f61b10869dc3433d68405d5edb8645de4
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>