Merge android-4.4.140 (789274d) into msm-4.4

* refs/heads/tmp-789274d
  Linux 4.4.140
  staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
  netfilter: nf_log: don't hold nf_log_mutex during user access
  mtd: cfi_cmdset_0002: Change erase functions to check chip good only
  mtd: cfi_cmdset_0002: Change erase functions to retry for error
  mtd: cfi_cmdset_0002: Change definition naming to retry write operation
  dm bufio: don't take the lock in dm_bufio_shrink_count
  mtd: rawnand: mxc: set spare area size register explicitly
  dm bufio: drop the lock when doing GFP_NOIO allocation
  dm bufio: avoid sleeping while holding the dm_bufio lock
  mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
  media: cx25840: Use subdev host data for PLL override
  x86/mce: Fix incorrect "Machine check from unknown source" message
  x86/mce: Detect local MCEs properly
  HID: debug: check length before copy_to_user()
  HID: hiddev: fix potential Spectre v1
  HID: i2c-hid: Fix "incomplete report" noise
  ext4: check superblock mapped prior to committing
  ext4: add more mount time checks of the superblock
  ext4: add more inode number paranoia checks
  ext4: clear i_data in ext4_inode_info when removing inline data
  ext4: include the illegal physical block in the bad map ext4_error msg
  ext4: verify the depth of extent tree in ext4_find_extent()
  ext4: only look at the bg_flags field if it is valid
  ext4: always check block group bounds in ext4_init_block_bitmap()
  ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
  jbd2: don't mark block as modified if the handle is out of credits
  cifs: Fix infinite loop when using hard mount option
  drbd: fix access after free
  s390: Correct register corruption in critical section cleanup
  scsi: sg: mitigate read/write abuse
  tracing: Fix missing return symbol in function_graph output
  mm: hugetlb: yield when prepping struct pages
  ubi: fastmap: Correctly handle interrupted erasures in EBA
  ARM: dts: imx6q: Use correct SDMA script for SPI5 core
  netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
  nvme-pci: initialize queue memory before interrupts
  kprobes/x86: Do not modify singlestep buffer while resuming
  ipv4: Fix error return value in fib_convert_metrics()
  i2c: rcar: fix resume by always initializing registers before transfer
  ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
  x86/boot: Fix early command-line parsing when matching at end
  n_tty: Access echo_* variables carefully.
  staging: android: ion: Return an ERR_PTR in ion_map_kernel
  n_tty: Fix stall at n_tty_receive_char_special().
  USB: serial: cp210x: add Silicon Labs IDs for Windows Update
  USB: serial: cp210x: add CESINEL device ids
  usb: cdc_acm: Add quirk for Uniden UBC125 scanner

Change-Id: I01c4fc4b6354c28a7d8ff391ff515096ed4d3da4
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

1 files changed, 40 insertions, 2 deletions

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 3906be2836ba..74761424c6a9 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -51,6 +51,7 @@ static int sg_version_num = 30536;	/* 2 digits for each component */
 #include <linux/atomic.h>
 #include <linux/ratelimit.h>
 #include <linux/uio.h>
+#include <linux/cred.h> /* for sg_check_file_access() */
 
 #include "scsi.h"
 #include <scsi/scsi_dbg.h>
@@ -221,6 +222,33 @@ static void sg_device_destroy(struct kref *kref);
 	sdev_prefix_printk(prefix, (sdp)->device,		\
 			   (sdp)->disk->disk_name, fmt, ##a)
 
+/*
+ * The SCSI interfaces that use read() and write() as an asynchronous variant of
+ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
+ * to trigger read() and write() calls from various contexts with elevated
+ * privileges. This can lead to kernel memory corruption (e.g. if these
+ * interfaces are called through splice()) and privilege escalation inside
+ * userspace (e.g. if a process with access to such a device passes a file
+ * descriptor to a SUID binary as stdin/stdout/stderr).
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static int sg_check_file_access(struct file *filp, const char *caller)
+{
+	if (filp->f_cred != current_real_cred()) {
+		pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EPERM;
+	}
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
+		pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EACCES;
+	}
+	return 0;
+}
+
 static int sg_allow_access(struct file *filp, unsigned char *cmd)
 {
 	struct sg_fd *sfp = filp->private_data;
@@ -405,6 +433,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
 	struct sg_header *old_hdr = NULL;
 	int retval = 0;
 
+	/*
+	 * This could cause a response to be stranded. Close the associated
+	 * file descriptor to free up any resources being held.
+	 */
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
@@ -592,9 +628,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
 	struct sg_header old_hdr;
 	sg_io_hdr_t *hp;
 	unsigned char cmnd[SG_MAX_CDB_SIZE];
+	int retval;
 
-	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-		return -EINVAL;
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
 
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;