
Commit b01e71d0 authored by Ravi Kumar Siddojigari's avatar Ravi Kumar Siddojigari Committed by Gerrit - the friendly Code Review server

usb: Avoid exposing kernel addresses



Usage of %p exposes kernel addresses, which makes them an easy target for
kernel write vulnerabilities. With this patch, %pK currently prints
only zeros as the address. If you need the actual address, run
echo 0 > /proc/sys/kernel/kptr_restrict

addressing the info leak  issue under following CVEs
CVE-2016-8401, CVE-2016-8402, CVE-2016-8403,
CVE-2016-8404, CVE-2016-8405, CVE-2016-8406,
CVE-2016-8407

Change-Id: Iefe0639416275cfeca6e90b6f88cd0412bb76414
Signed-off-by: default avatarRavi Kumar Siddojigari <rsiddoji@codeaurora.org>
parent 6fb76668
+7 −7
@@ -899,7 +899,7 @@ static void mbim_notify_complete(struct usb_ep *ep, struct usb_request *req)
	struct f_mbim			*mbim = req->context;
	struct usb_cdc_notification	*event = req->buf;

	pr_debug("dev:%p\n", mbim);
	pr_debug("dev:%pK\n", mbim);

	spin_lock(&mbim->lock);
	switch (req->status) {
@@ -929,7 +929,7 @@ static void mbim_notify_complete(struct usb_ep *ep, struct usb_request *req)
	mbim_do_notify(mbim);
	spin_unlock(&mbim->lock);

	pr_debug("dev:%p Exit\n", mbim);
	pr_debug("dev:%pK Exit\n", mbim);
}

static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req)
@@ -940,7 +940,7 @@ static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req)
	struct f_mbim		*mbim = func_to_mbim(f);
	struct mbim_ntb_input_size *ntb = NULL;

	pr_debug("dev:%p\n", mbim);
	pr_debug("dev:%pK\n", mbim);

	req->context = NULL;
	if (req->status || req->actual != req->length) {
@@ -978,7 +978,7 @@ static void mbim_ep0out_complete(struct usb_ep *ep, struct usb_request *req)
invalid:
	usb_ep_set_halt(ep);

	pr_err("dev:%p Failed\n", mbim);
	pr_err("dev:%pK Failed\n", mbim);

	return;
}
@@ -1000,7 +1000,7 @@ fmbim_cmd_complete(struct usb_ep *ep, struct usb_request *req)
		return;
	}

	pr_debug("dev:%p port#%d\n", dev, dev->port_num);
	pr_debug("dev:%pK port#%d\n", dev, dev->port_num);

	cpkt = mbim_alloc_ctrl_pkt(len, GFP_ATOMIC);
	if (!cpkt) {
@@ -1313,7 +1313,7 @@ static int mbim_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
					return ret;
				}

				pr_info("Set mbim port in_desc = 0x%p\n",
				pr_info("Set mbim port in_desc = 0x%pK\n",
					mbim->bam_port.in->desc);

				ret = config_ep_by_speed(cdev->gadget, f,
@@ -1325,7 +1325,7 @@ static int mbim_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
					return ret;
				}

				pr_info("Set mbim port out_desc = 0x%p\n",
				pr_info("Set mbim port out_desc = 0x%pK\n",
					mbim->bam_port.out->desc);

				if (mbim->xport == USB_GADGET_XPORT_BAM2BAM_IPA
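Review bot: The `pr_err("dev:%pK Failed\n", mbim)` line and the two `pr_info("Set mbim port ..._desc = 0x%pK\n", ...)` lines still write a pointer into the kernel log on every build, and `%pK` hides it only while `kptr_restrict` is non-zero. Its capability check is made against whichever task is running when the message is formatted, not against whoever later reads the log. The completion handlers touched here (`mbim_notify_complete`, `mbim_ep0out_complete`, `fmbim_cmd_complete`) are presumably invoked from interrupt context, where that credential check has no meaningful subject. The address adds little diagnostic value, so I would drop it from the always-on messages, for example `pr_err("mbim: ep0 out request failed\n");` and `pr_info("Set mbim port in_desc\n");`. The same reasoning applies to the `pr_debug` conversions in the two later file sections, and all of these functions start or end outside the hunks shown.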
+4 −4
/* Copyright (c) 2011, 2013-2014, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011, 2013-2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -184,7 +184,7 @@ static void ghsic_ctrl_connect_w(struct work_struct *w)
	if (!port || !test_bit(CH_READY, &port->bridge_sts))
		return;

	pr_debug("%s: port:%p port type =%u\n", __func__, port, port->gtype);
	pr_debug("%s: port:%pK port type =%u\n", __func__, port, port->gtype);

	retval = ctrl_bridge_open(&port->brdg);
	if (retval) {
@@ -481,7 +481,7 @@ static int gctrl_port_alloc(int portno, enum gadget_type gtype)

	platform_driver_register(pdrv);

	pr_debug("%s: port:%p portno:%d\n", __func__, port, portno);
	pr_debug("%s: port:%pK portno:%d\n", __func__, port, portno);

	return 0;
}
@@ -573,7 +573,7 @@ static ssize_t gctrl_read_stats(struct file *file, char __user *ubuf,

		temp += scnprintf(buf + temp, DEBUG_BUF_SIZE - temp,
				"\nName:        %s\n"
				"#PORT:%d port: %p\n"
				"#PORT:%d port: %pK\n"
				"to_usbhost:    %lu\n"
				"to_modem:      %lu\n"
				"cpkt_drp_cnt:  %lu\n"
+10 −10
@@ -188,7 +188,7 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
static void
clean_from_lists(struct nf_conn *ct)
{
	pr_debug("clean_from_lists(%p)\n", ct);
	pr_debug("clean_from_lists(%pK)\n", ct);
	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode);

@@ -203,7 +203,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
	struct net *net = nf_ct_net(ct);
	struct nf_conntrack_l4proto *l4proto;

	pr_debug("destroy_conntrack(%p)\n", ct);
	pr_debug("destroy_conntrack(%pK)\n", ct);
	NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
	NF_CT_ASSERT(!timer_pending(&ct->timeout));

@@ -234,7 +234,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
	if (ct->master)
		nf_ct_put(ct->master);

	pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct);
	pr_debug("destroy_conntrack: returning ct=%pK to slab\n", ct);
	nf_conntrack_free(ct);
}

@@ -496,7 +496,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
	/* No external references means no one else could have
	   confirmed us. */
	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
	pr_debug("Confirming conntrack %p\n", ct);
	pr_debug("Confirming conntrack %pK\n", ct);

	spin_lock_bh(&nf_conntrack_lock);

@@ -827,7 +827,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
	spin_lock_bh(&nf_conntrack_lock);
	exp = nf_ct_find_expectation(net, zone, tuple);
	if (exp) {
		pr_debug("conntrack: expectation arrives ct=%p exp=%p\n",
		pr_debug("conntrack: expectation arrives ct=%pK exp=%pK\n",
			 ct, exp);
		/* Welcome, Mr. Bond.  We've been expecting you... */
		__set_bit(IPS_EXPECTED_BIT, &ct->status);
@@ -917,14 +917,14 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
	} else {
		/* Once we've had two way comms, always ESTABLISHED. */
		if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
			pr_debug("nf_conntrack_in: normal packet for %p\n", ct);
			pr_debug("nf_conntrack_in:normal packet for %pK\n", ct);
			*ctinfo = IP_CT_ESTABLISHED;
		} else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
			pr_debug("nf_conntrack_in: related packet for %p\n",
			pr_debug("nf_conntrack_in: related packet for %pK\n",
				 ct);
			*ctinfo = IP_CT_RELATED;
		} else {
			pr_debug("nf_conntrack_in: new packet for %p\n", ct);
			pr_debug("nf_conntrack_in: new packet for %pK\n", ct);
			*ctinfo = IP_CT_NEW;
		}
		*set_reply = 0;
@@ -1066,7 +1066,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
	/* Should be unconfirmed, so not in hash table yet */
	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));

	pr_debug("Altering reply tuple of %p to ", ct);
	pr_debug("Altering reply tuple of %pK to ", ct);
	nf_ct_dump_tuple(newreply);

	ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
@@ -1641,7 +1641,7 @@ int nf_conntrack_init_net(struct net *net)
		goto err_stat;
	}

	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%pK", net);
	if (!net->ct.slabname) {
		ret = -ENOMEM;
		goto err_slabname;
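Review bot: In `nf_conntrack_init_net`, switching the slab name to `"nf_conntrack_%pK"` makes the cache name depend on `kptr_restrict`. When the pointer is printed as zeros every network namespace gets the same name, and when it is not, the address of `net` is still visible to anyone who can list slab names. The name is presumably handed to the cache-creation call below the hunk, so identical names may cause warnings or collisions there. A name that is unique without being derived from a pointer avoids both problems, for example `static atomic64_t unique_id;` together with `net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu", (u64)atomic64_inc_return(&unique_id));`. The rest of the function lies outside the hunk.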