Issue #1449

closed

Patchset for CVE-2015-3843, CVE-2014-2851, CVE-2013-6271, CVE-2013-6282, CVE-2014-3153, CVE-2014-0196, CVE-2014-7912 and more...

Added by My Self over 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: High
Category: Security
Start date: 03/30/2015
% Done: 70%
Resolution: wontfix

Description

I searched around a bit and found some more Replicant vulnerabilities. With this issue I want to provide the patches for them.

I've merged them already to my local Replicant 4.2 repo and successfully compiled/reflashed/tested them on my i9100 (with smdk4412 kernel).

CVE-2015-3843

more information: http://achaykin.blogspot.de/2015/08/spoofing-and-intercepting-sim-commands.html
patch: https://android.googlesource.com/platform/packages/apps/Stk/+/bab5e5e6c1d45dade413e620d6e37d5d3d0e99e4
file in patchset: 0001-Fix-tab-space-inconsistencies-in-stk_msg_dialog.xml.patch
to be merged in: packages/apps/Stk/

tcp_cubic

more information: http://bitsup.blogspot.ca/2015/09/thanks-google-tcp-team-for-open-source.html
patch: https://github.com/torvalds/linux/commit/30927520dbae297182990bb21d08762bcc35ce1d
file in patchset: 0002-tcp_cubic-better-follow-cubic-curve-after-idle-perio.patch
to be merged in:
kernel/goldelico/gta04/net/
kernel/samsung/aries/net/
kernel/samsung/crespo/net/
kernel/samsung/espresso10/net/
kernel/samsung/smdk4412/net/
kernel/samsung/tuna/net/

CVE-2014-2851

more information: http://forum.xda-developers.com/showthread.php?p=53195295#post53195295 and http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130
patch: https://github.com/CyanogenMod/android_kernel_bn_encore/commit/00caf17c45028843311129de54cd6af62f714f28
file in patchset: 0003-net-ipv4-current-group_info-should-be-put-after-usin.patch
to be merged in:
kernel/samsung/aries/net/
kernel/samsung/crespo/net/
kernel/samsung/espresso10/net/
kernel/samsung/smdk4412/net/
kernel/samsung/tuna/net/
file in patchset: 0003-GTA04-net-ipv4-current-group_info-should-be-put-after-usin.patch
to be merged in: kernel/goldelico/gta04/net/

security bug

more information: http://forum.xda-developers.com/showpost.php?p=48627823&postcount=113
patch 1/2: https://github.com/CyanogenMod/android_kernel_bn_encore/commit/8f1bd0c0a8447f35b00130dd1a508dd95b5323ff
file in patchset: 0004-Staging-TIDSPBRIDGE-Use-vm_iomap_memory-for-mmap-ing.patch
to be merged in:
kernel/samsung/aries/drivers/
kernel/samsung/crespo/drivers/
kernel/samsung/espresso10/drivers/
kernel/samsung/smdk4412/drivers/
kernel/samsung/tuna/drivers/
file in patchset: 0004-GTA04-Staging-TIDSPBRIDGE-Use-vm_iomap_memory-for-mmap-ing.patch
to be merged in: kernel/goldelico/gta04/drivers/
patch 2/2: https://github.com/CyanogenMod/android_kernel_bn_encore/commit/ae15456ce30a204942e1b92267313ffdcdebc62d
file in patchset: 0005-tidspbridge-fix-last-patch-to-map-same-region-of-phy.patch
to be merged in:
kernel/samsung/aries/drivers/
kernel/samsung/crespo/drivers/
kernel/samsung/espresso10/drivers/
kernel/samsung/smdk4412/drivers/
kernel/samsung/tuna/drivers/
file in patchset: 0005-GTA04-tidspbridge-fix-last-patch-to-map-same-region-of-phy.patch
to be merged in: kernel/goldelico/gta04/drivers/

vold_asec

more information: http://www.androidvulnerabilities.org/vulnerabilities/vold_asec
patch: https://android.googlesource.com/platform/system/vold/+/0de7c61
file in patchset: 0006-Validate-asec-names.patch
to be merged in: system/vold/

CVE-2013-6271 - Remove Device Locks from Android Phone

more information: http://blog.curesec.com/article/blog/CVE-2013-6271-Remove-Device-Locks-from-Android-Phone-26.html
patch: https://android.googlesource.com/platform/packages/apps/Settings/+/66026773bbf1d7631743a5b892a4f768c694f868
Replicant issue: http://redmine.replicant.us/issues/1359 (all credit to Wolfgang Wiedmeyer!)

CVE-2013-6282 - Qualcomm missing checks put_user get_user

more information: http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_missing_checks_put_user_get_user
patch: https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483
XDA: http://forum.xda-developers.com/showpost.php?p=50453497&postcount=128
CM: https://github.com/CyanogenMod/android_kernel_bn_encore/commit/300345731b3e37349dd299a67b51bd202512ef0a
file in patchset: 0007-smdk4412-ARM-7527-1-uaccess-explicitly-check-__user-pointer-w.patch
to be merged in: kernel/samsung/smdk4412/
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/espresso10
kernel/samsung/tuna
kernel/goldelico/gta04/

CVE-2014-3153

more information: http://forum.xda-developers.com/showthread.php?p=53195295#post53195295 and http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130
patches:
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/2222834ffe15aca6ee7cb8b0d36b859b0b1a7baa
file in patchset: 0008-smdk4412-futex-Add-another-early-deadlock-detection-check.patch
to be merged in: kernel/samsung/smdk4412/
file in patchset: 0008-espresso10-futex-Add-another-early-deadlock-detection-check.patch
to be merged in: kernel/samsung/espresso10
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/tuna
kernel/goldelico/gta04/
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/baebae0d76389821c688aa33a95d8e872c470b35
file in patchset: 0009-smdk4412-futex-Prevent-attaching-to-kernel-threads.patch
to be merged in: kernel/samsung/smdk4412/
file in patchset: 0009-espresso10-futex-Prevent-attaching-to-kernel-threads.patch
to be merged in: kernel/samsung/espresso10
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/tuna
kernel/goldelico/gta04/
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/7189b4cd641fa63abe09ec03e24f3e5e0c3b6ff8
This patch was already merged to the existing Replicant 4.2 codebase.
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/439741e669d36bf077e697fefd2c55beeeff7949
file in patchset: 0010-smdk4412-futex-Validate-atomic-acquisition-in-futex_lock_pi_a.patch
to be merged in: kernel/samsung/smdk4412/
file in patchset: 0010-espresso10-futex-Validate-atomic-acquisition-in-futex_lock_pi_a.patch
to be merged in: kernel/samsung/espresso10
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/tuna
kernel/goldelico/gta04/
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/e07cc0930f8c57e2e8784ad4b82a072ce69bf4fd
file in patchset: 0011-smdk4412-futex-Always-cleanup-owner-tid-in-unlock_pi.patch
to be merged in: kernel/samsung/smdk4412/
file in patchset: 0011-espresso10-futex-Always-cleanup-owner-tid-in-unlock_pi.patch
to be merged in: kernel/samsung/espresso10
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/tuna
kernel/goldelico/gta04/
https://github.com/CyanogenMod/android_kernel_bn_encore/commit/0099c6a9ea68910e79084f4600f72e0fe2018e92
file in patchset: 0012-smdk4412-futex-Make-lookup_pi_state-more-robust.patch
to be merged in: kernel/samsung/smdk4412/
file in patchset: 0012-espresso10-futex-Make-lookup_pi_state-more-robust.patch
to be merged in: kernel/samsung/espresso10
TODO: create patches for the following other kernels:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/tuna
kernel/goldelico/gta04/

CVE-2014-0196 - pty race

more information: http://www.androidvulnerabilities.org/vulnerabilities/pty_race
orig. patch: http://www.openwall.com/lists/oss-security/2014/05/05/6
XDA: http://forum.xda-developers.com/showpost.php?p=52615662&postcount=129
patch: https://github.com/steven676/ti-omap-encore-kernel3/commit/83540d5233d8f970f1d4c0c43f15d6f0ed10877c
file in patchset: 0013-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
to be merged in:
kernel/samsung/aries
kernel/samsung/crespo
kernel/samsung/espresso10
kernel/samsung/smdk4412/
kernel/goldelico/gta04/
TODO: create patches for the following other kernel:
kernel/samsung/tuna

CVE-2014-7912 - dhcpd buffer overrun

more information: http://www.androidvulnerabilities.org/vulnerabilities/dhcpd_buffer_overrun
patch: https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0
file in patchset: 0014-Fun_with_buffer-overrruns.patch
to be merged in: external/dhcpcd


Files

patchset.zip (39.2 KB) - My Self, 11/18/2015 09:36 PM

#1

Updated by Wolfgang Wiedmeyer over 8 years ago

Thank you for the patches!
I applied the patches and cannot report any issues. I am running a build with these patches for several days now.
Kernel patches are tested with my smdk4412 kernel sources.

While we're mostly on kernel security here already: I also noticed that there is a busybox binary at usr/galaxys2_initramfs_files in the smdk4412 kernel sources.
I am not sure if this is actually used for the Galaxy S2, but if so, it should maybe be built from source. It could also be replaced with the one from external/busybox that already gets built. The binary at least gets included in the stage1 directory of initramfs_data.cpio.

#2

Updated by Denis 'GNUtoo' Carikli over 8 years ago

  • Device 'Not device specific' added

#3

Updated by Wolfgang Wiedmeyer about 8 years ago

I did a clean merge of the current Replicant 4.2 branch with the cm-13.0 branch and I noticed a few things when I tried to apply the changes on top for the smdk4412 kernel.

First off: Can patch 0002 really be applied to the 3.0.x kernel? I noticed that it was not backported to the 3.2 kernel. I did not find the commit in there and the relevant code is also not there: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/net/ipv4/tcp_cubic.c?h=linux-3.2.y#n153

A few changes are already included in Cyanogenmod 13 (e.g. patch 0013). For CVE-2013-6282 (patch 0007) a different patch was included in Cyanogenmod: https://github.com/CyanogenMod/android_kernel_samsung_smdk4412/commit/67f8047290499070df082f5a2de81a387cfcfdd6

The rest of the kernel patches applied nicely.

#4

Updated by Wolfgang Wiedmeyer about 8 years ago

First off: Can patch 0002 really be applied to the 3.0.x kernel? I noticed that it was not backported to the 3.2 kernel. I did not find the commit in there and the relevant code is also not there: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/net/ipv4/tcp_cubic.c?h=linux-3.2.y#n153

Among others, the tcp_cubic patch is now also in the smdk4412 kernel on the cm-13.0 branch: https://github.com/CyanogenMod/android_kernel_samsung_smdk4412/commit/f7a711c992bb3272bc07d66c60ec79a276638817

#5

Updated by Wolfgang Wiedmeyer almost 7 years ago

  • Assignee changed from My Self to Paul Kocialkowski
  • Target version changed from Any version to Replicant 4.2
  • Device added
  • Device deleted (Not device specific)

#6

Updated by Kurtis Hanna over 4 years ago

  • Status changed from New to Closed
  • Resolution set to wontfix

This issue has been closed because Replicant 4.2 is no longer supported or maintained.
