diff options
| author | yang-cy.chen <yang-cy.chen@mediatek.com> | 2016-05-05 19:15:31 +0800 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-11-07 13:44:26 +0100 |
| commit | 800ad797e9b960bde4a4a39269f6ecb613a802e9 (patch) | |
| tree | 9f93a6d0dd73f57c9bb8a3e4bbff76ff2a964d41 | |
| parent | b4fe50b65774f9eb62f8bbcba8378225b6f66aec (diff) | |
Fix "arbitrary write-zero in mtkfb_ioctl() of Mediatek driver" issue
Problem:
lack of boundary check of user input parameter to cause arbitrary write-zero.
Solution:
remove unused code from driver
Bug num:28175025,28175027
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
(cherry picked from commit c811910368f393068b343ebdcb6d515dc33cd710)
Change-Id: Ie59f5dd742b6b2295f63f76583a5cac2bdcf5d53
Ticket: PORRIDGE-398
| -rw-r--r-- | drivers/misc/mediatek/video/mtkfb.h | 2 | ||||
| -rw-r--r-- | drivers/misc/mediatek/videox/mt6735/mtkfb.c | 97 |
2 files changed, 2 insertions, 97 deletions
diff --git a/drivers/misc/mediatek/video/mtkfb.h b/drivers/misc/mediatek/video/mtkfb.h index a796339e5..be99fa733 100644 --- a/drivers/misc/mediatek/video/mtkfb.h +++ b/drivers/misc/mediatek/video/mtkfb.h @@ -26,7 +26,6 @@ #define MTKFB_SET_OVERLAY_LAYER MTK_IOW(0, struct fb_overlay_layer) #define MTKFB_TRIG_OVERLAY_OUT MTK_IO(1) #define MTKFB_SET_VIDEO_LAYERS MTK_IOW(2, struct fb_overlay_layer) -#define MTKFB_CAPTURE_FRAMEBUFFER MTK_IOW(3, unsigned long) #define MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, unsigned long) #define MTKFB_SET_MULTIPLE_LAYERS MTK_IOW(5, struct fb_overlay_layer) #define MTKFB_REGISTER_OVERLAYBUFFER MTK_IOW(6, struct fb_overlay_buffer_info) @@ -59,7 +58,6 @@ #define MTKFB_SLT_AUTO_CAPTURE MTK_IOWR(27, struct fb_slt_catpure) //error handling -#define MTKFB_META_RESTORE_SCREEN MTK_IOW(101, unsigned long) #define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT MTK_IO(103) #define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE MTK_IO(104) diff --git a/drivers/misc/mediatek/videox/mt6735/mtkfb.c b/drivers/misc/mediatek/videox/mt6735/mtkfb.c index 2d550604e..2672a30f8 100644 --- a/drivers/misc/mediatek/videox/mt6735/mtkfb.c +++ b/drivers/misc/mediatek/videox/mt6735/mtkfb.c @@ -170,7 +170,6 @@ extern BOOL is_lcm_in_suspend_mode; // local function declarations // --------------------------------------------------------------------------- -static int init_framebuffer(struct fb_info *info); static int mtkfb_get_overlay_layer_info(struct fb_overlay_layer_info* layerInfo); static int mtkfb_update_screen(struct fb_info *info); static void mtkfb_update_screen_impl(void); @@ -1347,64 +1346,7 @@ static int mtkfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg return (r); } - case MTKFB_CAPTURE_FRAMEBUFFER: - { - unsigned long pbuf = 0; - if (copy_from_user(&pbuf, (void __user *)arg, sizeof(pbuf))) - { - MTKFB_LOG("[FB]: copy_from_user failed! line:%d \n", __LINE__); - r = -EFAULT; - } - else - { - dprec_logger_start(DPREC_LOGGER_WDMA_DUMP, 0, 0); - primary_display_capture_framebuffer_ovl(pbuf, eBGRA8888); - dprec_logger_done(DPREC_LOGGER_WDMA_DUMP, 0, 0); - } - - return (r); - } - - case MTKFB_SLT_AUTO_CAPTURE: - { - struct fb_slt_catpure capConfig; - if (copy_from_user(&capConfig, (void __user *)arg, sizeof(capConfig))) - { - MTKFB_LOG("[FB]: copy_from_user failed! line:%d \n", __LINE__); - r = -EFAULT; - } - else - { - unsigned int format; - switch (capConfig.format) - { - case MTK_FB_FORMAT_RGB888: - format = eRGB888; - break; - case MTK_FB_FORMAT_BGR888: - format = eBGR888; - break; - case MTK_FB_FORMAT_ARGB8888: - format = eARGB8888; - break; - case MTK_FB_FORMAT_RGB565: - format = eRGB565; - break; - case MTK_FB_FORMAT_UYVY: - format = eYUV_420_2P_UYVY; - break; - case MTK_FB_FORMAT_ABGR8888: - default: - format = eABGR8888; - break; - } - primary_display_capture_framebuffer_ovl((unsigned long)capConfig.outputBuffer, format); - } - - return (r); - } - - case MTKFB_GET_OVERLAY_LAYER_INFO: + case MTKFB_GET_OVERLAY_LAYER_INFO: { struct fb_overlay_layer_info layerInfo; MTKFB_LOG(" mtkfb_ioctl():MTKFB_GET_OVERLAY_LAYER_INFO\n"); @@ -1532,20 +1474,6 @@ static int mtkfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg return 0; } - case MTKFB_META_RESTORE_SCREEN: - { - struct fb_var_screeninfo var; - - if (copy_from_user(&var, argp, sizeof(var))) - return -EFAULT; - - info->var.yoffset = var.yoffset; - init_framebuffer(info); - - return mtkfb_pan_display_impl(&var, info); - } - - case MTKFB_GET_DEFAULT_UPDATESPEED: { unsigned int speed; @@ -1649,7 +1577,6 @@ struct compat_fb_overlay_layer { #define COMPAT_MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, compat_ulong_t) #define COMPAT_MTKFB_GET_POWERSTATE MTK_IOR(21, compat_ulong_t) -#define COMPAT_MTKFB_META_RESTORE_SCREEN MTK_IOW(101, compat_ulong_t) static void compat_convert(struct compat_fb_overlay_layer *compat_info, struct fb_overlay_layer *info) { @@ -1733,14 +1660,7 @@ static long mtkfb_compat_ioctl(struct fb_info *info, unsigned int cmd, unsigned arg = (unsigned long) compat_ptr(arg); ret = mtkfb_ioctl(info, MTKFB_TRIG_OVERLAY_OUT, arg); break; - } - - case COMPAT_MTKFB_META_RESTORE_SCREEN: - { - arg = (unsigned long) compat_ptr(arg); - ret = mtkfb_ioctl(info, MTKFB_META_RESTORE_SCREEN, arg); - break; - } + } case COMPAT_MTKFB_SET_OVERLAY_LAYER: { @@ -2050,19 +1970,6 @@ static void mtkfb_fbinfo_cleanup(struct mtkfb_device *fbdev) (((x) & 0xF800) << 8) | \ (0xFF << 24)) // opaque -/* Init frame buffer content as 3 R/G/B color bars for debug */ -static int init_framebuffer(struct fb_info *info) -{ - void *buffer = info->screen_base + - info->var.yoffset * info->fix.line_length; - - // clean whole frame buffer as black - memset(buffer, 0, info->screen_size); - - return 0; -} - - /* Free driver resources. Can be called to rollback an aborted initialization * sequence. */ |