authorEdison Liu <Edison.Liu@mediatek.com>2018-01-11 15:57:41 +0800
committerMoyster <oysterized@gmail.com>2019-07-18 21:35:48 +0200
commit0cdf30c59f4a9464d9c8fe85a37174c479e6408e (patch)
tree9efeed0ddf523127e7d5e7997e54c4f2f0ec60ec
parenta0e750967210b4991decda1519eb17d82ae60eef (diff)
msdc: mt6735: fix code defect
[Detail] A malicious userspace application can corrupt kernel memory. The offset is not limited, so it becomes a powerful arbitrary memory read/write primitive. [Solution] Limit the offset to the range 0 to 0xFFFF. MTK-Commit-Id: 91446a30b6123dd3391074062dc9833d09dbcc54 Change-Id: Icf733233133bd8ed734ec69a3567e06281d982ff Signed-off-by: Edison Liu <Edison.Liu@mediatek.com> CR-Id: ALPS03684210 Feature: Others
-rw-r--r--drivers/misc/mediatek/mmc-host/mt6735/dbg.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/misc/mediatek/mmc-host/mt6735/dbg.c b/drivers/misc/mediatek/mmc-host/mt6735/dbg.c
index 468cb5cd7..5714ada61 100644
--- a/drivers/misc/mediatek/mmc-host/mt6735/dbg.c
+++ b/drivers/misc/mediatek/mmc-host/mt6735/dbg.c
@@ -2126,6 +2126,8 @@ static ssize_t msdc_debug_proc_write(struct file *file, const char *buf, size_t
if (id >= HOST_MAX_NUM || id < 0)
pr_err("[****SD_Debug****]msdc host_id error when modify msdc reg\n");
+ else if (offset > 0xFFFF || offset < 0)
+ pr_err("[****SD_Debug****]msdc address offset error when modify msdc reg\n");
else {
#if defined(CFG_DEV_MSDC0)
if (id == 0)
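Review bot: The bound added in `else if (offset > 0xFFFF || offset < 0)` is a bare constant that nothing in the hunk ties to the size of the register window actually mapped for the host, so if that mapping is smaller than 64 KiB a debug write can still land outside it (the mapping size is not visible here, so this needs confirming). It also accepts offsets that are not 4-byte aligned, which is presumably not wanted for a register access. I would bound against the real window size and reject misaligned values, e.g. `else if (offset < 0 || offset > MSDC_REG_WINDOW_MAX || (offset & 0x3))`, where `MSDC_REG_WINDOW_MAX` is a placeholder name for a constant derived from the mapping. The declaration of `offset` and the rest of `msdc_debug_proc_write` lie outside the hunk, so whether the `< 0` test is live and whether the other commands in this handler that take an offset are guarded in the same way should be checked as well.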