Fix security vulnerablity in cmdq driver

2 files changed, 10 insertions, 1 deletions

diff --git a/drivers/misc/mediatek/cmdq/cmdq_driver.c b/drivers/misc/mediatek/cmdq/cmdq_driver.c
index cf7708890..21512e7e0 100644
--- a/drivers/misc/mediatek/cmdq/cmdq_driver.c
+++ b/drivers/misc/mediatek/cmdq/cmdq_driver.c
@@ -41,6 +41,8 @@ static const struct of_device_id cmdq_of_ids[] = {
 };
 #endif
 
+#define CMDQ_MAX_DUMP_REG_COUNT (2048)
+
 static dev_t gCmdqDevNo;
 static struct cdev *gCmdqCDev;
 static struct class *gCMDQClass;
@@ -202,6 +204,8 @@ static int cmdq_driver_create_reg_address_buffer(cmdqCommandStruct *pCommand)
 	}
 
 	/* how many register to dump? */
+	if (kernelRegCount > CMDQ_MAX_DUMP_REG_COUNT || userRegCount > CMDQ_MAX_DUMP_REG_COUNT)
+		return -EINVAL;
 	totalRegCount = kernelRegCount + userRegCount;
 
 	if (0 == totalRegCount) {
diff --git a/drivers/misc/mediatek/cmdq/cmdq_test.c b/drivers/misc/mediatek/cmdq/cmdq_test.c
index 58c21e7b1..fc1309008 100644
--- a/drivers/misc/mediatek/cmdq/cmdq_test.c
+++ b/drivers/misc/mediatek/cmdq/cmdq_test.c
@@ -29,7 +29,9 @@ static bool gCmdqTestSecure = false;
 
 extern unsigned long msleep_interruptible(unsigned int msecs);
 
+#if 0
 static struct proc_dir_entry *gCmdqTestProcEntry;
+#endif
 
 extern int32_t cmdq_core_suspend_HW_thread(int32_t thread);
 
@@ -2912,6 +2914,7 @@ static struct file_operations cmdq_fops = {
 
 static int __init cmdq_test_init(void)
 {
+#if 0
 	CMDQ_MSG("cmdq_test_init\n");
 
 	/* Mout proc entry for debug */
@@ -2921,17 +2924,19 @@ static int __init cmdq_test_init(void)
 			CMDQ_MSG("cmdq_test_init failed\n");
 		}
 	}
-
+#endif
 	return 0;
 }
 
 static void __exit cmdq_test_exit(void)
 {
+#if 0
 	CMDQ_MSG("cmdq_test_exit\n");
 	if (NULL != gCmdqTestProcEntry) {
 		proc_remove(gCmdqTestProcEntry);
 		gCmdqTestProcEntry = NULL;
 	}
+#endif
 }
 module_init(cmdq_test_init);
 module_exit(cmdq_test_exit);