authorEddie Chen <eddie.chen@mediatek.com>2016-06-22 11:36:23 +0800
committerMister Oyster <oysterized@gmail.com>2017-04-13 12:35:34 +0200
commit81bcdfb07fd402a908a848e327652d433972412c (patch)
tree8637d275367d628b0568fd2c24d42bf3697a20d7
parent260c0c1a0a737c3a42de218b98f2f558d0c66320 (diff)
conn_soc: Security Vulnerability in Mediatek driver : arbitrary kernel write
google security issue fix Bug num:25873324 Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606 Signed-off-by: Eddie Chen <eddie.chen@mediatek.com> Signed-off-by: Mister Oyster <oysterized@gmail.com>
-rw-r--r--drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c28
1 files changed, 19 insertions, 9 deletions
diff --git a/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c b/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
index 8da624363..4ad18aacf 100644
--- a/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
+++ b/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
@@ -2108,21 +2108,27 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
break;
case WMT_IOCTL_SET_PATCH_NUM:{
- pAtchNum = arg;
- if (pAtchNum == 0 || pAtchNum > MAX_PATCH_NUM) {
- WMT_ERR_FUNC("patch num(%d) == 0 or > %d!\n", pAtchNum, MAX_PATCH_NUM);
- iRet = -1;
+ UINT32 MAX_UINT = ~0;
+ UINT32 t_patchnum = arg;
+
+ if (t_patchnum <= 0) {
+ WMT_ERR_FUNC("patch num <= 0!\n");
+ break;
+ }
+
+ /* Verify that the amount of slots requested wont overflow */
+ if (t_patchnum >= (MAX_UINT / sizeof(WMT_PATCH_INFO))) {
+ WMT_ERR_FUNC("Patch num is too large!\n");
break;
}
- pPatchInfo = kcalloc(pAtchNum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC);
+ pPatchInfo = kcalloc(t_patchnum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC);
if (!pPatchInfo) {
WMT_ERR_FUNC("allocate memory fail!\n");
- iRet = -EFAULT;
break;
}
-
- WMT_DBG_FUNC(" get patch num from launcher = %d\n", pAtchNum);
+ pAtchNum = t_patchnum;
+ WMT_INFO_FUNC("get patch num from launcher = %d\n", pAtchNum);
wmt_lib_set_patch_num(pAtchNum);
}
break;
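Review bot: The three failure paths in the WMT_IOCTL_SET_PATCH_NUM case (the zero check, the "too large" check and the failed kcalloc) now `break` without assigning iRet, while the old `iRet = -1` and `iRet = -EFAULT` lines are removed. Unless iRet is set to an error elsewhere (its initial value is outside the hunk), the ioctl appears to report success after rejecting the request. Adding `iRet = -EINVAL;` before the first two breaks and `iRet = -ENOMEM;` after the allocation failure would make the rejection visible to the caller. The `MAX_PATCH_NUM` upper bound is also gone, so a caller can now request a very large GFP_ATOMIC allocation; the new MAX_UINT test adds little, because kcalloc already refuses a count that overflows the multiplication. Keeping `if (t_patchnum == 0 || t_patchnum > MAX_PATCH_NUM)` would restore the cap. WMT_unlocked_ioctl starts and ends outside the hunk.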
@@ -2143,7 +2149,11 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
iRet = -EFAULT;
break;
}
-
+ if (wMtPatchInfo.dowloadSeq > pAtchNum) {
+ WMT_ERR_FUNC("dowloadSeq would overflow\n");
+ iRet = -EFAULT;
+ break;
+ }
dWloadSeq = wMtPatchInfo.dowloadSeq;
WMT_DBG_FUNC(
"patch dl seq %d,name %s,address info 0x%02x,0x%02x,0x%02x,0x%02x\n",
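Review bot: The added bound `wMtPatchInfo.dowloadSeq > pAtchNum` still accepts `dowloadSeq == pAtchNum` and `dowloadSeq == 0`, and zero passes even when pAtchNum is 0 and pPatchInfo was never allocated. How dWloadSeq indexes pPatchInfo is outside the hunk, so which value is dangerous depends on that code. If the slot is `dWloadSeq - 1`, zero lands one element before the buffer; if it is `dWloadSeq`, the equal case lands one element past it. For a 1-based sequence the guard would read `if (!pPatchInfo || wMtPatchInfo.dowloadSeq == 0 || wMtPatchInfo.dowloadSeq > pAtchNum) {`. A short comment stating the valid range next to the check would keep the convention from being misread later.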