| author | fire855 <thefire855@gmail.com> | 2017-04-08 16:47:57 +0200 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-05-28 18:00:09 +0200 |
| commit | efe9bef34e5ec9107257e22b1a3bf58ab510c9e6 (patch) | |
| tree | 887af85544b7afae21ee42ff6e37e7c0556478de | |
| parent | 13e4975cde348f42d254916257691db238ab18be (diff) | |
Fix "Elevation of privilege vulnerability in MediaTek components"
CVE-2017-0502
| -rw-r--r-- | drivers/misc/mediatek/m4u/2.0/m4u.c | 4 | ||||
| -rw-r--r-- | drivers/misc/mediatek/m4u/mt6735/m4u_hw.c | 36 | ||||
| -rw-r--r-- | drivers/misc/mediatek/m4u/mt6735/m4u_hw.h | 30 |
3 files changed, 38 insertions, 32 deletions
diff --git a/drivers/misc/mediatek/m4u/2.0/m4u.c b/drivers/misc/mediatek/m4u/2.0/m4u.c index f1920f285..a3d7b91f7 100644 --- a/drivers/misc/mediatek/m4u/2.0/m4u.c +++ b/drivers/misc/mediatek/m4u/2.0/m4u.c @@ -1976,7 +1976,7 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg int ret = 0; M4U_MOUDLE_STRUCT m4u_module; M4U_PORT_STRUCT m4u_port; - M4U_PORT_ID PortID; + /*M4U_PORT_ID PortID;*/ M4U_PORT_ID ModuleID; M4U_CACHE_STRUCT m4u_cache_data; M4U_DMA_STRUCT m4u_dma_data; @@ -2085,6 +2085,7 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg mutex_unlock(&gM4u_sec_init); #endif break; +#if 0 case MTK_M4U_T_MONITOR_START: ret = copy_from_user(&PortID, (void *)arg, sizeof(unsigned int)); if (ret) { @@ -2102,6 +2103,7 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg } ret = m4u_monitor_stop(m4u_port_2_m4u_id(PortID)); break; +#endif case MTK_M4U_T_CACHE_FLUSH_ALL: m4u_dma_cache_flush_all(); break; diff --git a/drivers/misc/mediatek/m4u/mt6735/m4u_hw.c b/drivers/misc/mediatek/m4u/mt6735/m4u_hw.c index 508304493..4874df998 100644 --- a/drivers/misc/mediatek/m4u/mt6735/m4u_hw.c +++ b/drivers/misc/mediatek/m4u/mt6735/m4u_hw.c @@ -286,6 +286,9 @@ int config_mau(M4U_MAU_STRUCT mau) unsigned int MVAEnd = mau.mva + mau.size; int port_id = m4u_port_2_larb_port(mau.port); + if (m4u_id == -1 || larb == -1) + return -1; + if (0 != m4u_id) return -1; @@ -1114,11 +1117,11 @@ int m4u_invalid_seq_range_by_id(int port, int seq_id) m4u_index = m4u_port_2_m4u_id(port); m4u_slave_id = m4u_port_2_m4u_slave_id(port); - if(m4u_index == -1 && m4u_slave_id == -1) + if (m4u_index == -1 || m4u_slave_id == -1) return -1; m4u_base = gM4UBaseAddr[m4u_index]; - pSeq = gM4USeq[m4u_index] + M4U_SEQ_NUM(m4u_index)*m4u_slave_id; + pSeq = gM4USeq[m4u_index] + M4U_SEQ_NUM(m4u_index) * m4u_slave_id; mutex_lock(&gM4u_seq_mutex); { 
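Review bot: In MTK_M4U_ioctl the MTK_M4U_T_MONITOR_START and MTK_M4U_T_MONITOR_STOP cases are only fenced off with `#if 0`, and the `PortID` declaration is left behind as a comment, with nothing in the file saying why. Either delete the two cases and the declaration, or head the disabled block with a comment such as `/* MONITOR_START/STOP disabled for CVE-2017-0502: PortID is copied from user space */` so a later cleanup does not switch them back on. How these two commands are answered once the cases are compiled out depends on the switch's default branch, which is outside the hunks shown. The same remark covers the hunks at -1976, -2085 and -2102.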
@@ -1169,11 +1172,11 @@ static int _m4u_config_port(int port, int virt, int sec, int dis, int dir) int m4u_index = m4u_port_2_m4u_id(port); unsigned long m4u_base = gM4UBaseAddr[m4u_index]; unsigned long larb_base; - unsigned int larb, larb_port; + int larb, larb_port; int ret = 0; if (m4u_index == -1) - return -1; + return -1; M4ULOG_HIGH("config_port:%s,v%d,s%d\n", m4u_get_port_name(port), virt, sec); @@ -1192,6 +1195,8 @@ static int _m4u_config_port(int port, int virt, int sec, int dis, int dir) int mmu_en = 0; larb = m4u_port_2_larb_id(port); + if (larb == -1) + return -1; larb_port = m4u_port_2_larb_port(port); larb_base = gLarbBaseAddr[larb]; @@ -1235,11 +1240,9 @@ static inline void _m4u_port_clock_toggle(int m4u_index, int larb, int on) if (m4u_index == 0) { start = sched_clock(); if (on) { - smi_common_clock_on(); larb_clock_on(larb); } else { larb_clock_off(larb); - smi_common_clock_off(); } end = sched_clock(); @@ -1266,6 +1269,8 @@ int m4u_config_port(M4U_PORT_STRUCT *pM4uPort) /* native */ m4u_index = m4u_port_2_m4u_id(PortID); larb = m4u_port_2_larb_id(PortID); + if (m4u_index == -1 || larb == -1) + return -1; _m4u_port_clock_toggle(m4u_index, larb, 1); #ifdef M4U_TEE_SERVICE_ENABLE @@ -1337,6 +1342,8 @@ int m4u_config_port_array(struct m4u_port_array *port_array) unsigned int value; larb = m4u_port_2_larb_id(port); + if (larb == -1) + return -1; larb_port = m4u_port_2_larb_port(port); config_larb[larb] |= (1 << larb_port); value = (!!(port_array->ports[port] && M4U_PORT_ATTR_VIRTUAL))<<larb_port; 
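Review bot: In _m4u_config_port the initializer `unsigned long m4u_base = gM4UBaseAddr[m4u_index];` still runs before the `if (m4u_index == -1)` guard. With the m4u_hw.h change in this same commit, m4u_port_2_m4u_id() now returns -1 for a rejected port where it used to return 0, so an invalid port reads gM4UBaseAddr[-1] before the function bails out. Declare `unsigned long m4u_base;` without an initializer and assign `m4u_base = gM4UBaseAddr[m4u_index];` after the guard. The function body continues outside the hunk, so any other use of m4u_index ahead of the check would need the same treatment.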
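Review bot: In m4u_config_port_array, the line right after the new larb check, `value = (!!(port_array->ports[port] && M4U_PORT_ATTR_VIRTUAL))<<larb_port;`, uses logical `&&` against what is presumably a bit flag. If M4U_PORT_ATTR_VIRTUAL is a non-zero mask, the expression is 1 for any non-zero attribute byte, and `port_array->ports[port] & M4U_PORT_ATTR_VIRTUAL` looks like what was intended. This line is unchanged context and predates the commit, but it sits directly under the added check. The added `return -1` also appears to leave from inside the per-port loop; whether anything set up earlier in the function has to be undone on that path is not visible in the hunk.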
@@ -1665,13 +1672,16 @@ void m4u_print_port_status(struct seq_file *seq, int only_print_active) M4U_PRINT_LOG_OR_SEQ(seq, "m4u_print_port_status ========>\n"); - smi_common_clock_on(); larb_clock_all_on(); for (port = 0; port < gM4u_port_num; port++) { m4u_index = m4u_port_2_m4u_id(port); + if (m4u_index == -1) + return; if (m4u_index == 0) { larb = m4u_port_2_larb_id(port); + if (larb == -1) + return; larb_port = m4u_port_2_larb_port(port); larb_base = gLarbBaseAddr[larb]; @@ -1690,7 +1700,6 @@ void m4u_print_port_status(struct seq_file *seq, int only_print_active) } larb_clock_all_off(); - smi_common_clock_off(); M4U_PRINT_LOG_OR_SEQ(seq, "\n"); } @@ -1783,12 +1792,11 @@ int m4u_unregister_fault_callback(int port) int m4u_enable_tf(int port, bool fgenable) { - if (port >= 0 && port < gM4u_port_num) + if (port >= 0 && port < M4U_PORT_UNKNOWN) { gM4uPort[port].enable_tf = fgenable; - else - M4UMSG("%s, error: port=%d\n", __func__, port); - - return 0; + return 0; + } + return -1; } /* ============================================================================== */ @@ -2309,4 +2317,4 @@ int m4u_dump_reg_for_smi_hang_issue(void) m4u_dump_rs_info(0, 0); return 0; -}
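Review bot: The two bare `return;` statements added inside the port loop of m4u_print_port_status leave the function after `larb_clock_all_on()` has run, skipping the `larb_clock_all_off()` that the -1690 hunk shows after the loop. One rejected port therefore leaves the larb clocks enabled with no matching release. Skipping the entry keeps the pair balanced: `if (m4u_index == -1) continue;` and `if (larb == -1) continue;`. If the loop has to stop at the first bad port, use `break` so control still reaches the clock-off call.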
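Review bot: m4u_enable_tf now bounds the write to `gM4uPort[port].enable_tf` by M4U_PORT_UNKNOWN instead of gM4u_port_num, while larb_2_m4u_slave_id in m4u_hw.h still walks the same table up to gM4u_port_num. The table's declared size is not visible here; if it holds gM4u_port_num entries and that is smaller than M4U_PORT_UNKNOWN, the new bound admits an out-of-range index. Checking both limits, `if (port >= 0 && port < M4U_PORT_UNKNOWN && port < gM4u_port_num)`, or a comment stating that the two are equal, would settle it. The failure path also dropped the `M4UMSG("%s, error: port=%d\n", __func__, port);` line, so a rejected port is now silent apart from the -1 return; keeping the message helps when tracing bad callers.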
\ No newline at end of file +} diff --git a/drivers/misc/mediatek/m4u/mt6735/m4u_hw.h b/drivers/misc/mediatek/m4u/mt6735/m4u_hw.h index 2553d2223..4b301669b 100644 --- a/drivers/misc/mediatek/m4u/mt6735/m4u_hw.h +++ b/drivers/misc/mediatek/m4u/mt6735/m4u_hw.h @@ -102,18 +102,16 @@ static inline int m4u_get_port_by_tf_id(int m4u_id, int tf_id) static inline int m4u_port_2_larb_port(M4U_PORT_ID port) { - if (port < 0 || port > M4U_PORT_UNKNOWN) - return 0; - - return gM4uPort[port].larb_port; + if (port >= 0 && port < M4U_PORT_UNKNOWN) + return gM4uPort[port].larb_port; + return M4U_PORT_UNKNOWN; } static inline int m4u_port_2_larb_id(M4U_PORT_ID port) { - if (port < 0 || port > M4U_PORT_UNKNOWN) - return 0; - - return gM4uPort[port].larb_id; + if (port >= 0 && port < M4U_PORT_UNKNOWN) + return gM4uPort[port].larb_id; + return -1; } static inline int larb_2_m4u_slave_id(int larb) @@ -123,23 +121,21 @@ static inline int larb_2_m4u_slave_id(int larb) for (i = 0; i < gM4u_port_num; i++) if (gM4uPort[i].larb_id == larb) return gM4uPort[i].m4u_slave; - return 0; + return -1; } static inline int m4u_port_2_m4u_id(M4U_PORT_ID port) { - if (port < 0 || port > M4U_PORT_UNKNOWN) - return 0; - - return gM4uPort[port].m4u_id; + if (port >= 0 && port < M4U_PORT_UNKNOWN) + return gM4uPort[port].m4u_id; + return -1; } static inline int m4u_port_2_m4u_slave_id(M4U_PORT_ID port) { - if (port < 0 || port > M4U_PORT_UNKNOWN) - return 0; - - return gM4uPort[port].m4u_slave; + if (port >= 0 && port < M4U_PORT_UNKNOWN) + return gM4uPort[port].m4u_slave; + return -1; } static inline int larb_port_2_m4u_port(int larb, int larb_port) |
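Review bot: In m4u_hw.h, m4u_port_2_larb_port returns M4U_PORT_UNKNOWN for a rejected port, while m4u_port_2_larb_id, m4u_port_2_m4u_id and m4u_port_2_m4u_slave_id return -1, so the helpers now have two different failure values and no comment says which is which. The m4u_hw.c callers shown in this commit test only the larb or m4u id against -1 and then use larb_port directly, for example as the shift count in `1 << larb_port`. That is safe only because both helpers reject the same ports. A one-line comment on each helper, such as `/* returns -1 if port is outside [0, M4U_PORT_UNKNOWN) */`, and a single sentinel across all four would make the contract explicit. larb_2_m4u_slave_id also changed its fallback from 0 to -1 in the -121 hunk; its callers are outside this diff and should be checked for use of the result as an index.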
