diff options
| author | fire855 <thefire855@gmail.com> | 2017-04-08 23:30:28 +0200 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-05-28 18:00:31 +0200 |
| commit | f5834ec25091ea265da4b8c486b92ebe83990b4a (patch) | |
| tree | fc3d2b1233c8eb439a7205f84dd7e70f58b75ee2 | |
| parent | efe9bef34e5ec9107257e22b1a3bf58ab510c9e6 (diff) | |
Fix "Information disclosure vulnerability in MediaTek driver"
CVE-2017-0529
| -rw-r--r-- | drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c | 107 |
1 files changed, 14 insertions, 93 deletions
diff --git a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c index f65f2e89e..4e0bbaa5f 100644 --- a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c +++ b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c @@ -78,7 +78,6 @@ BOOL fbconfig_start_LCM_config; #define FB_GET_MISC FBCONFIG_IOR(80, unsigned int) #define DP_COLOR_BITS_PER_PIXEL(color) ((0x0003FF00 & color) >> 8) -static int global_layer_id = -1; struct dentry *ConfigPara_dbgfs = NULL; CONFIG_RECORD_LIST head_list ; @@ -418,99 +417,22 @@ static long fbconfig_ioctl(struct file * file, unsigned int cmd, unsigned long a }else PanelMaster_DSI_set_timing(dsi_id,timing); return 0 ; - } + } case FB_LAYER_GET_EN: { - PM_LAYER_EN layers; - OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM]; - ovl_get_info(0, ovl_all); - layers.layer_en[0]= (ovl_all[0].layer_en? 1:0); - layers.layer_en[1]= (ovl_all[1].layer_en? 1:0); - layers.layer_en[2]= (ovl_all[2].layer_en? 1:0); - layers.layer_en[3]= (ovl_all[3].layer_en? 1:0); -#ifdef OVL_CASCADE_SUPPORT - layers.layer_en[4]= (ovl_all[4].layer_en? 1:0); - layers.layer_en[5]= (ovl_all[5].layer_en? 1:0); - layers.layer_en[6]= (ovl_all[6].layer_en? 1:0); - layers.layer_en[7]= (ovl_all[7].layer_en? 1:0); -#endif - printk("[LAYER_GET_EN]:L0:%d L1:%d L2:%d L3:%d\n",ovl_all[0].layer_en,ovl_all[1].layer_en,ovl_all[2].layer_en,ovl_all[3].layer_en); - return copy_to_user(argp, &layers, sizeof(layers)) ? -EFAULT : 0; - } - case FB_LAYER_GET_INFO: - { - PM_LAYER_INFO layer_info; - OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM]; - if(copy_from_user(&layer_info,(void __user*)argp,sizeof(layer_info))) - { - printk("[TE_SET_ENABLE]: copy_from_user failed! line:%d \n", __LINE__); - return -EFAULT; - } - global_layer_id = layer_info.index; - ovl_get_info(0, ovl_all); - layer_info.height = ovl_all[layer_info.index].src_h; - layer_info.width = ovl_all[layer_info.index].src_w; - layer_info.fmt = DP_COLOR_BITS_PER_PIXEL(ovl_all[layer_info.index].fmt); - layer_info.layer_size = ovl_all[layer_info.index].src_pitch* ovl_all[layer_info.index].src_h; - printk("===>: layer_size:0x%x height:%d \n",layer_info.layer_size,layer_info.height); - printk("===>: width:%d src_pitch:%d \n",layer_info.width,ovl_all[layer_info.index].src_pitch); - printk("===>: layer_id:%d fmt:%d\n",global_layer_id,layer_info.fmt); - printk("===>: layer_en:%d \n",(ovl_all[layer_info.index].layer_en)); - if((layer_info.height == 0)||(layer_info.width ==0)||(ovl_all[layer_info.index].layer_en ==0)) - { - printk("===> is 000 Errorrrr!!\n"); - return -2 ; - } - else - return copy_to_user(argp, &layer_info, sizeof(layer_info)) ? -EFAULT : 0; - - } - case FB_LAYER_DUMP: - { - int layer_size; - int ret =0; - unsigned long kva =0; - unsigned int mva ; - unsigned int mapped_size = 0 ; - unsigned int real_mva=0; - unsigned int real_size=0; - OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM]; - ovl_get_info(0, ovl_all); - layer_size = ovl_all[global_layer_id].src_pitch * ovl_all[global_layer_id].src_h ; - mva = ovl_all[global_layer_id].addr ; - printk("layer_size=%d, src_pitch=%d, h=%d, mva=0x%x, \n", - layer_size, ovl_all[global_layer_id].src_pitch, ovl_all[global_layer_id].src_h, mva); - - if((layer_size !=0)&&(ovl_all[global_layer_id].layer_en !=0)) - { - // printk("sxk==>FB_LAYER_DUMP==>layer_size is %d mva is 0x%x\n",layer_size,mva); - extern int m4u_query_mva_info(unsigned int mva, unsigned int size, unsigned int *real_mva, unsigned int *real_size); - ret=m4u_query_mva_info(mva, layer_size,&real_mva,&real_size); - if(ret<0) - { - printk("m4u_query_mva_info error:mva is 0x%x layer size is %d\n",mva,layer_size); - return ret; - } - ret=m4u_mva_map_kernel( real_mva, real_size, &kva, &mapped_size); - if(ret<0) - { - printk("m4u_mva_map_kernel error: ret=%d 0x%x %d\r\n",ret,real_mva,real_size); - return ret; - } - if(layer_size>mapped_size) - { - printk("==>layer size(0x%x)>mapped size(0x%x)!!!",layer_size,mapped_size); - return -EFAULT; - } - printk("==> addr from user space is 0x%p\n", argp); - printk("==> kva is 0x%lx real_mva %x mva %x mmaped size is %dlayer_size is %d\n",kva,real_mva,mva,mapped_size,layer_size); - ret = copy_to_user(argp, (void *)kva+(mva-real_mva), layer_size-(mva-real_mva)) ? -EFAULT : 0; - m4u_mva_unmap_kernel(real_mva, real_size, kva); - return ret ; - } - else - return -2 ; - } + pr_debug("[FB_LAYER_GET_EN] not supported anymore\n"); + return 0; + } + case FB_LAYER_GET_INFO: + { + pr_debug("[FB_LAYER_GET_INFO] not supported anymore\n"); + return 0; + } + case FB_LAYER_DUMP: + { + pr_debug("[FB_LAYER_DUMP] not supported anymore\n"); + return 0; + } case LCM_GET_ESD: { ESD_PARA esd_para ; @@ -596,4 +518,3 @@ void PanelMaster_Deinit(void) { debugfs_remove(ConfigPara_dbgfs); } - |