authorDavid Chu <david.chu@mediatek.com>2018-08-06 17:58:30 -0700
committerMoyster <oysterized@gmail.com>2018-11-27 16:28:19 +0100
commit68cd0ffd58c19350e772dd8e39793159c1e07a2d (patch)
tree32081a67c976f14c9fa9cb04e735c1e0c352d347 /drivers/misc/mediatek
parentf52ef5b1ce9c8c0214dcf58e28a579f7c4844cc3 (diff)
Security Patch: fix ioctl vulnerability for WMT_IOCTL_SET_PATCH_INFO
[Detail] If dowloadSeq is 0, it passes the error handling and causes a KE issue. [Solution] Add a condition that dowloadSeq cannot be equal to zero. CVE-2018-9397 Change-Id: I68a2d501c873c4d665634893066b6c0f03e1537c Signed-off-by: Ben Fennema <fennema@google.com>
Diffstat (limited to 'drivers/misc/mediatek')
-rw-r--r--drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
index d73e415bb..1f9072128 100644
--- a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
+++ b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
@@ -1198,10 +1198,11 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
iRet = -EFAULT;
break;
}
- if (wMtPatchInfo.dowloadSeq > pAtchNum) {
- WMT_ERR_FUNC("dowloadSeq would overflow\n");
- iRet = -EFAULT;
- break;
+ if (wMtPatchInfo.dowloadSeq > pAtchNum || wMtPatchInfo.dowloadSeq == 0) {
+ WMT_ERR_FUNC("dowloadSeq num(%u) > %u or == 0!\n", wMtPatchInfo.dowloadSeq, pAtchNum);
+ iRet = -EFAULT;
+ counter = 0;
+ break;
}
dWloadSeq = wMtPatchInfo.dowloadSeq;
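Review bot: The new guard on `wMtPatchInfo.dowloadSeq` carries no comment saying why 0 is rejected, and the added `counter = 0;` is unexplained; a line such as `/* dowloadSeq is 1-based: valid range is 1..pAtchNum */` above the `if` would keep the lower bound from being dropped in a later cleanup. Returning `-EFAULT` for an out-of-range value is also unconventional, since the preceding error path in this hunk returns the same code; `iRet = -EINVAL;` would let callers and logs tell a rejected sequence number from that earlier failure, though user space that checks the errno may need to be considered first. The code that consumes `dWloadSeq` lies outside the hunk, so it could not be confirmed here whether `pAtchNum` can change between this check and that use (for example through a concurrent ioctl on the same device); that is worth verifying, because the bound is only as good as the value it is compared against.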