Fix "Security Vulnerability - arbitrary address write ddp_drv.c" issue

Problem: user input parameter without validation Solution: Remove legacy code to prevent buffer overflow Bug num:28402341 Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com> (cherry picked from commit 76884c3948a5896c7d724a6852e9f8d1403fa9d0) Change-Id: I77467ae0c0652c7f44238b0320a1a6fef71c0d97 Ticket: PORRIDGE-398
author: yang-cy.chen <yang-cy.chen@mediatek.com> 2016-05-20 18:38:34 +0800
committer: Moyster <oysterized@gmail.com> 2016-11-07 13:46:49 +0100
commit: 7eb9f26b811bf92d852fe83bbcd8fe8befb9b5b6 (patch)
tree: 463bb4f2b8731a16d5417e2429a1782ef7f5be1a /drivers/misc
parent: 50215402c2b90b3af0fdbe72409401d86ec8be1c (diff)
4 files changed, 0 insertions, 52 deletions
diff --git a/drivers/misc/mediatek/dispsys/mt6735/ddp_color.c b/drivers/misc/mediatek/dispsys/mt6735/ddp_color.c
index 19021856e..6724d6f1c 100644
--- a/drivers/misc/mediatek/dispsys/mt6735/ddp_color.c
+++ b/drivers/misc/mediatek/dispsys/mt6735/ddp_color.c
@@ -1607,53 +1607,6 @@ static int _color_io(DISP_MODULE_ENUM module, int msg, unsigned long arg, void *
             break;
         }
 
-        case DISP_IOCTL_WRITE_REG:
-        {
-            DISP_WRITE_REG wParams;
-            unsigned int ret;
-            unsigned long va;
-            unsigned int pa;
-
-            if(copy_from_user(&wParams, (void *)arg, sizeof(DISP_WRITE_REG)))
-            {
-                COLOR_ERR("DISP_IOCTL_WRITE_REG, copy_from_user failed\n");
-                return -EFAULT;
-            }
-
-            pa = (unsigned int)wParams.reg;
-            va = color_pa2va(pa);
-
-            ret = color_is_reg_addr_valid(va);
-            if(ret == 0)
-            {
-                COLOR_ERR("reg write, addr invalid, pa:0x%x(va:0x%lx) \n", pa, va);
-                return -EFAULT;
-            }
-
-            // if TDSHP, write PA directly
-            if (ret == 2)
-            {
-                if(cmdq == NULL)
-                {
-                    mt_reg_sync_writel((unsigned int)(INREG32(va)&~(wParams.mask))|(wParams.val),(volatile unsigned long*)(va) );\
-                }
-                else
-                {
-                    //cmdqRecWrite(cmdq, TDSHP_PA_BASE + (wParams.reg - g_tdshp_va), wParams.val, wParams.mask);
-                    cmdqRecWrite(cmdq, pa, wParams.val, wParams.mask);
-                }
-            }
-            else
-            {
-                _color_reg_mask(cmdq, va, wParams.val, wParams.mask);
-            }
-
-            COLOR_NLOG("write pa:0x%x(va:0x%lx) = 0x%x (0x%x)\n", pa, va, wParams.val, wParams.mask);
-
-            break;
-
-        }
-
         case DISP_IOCTL_READ_SW_REG:
         {
             DISP_READ_REG rParams;
diff --git a/drivers/misc/mediatek/dispsys/mt6735/ddp_drv.h b/drivers/misc/mediatek/dispsys/mt6735/ddp_drv.h
index c444e300b..3fd80d8f0 100644
--- a/drivers/misc/mediatek/dispsys/mt6735/ddp_drv.h
+++ b/drivers/misc/mediatek/dispsys/mt6735/ddp_drv.h
@@ -185,7 +185,6 @@ typedef enum
 
 #define DISP_IOCTL_MAGIC        'x'
 
-#define DISP_IOCTL_WRITE_REG       _IOW     (DISP_IOCTL_MAGIC, 1, DISP_WRITE_REG)   // also defined in atci_pq_cmd.h
 #define DISP_IOCTL_READ_REG        _IOWR    (DISP_IOCTL_MAGIC, 2, DISP_READ_REG)    // also defined in atci_pq_cmd.h
 //#define DISP_IOCTL_WAIT_IRQ        _IOR     (DISP_IOCTL_MAGIC, 3, disp_wait_irq_struct)
 #define DISP_IOCTL_DUMP_REG        _IOR     (DISP_IOCTL_MAGIC, 4, int)
diff --git a/drivers/misc/mediatek/dispsys/mt6735/ddp_manager.c b/drivers/misc/mediatek/dispsys/mt6735/ddp_manager.c
index 2b697f6d5..8dc084ad4 100644
--- a/drivers/misc/mediatek/dispsys/mt6735/ddp_manager.c
+++ b/drivers/misc/mediatek/dispsys/mt6735/ddp_manager.c
@@ -1662,7 +1662,6 @@ int dpmgr_path_user_cmd(disp_path_handle dp_handle, int msg, unsigned long arg,
         case DISP_IOCTL_GET_PQ_GAL_PARAM:
         case DISP_IOCTL_PQ_SET_BYPASS_COLOR:
         case DISP_IOCTL_PQ_SET_WINDOW:
-        case DISP_IOCTL_WRITE_REG:
         case DISP_IOCTL_READ_REG:
         case DISP_IOCTL_MUTEX_CONTROL:
         case DISP_IOCTL_PQ_GET_TDSHP_FLAG:
diff --git a/drivers/misc/mediatek/videox/mt6735/mtk_disp_mgr.c b/drivers/misc/mediatek/videox/mt6735/mtk_disp_mgr.c
index 563f419f5..3632bd2f5 100644
--- a/drivers/misc/mediatek/videox/mt6735/mtk_disp_mgr.c
+++ b/drivers/misc/mediatek/videox/mt6735/mtk_disp_mgr.c
@@ -2667,8 +2667,6 @@ const char* _session_ioctl_spy(unsigned int cmd)
 				return "DISP_IOCTL_PQ_SET_BYPASS_COLOR";
 	    	case DISP_IOCTL_PQ_SET_WINDOW:
 				return "DISP_IOCTL_PQ_SET_WINDOW";
-    		case DISP_IOCTL_WRITE_REG:
-				return "DISP_IOCTL_WRITE_REG";
     		case DISP_IOCTL_READ_REG:
 				return "DISP_IOCTL_READ_REG";
     		case DISP_IOCTL_MUTEX_CONTROL:
@@ -2785,7 +2783,6 @@ long mtk_disp_mgr_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	    case DISP_IOCTL_PQ_SET_BYPASS_COLOR:
 	    case DISP_IOCTL_PQ_SET_WINDOW:
 	    case DISP_IOCTL_OD_CTL:
-	    case DISP_IOCTL_WRITE_REG:
 	    case DISP_IOCTL_READ_REG:
 	    case DISP_IOCTL_MUTEX_CONTROL:
 	    case DISP_IOCTL_PQ_GET_TDSHP_FLAG:
author	yang-cy.chen <yang-cy.chen@mediatek.com>	2016-05-20 18:38:34 +0800
committer	Moyster <oysterized@gmail.com>	2016-11-07 13:46:49 +0100
commit	7eb9f26b811bf92d852fe83bbcd8fe8befb9b5b6 (patch)
tree	463bb4f2b8731a16d5417e2429a1782ef7f5be1a /drivers/misc
parent	50215402c2b90b3af0fdbe72409401d86ec8be1c (diff)