| author | Eddie Chen <eddie.chen@mediatek.com> | 2016-06-22 11:36:23 +0800 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-04-13 12:35:34 +0200 |
| commit | 81bcdfb07fd402a908a848e327652d433972412c (patch) | |
| tree | 8637d275367d628b0568fd2c24d42bf3697a20d7 /drivers/misc | |
| parent | 260c0c1a0a737c3a42de218b98f2f558d0c66320 (diff) | |
conn_soc: Security Vulnerability in Mediatek driver : arbitrary kernel write
google security issue fix
Bug num:25873324
Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606
Signed-off-by: Eddie Chen <eddie.chen@mediatek.com>
Signed-off-by: Mister Oyster <oysterized@gmail.com>
Diffstat (limited to 'drivers/misc')
| -rw-r--r-- | drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c b/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
index 8da624363..4ad18aacf 100644
--- a/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
+++ b/drivers/misc/mediatek/connectivity/common/conn_soc/linux/pri/wmt_dev.c
@@ -2108,21 +2108,27 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 break;
 case WMT_IOCTL_SET_PATCH_NUM:{
- pAtchNum = arg;
- if (pAtchNum == 0 || pAtchNum > MAX_PATCH_NUM) {
- WMT_ERR_FUNC("patch num(%d) == 0 or > %d!\n", pAtchNum, MAX_PATCH_NUM);
- iRet = -1;
+ UINT32 MAX_UINT = ~0;
+ UINT32 t_patchnum = arg;
+
+ if (t_patchnum <= 0) {
+ WMT_ERR_FUNC("patch num <= 0!\n");
+ break;
+ }
+
+ /* Verify that the amount of slots requested wont overflow */
+ if (t_patchnum >= (MAX_UINT / sizeof(WMT_PATCH_INFO))) {
+ WMT_ERR_FUNC("Patch num is too large!\n");
 break;
 }
- pPatchInfo = kcalloc(pAtchNum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC);
+ pPatchInfo = kcalloc(t_patchnum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC);
 if (!pPatchInfo) {
 WMT_ERR_FUNC("allocate memory fail!\n");
- iRet = -EFAULT;
 break;
 }
-
- WMT_DBG_FUNC(" get patch num from launcher = %d\n", pAtchNum);
+ pAtchNum = t_patchnum;
+ WMT_INFO_FUNC("get patch num from launcher = %d\n", pAtchNum);
 wmt_lib_set_patch_num(pAtchNum);
 }
 break;
@@ -2143,7 +2149,11 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 iRet = -EFAULT;
 break;
 }
-
+ if (wMtPatchInfo.dowloadSeq > pAtchNum) {
+ WMT_ERR_FUNC("dowloadSeq would overflow\n");
+ iRet = -EFAULT;
+ break;
+ }
 dWloadSeq = wMtPatchInfo.dowloadSeq;
 WMT_DBG_FUNC(
 "patch dl seq %d,name %s,address info 0x%02x,0x%02x,0x%02x,0x%02x\n", |
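Review bot: The new rejection paths in the SET_PATCH_NUM case (`if (t_patchnum <= 0)` and the `MAX_UINT / sizeof(WMT_PATCH_INFO)` guard) `break` without setting `iRet`, and the `iRet = -EFAULT;` on kcalloc failure is deleted, so unless `iRet` is preset to an error value outside the hunk the ioctl now reports success to userspace after refusing or failing the request; keep an error assignment before each `break`, e.g. `iRet = -EINVAL;` for the range checks and `iRet = -ENOMEM;` for the allocation failure. Dropping the old `pAtchNum > MAX_PATCH_NUM` bound in favour of an overflow-only check also lets a caller request a kcalloc of up to nearly 4 GB under GFP_ATOMIC, a memory-exhaustion vector; kcalloc already rejects multiplication overflow, so the meaningful limit is the small cap, e.g. `if (t_patchnum == 0 || t_patchnum > MAX_PATCH_NUM) { iRet = -EINVAL; break; }`. `t_patchnum <= 0` on an unsigned value is just `== 0`, and the repeated-call path overwrites `pPatchInfo` without freeing the previous allocation unless that is handled elsewhere in the function. WMT_unlocked_ioctl begins and ends outside the hunk.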
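Review bot: `if (wMtPatchInfo.dowloadSeq > pAtchNum)` in the second hunk only rejects values strictly larger than the slot count, so `dowloadSeq == pAtchNum` still passes; whether that is one past the end depends on how `dWloadSeq` indexes `pPatchInfo` further down, outside the hunk — if the access is `pPatchInfo[dWloadSeq]` the check must be `>=`, and if it is `pPatchInfo[dWloadSeq - 1]` then `dowloadSeq == 0` must also be rejected. There is also no check that `pPatchInfo` is non-NULL; if SET_PATCH_NUM was never issued, `pAtchNum` is presumably still zero and a `dowloadSeq` of 0 would reach the later write through a NULL pointer. A one-line comment stating the accepted range, e.g. `/* dowloadSeq is 1-based; valid range is [1, pAtchNum] */` (or the 0-based equivalent), would make the bound reviewable. The enclosing case and WMT_unlocked_ioctl extend past the hunk.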
