diff options
| author | Eddie Chen <eddie.chen@mediatek.com> | 2016-06-22 11:36:23 +0800 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-04-13 12:35:28 +0200 |
| commit | 082980248cf1b95608086201c76dffb644fa99f0 (patch) | |
| tree | 83c983934a04d6e2231c7649c3fda4e7565ee776 /drivers | |
| parent | d9e65f7fa127746f4deabd3cbc223f56ee21029a (diff) | |
Security Vulnerability in Mediatek driver : arbitrary kernel write
google security issue fix
Bug num:25873324
Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606
Signed-off-by: Eddie Chen <eddie.chen@mediatek.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c index 7ab1e9ba6..d73e415bb 100644 --- a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c +++ b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c @@ -1157,29 +1157,27 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) break; case WMT_IOCTL_SET_PATCH_NUM:{ - pAtchNum = arg; - WMT_INFO_FUNC(" get patch num from launcher = %d\n", pAtchNum); + UINT32 MAX_UINT = ~0; + UINT32 t_patchnum = arg; - if (pAtchNum > 0 && pAtchNum < WMT_MAX_PATCH_NUM) { - - wmt_lib_set_patch_num(pAtchNum); + if (t_patchnum <= 0) { + WMT_ERR_FUNC("patch num <= 0!\n"); + break; + } - if (!pPatchInfo) { - pPatchInfo = kzalloc(sizeof(WMT_PATCH_INFO) * pAtchNum, GFP_ATOMIC); - } else { - WMT_ERR_FUNC("pPatchInfo!=NULL before alloc\n"); - break; - } - } else { - WMT_ERR_FUNC("patch num == 0! or > MAX patch number\n"); + /* Verify that the amount of slots requested wont overflow */ + if (t_patchnum >= (MAX_UINT / sizeof(WMT_PATCH_INFO))) { + WMT_ERR_FUNC("Patch num is too large!\n"); + break; } + + pPatchInfo = kcalloc(t_patchnum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC); if (!pPatchInfo) { WMT_ERR_FUNC("allocate memory fail!\n"); - iRet = -EFAULT; break; } - - WMT_INFO_FUNC(" get patch num from launcher = %d\n", pAtchNum); + pAtchNum = t_patchnum; + WMT_INFO_FUNC("get patch num from launcher = %d\n", pAtchNum); wmt_lib_set_patch_num(pAtchNum); } break; @@ -1200,7 +1198,11 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) iRet = -EFAULT; break; } - + if (wMtPatchInfo.dowloadSeq > pAtchNum) { + WMT_ERR_FUNC("dowloadSeq would overflow\n"); + iRet = -EFAULT; + break; + } dWloadSeq = wMtPatchInfo.dowloadSeq; wMtPatchInfo.patchName[sizeof(wMtPatchInfo.patchName)-1] = '\0'; |