Fix "Information disclosure vulnerability in MediaTek driver"

CVE-2017-0529

1 files changed, 14 insertions, 93 deletions

diff --git a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
index f65f2e89e..4e0bbaa5f 100644
--- a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
+++ b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
@@ -78,7 +78,6 @@ BOOL fbconfig_start_LCM_config;
 #define FB_GET_MISC FBCONFIG_IOR(80, unsigned int)
 
 #define DP_COLOR_BITS_PER_PIXEL(color)    ((0x0003FF00 & color) >>  8)
-static int global_layer_id = -1;
 
 struct dentry *ConfigPara_dbgfs = NULL;
 CONFIG_RECORD_LIST head_list ;
@@ -418,99 +417,22 @@ static long fbconfig_ioctl(struct file * file, unsigned int cmd, unsigned long a
         }else
             PanelMaster_DSI_set_timing(dsi_id,timing);		
         return 0 ;
-     }	 
+     }
      case FB_LAYER_GET_EN:
      {   
-            PM_LAYER_EN layers;
-			OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM];
-			ovl_get_info(0, ovl_all);
-			layers.layer_en[0]= (ovl_all[0].layer_en? 1:0);
-			layers.layer_en[1]= (ovl_all[1].layer_en? 1:0);
-			layers.layer_en[2]= (ovl_all[2].layer_en? 1:0);
-			layers.layer_en[3]= (ovl_all[3].layer_en? 1:0);
-#ifdef OVL_CASCADE_SUPPORT			
-			layers.layer_en[4]= (ovl_all[4].layer_en? 1:0);
-			layers.layer_en[5]= (ovl_all[5].layer_en? 1:0);
-			layers.layer_en[6]= (ovl_all[6].layer_en? 1:0);
-			layers.layer_en[7]= (ovl_all[7].layer_en? 1:0);
-#endif			
-            printk("[LAYER_GET_EN]:L0:%d L1:%d L2:%d L3:%d\n",ovl_all[0].layer_en,ovl_all[1].layer_en,ovl_all[2].layer_en,ovl_all[3].layer_en);
-            return copy_to_user(argp, &layers,  sizeof(layers)) ? -EFAULT : 0;
-        }
-        case FB_LAYER_GET_INFO:
-        {
-		    PM_LAYER_INFO layer_info;
-			OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM];
-			if(copy_from_user(&layer_info,(void __user*)argp,sizeof(layer_info)))
-            {
-                    printk("[TE_SET_ENABLE]: copy_from_user failed! line:%d \n", __LINE__);
-                    return -EFAULT;
-            }
-			global_layer_id = layer_info.index;
-			ovl_get_info(0, ovl_all);
-		    layer_info.height = ovl_all[layer_info.index].src_h;
-			layer_info.width =  ovl_all[layer_info.index].src_w;
-			layer_info.fmt = DP_COLOR_BITS_PER_PIXEL(ovl_all[layer_info.index].fmt);         
-		    layer_info.layer_size = ovl_all[layer_info.index].src_pitch* ovl_all[layer_info.index].src_h;
-			  printk("===>: layer_size:0x%x height:%d \n",layer_info.layer_size,layer_info.height);
-			  printk("===>: width:%d src_pitch:%d \n",layer_info.width,ovl_all[layer_info.index].src_pitch);
-			  printk("===>: layer_id:%d fmt:%d\n",global_layer_id,layer_info.fmt);
-			  printk("===>: layer_en:%d \n",(ovl_all[layer_info.index].layer_en));
-			if((layer_info.height == 0)||(layer_info.width ==0)||(ovl_all[layer_info.index].layer_en ==0))
-			{
-			 printk("===> is 000 Errorrrr!!\n");
-			return -2 ;			
-			}
-		    else			    
-			    return copy_to_user(argp, &layer_info,  sizeof(layer_info)) ? -EFAULT : 0;
-			   
-        }
-        case FB_LAYER_DUMP:
-        {
-            int layer_size;	
-            int ret =0;
-            unsigned long kva =0;
-			unsigned int mva ;
-            unsigned int mapped_size = 0 ;	
-			unsigned int real_mva=0;
-			unsigned int real_size=0;
-			OVL_BASIC_STRUCT ovl_all[OVL_LAYER_NUM];			
-			ovl_get_info(0, ovl_all);
-			layer_size = ovl_all[global_layer_id].src_pitch * ovl_all[global_layer_id].src_h ;
-            mva =  ovl_all[global_layer_id].addr ;
-            printk("layer_size=%d, src_pitch=%d, h=%d, mva=0x%x, \n",
-                layer_size, ovl_all[global_layer_id].src_pitch, ovl_all[global_layer_id].src_h, mva);	
-
-            if((layer_size !=0)&&(ovl_all[global_layer_id].layer_en !=0))
-            {
-               // printk("sxk==>FB_LAYER_DUMP==>layer_size is %d   mva is 0x%x\n",layer_size,mva);
-				extern int m4u_query_mva_info(unsigned int mva, unsigned int size, unsigned int *real_mva, unsigned int *real_size);
-				ret=m4u_query_mva_info(mva, layer_size,&real_mva,&real_size);
-				if(ret<0)
-				{	
-					printk("m4u_query_mva_info error:mva is 0x%x layer size is %d\n",mva,layer_size);	
-					return ret;
-				}
-                ret=m4u_mva_map_kernel( real_mva, real_size, &kva, &mapped_size);		
-				if(ret<0)
-				{
-					printk("m4u_mva_map_kernel error: ret=%d 0x%x %d\r\n",ret,real_mva,real_size);					
-					return ret;
-				}
-				if(layer_size>mapped_size)
-				{
-					printk("==>layer size(0x%x)>mapped size(0x%x)!!!",layer_size,mapped_size);
-					return -EFAULT;
-				}
-                printk("==> addr from user space is 0x%p\n", argp);
-                printk("==> kva is 0x%lx real_mva %x mva %x mmaped size is %dlayer_size is %d\n",kva,real_mva,mva,mapped_size,layer_size);
-                ret = copy_to_user(argp, (void *)kva+(mva-real_mva),  layer_size-(mva-real_mva)) ? -EFAULT : 0;
-                m4u_mva_unmap_kernel(real_mva, real_size, kva);
-                return ret ;
-            }
-            else
-                return -2 ;
-        }	        
+        pr_debug("[FB_LAYER_GET_EN] not supported anymore\n");
+        return 0;
+     }
+     case FB_LAYER_GET_INFO:
+     {
+        pr_debug("[FB_LAYER_GET_INFO] not supported anymore\n");
+        return 0;
+     }
+     case FB_LAYER_DUMP:
+     {
+        pr_debug("[FB_LAYER_DUMP] not supported anymore\n");
+        return 0;
+     }
 	case LCM_GET_ESD:
 	{
 		ESD_PARA esd_para ;
@@ -596,4 +518,3 @@ void PanelMaster_Deinit(void)
 {
     debugfs_remove(ConfigPara_dbgfs);
 }
-