From 68cd0ffd58c19350e772dd8e39793159c1e07a2d Mon Sep 17 00:00:00 2001
From: David Chu
Date: Mon, 6 Aug 2018 17:58:30 -0700
Subject: Security Patch: fix ioctl vulnerability for WMT_IOCTL_SET_PATCH_INFO

[Detail] If dowloadSeq is 0, it'll pass the error handle and cause KE issue.
[Solution] Add condition that downloadSeq can not equal to zero.
CVE-2018-9397
Change-Id: I68a2d501c873c4d665634893066b6c0f03e1537c
Signed-off-by: Ben Fennema
---
 drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
index d73e415bb..1f9072128 100644
--- a/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
+++ b/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c
@@ -1198,10 +1198,11 @@ long WMT_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 iRet = -EFAULT;
 break;
 }
- if (wMtPatchInfo.dowloadSeq > pAtchNum) {
- WMT_ERR_FUNC("dowloadSeq would overflow\n");
- iRet = -EFAULT;
- break;
+ if (wMtPatchInfo.dowloadSeq > pAtchNum || wMtPatchInfo.dowloadSeq == 0) {
+ WMT_ERR_FUNC("dowloadSeq num(%u) > %u or == 0!\n", wMtPatchInfo.dowloadSeq, pAtchNum);
+ iRet = -EFAULT;
+ counter = 0;
+ break;
 }
 dWloadSeq = wMtPatchInfo.dowloadSeq;
-- 
cgit v1.2.3
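Review bot: The rejected-range branch returns `-EFAULT`, the same code as the `iRet = -EFAULT; break;` context path just above it, so a caller or log reader cannot tell that failure from an out-of-range `dowloadSeq`; `iRet = -EINVAL;` is the conventional errno for a value that fails validation, unless existing user space depends on the old code. The added `counter = 0;` is reset only on this path and not on the error path above, and nothing in the hunk says why; a one-line comment such as `/* restart patch-info collection after a rejected entry */` would help if that is the intent. The check reads `pAtchNum` once, so if another ioctl can change `pAtchNum` or the patch table concurrently (not visible here), the later use of `dWloadSeq` needs to happen under the same lock as the check. The body of WMT_unlocked_ioctl starts and ends outside the hunk.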