From 8a177017a15a40228ea7fc7191f01ff943490552 Mon Sep 17 00:00:00 2001
From: Chin-Ting Kuo
Date: Wed, 27 Sep 2017 09:48:11 +0800
Subject: masp: fix ioctl: SEC_GET_RANDOM_ID memory check range

[Detail] Size of RID is 16 bytes instead of 4 bytes. Instead of using "unsigned int" as input type of _IOR(), a new struct "sec_rid" which is 16 bytes in size is declared and used in order to make memory access permission check range correct.
MTK-Commit-Id: 4e1c03ca23666da29bbcd024839de5ad8a3fa143
Change-Id: I892b71fb082b5b2335d29436fee1bc61cf14fc15
Signed-off-by: Chin-Ting Kuo
CR-Id: ALPS03523553
Feature: Vulnerability Scan
---
 drivers/misc/mediatek/masp/asfv2/asf_inc/sec_ioctl.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'drivers/misc')
diff --git a/drivers/misc/mediatek/masp/asfv2/asf_inc/sec_ioctl.h b/drivers/misc/mediatek/masp/asfv2/asf_inc/sec_ioctl.h
index c6b105074..89eee336b 100644
--- a/drivers/misc/mediatek/masp/asfv2/asf_inc/sec_ioctl.h
+++ b/drivers/misc/mediatek/masp/asfv2/asf_inc/sec_ioctl.h
@@ -1,11 +1,15 @@
 #ifndef SEC_IOCTL_H
 #define SEC_IOCTL_H

+struct sec_rid {
+ unsigned int rid_val[4];
+};
+
 /* use 's' as magic number */
 #define SEC_IOC_MAGIC 's'

 /* random id */
-#define SEC_GET_RANDOM_ID _IOR(SEC_IOC_MAGIC, 1, unsigned int)
+#define SEC_GET_RANDOM_ID _IOR(SEC_IOC_MAGIC, 1, struct sec_rid)

 /* secure boot init */
 #define SEC_BOOT_INIT _IOR(SEC_IOC_MAGIC, 2, unsigned int)
--
cgit v1.2.3
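Review bot: The access-check range now follows `sizeof(struct sec_rid)`, but nothing in this header ties that size to the number of bytes the SEC_GET_RANDOM_ID handler actually writes, which is the mismatch the commit message describes. The handler is not part of this diff, so it should be confirmed that it copies exactly `sizeof(struct sec_rid)` through `copy_to_user()` rather than a separately maintained length constant. Because the argument size is encoded in the `_IOR()` command number, the value of SEC_GET_RANDOM_ID changes with this patch, and user-space callers built against the old header will stop matching it unless they are rebuilt together. For a struct that crosses the user/kernel boundary I would also document it and pin the layout, e.g. `/* 16-byte random ID returned by SEC_GET_RANDOM_ID */` above `struct sec_rid` and `__u32 rid_val[4];` in place of `unsigned int`. The unchanged `SEC_BOOT_INIT` line, and any later commands outside the hunk, still declare `unsigned int` and are worth checking for the same size mismatch.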