Security Patch: fix ioctl vulnerability for WMT_IOCTL_SET_PATCH_INFO
[Detail]
If dowloadSeq is 0, it'll pass the error handling and cause a KE issue.
[Solution]
Add a condition that downloadSeq cannot be equal to zero.
CVE-2018-9397
Change-Id: I68a2d501c873c4d665634893066b6c0f03e1537c
Signed-off-by: Ben Fennema <fennema@google.com>
diff --git a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
index 6e37522..15f8627 100644
--- a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
+++ b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
@@ -1021,10 +1021,11 @@
iRet = -EFAULT;
break;
}
- if (wMtPatchInfo.dowloadSeq > pAtchNum) {
- WMT_ERR_FUNC("dowloadSeq would overflow\n");
- iRet = -EFAULT;
- break;
+ if (wMtPatchInfo.dowloadSeq > pAtchNum || wMtPatchInfo.dowloadSeq == 0) {
+ WMT_ERR_FUNC("dowloadSeq num(%u) > %u or == 0!\n", wMtPatchInfo.dowloadSeq, pAtchNum);
+ iRet = -EFAULT;
+ counter = 0;
+ break;
}
dWloadSeq = wMtPatchInfo.dowloadSeq;
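Review bot: the `counter = 0;` added to the rejection branch is not covered by the commit message, which only describes refusing a zero dowloadSeq, and the hunk shows neither what `counter` tracks nor why it has to be reset here. Please add a short comment on that line, or mention it in the commit message, stating which state is being reset and whether the earlier copy-failure branch above (which also sets `iRet = -EFAULT` and breaks) needs the same reset. Two smaller points on the same branch: a value that is out of range is a bad argument rather than a bad user pointer, so `-EINVAL` would describe it better than `-EFAULT`; and since the accepted range is now 1..pAtchNum, a one-line comment that dowloadSeq is 1-based would make the lower bound obvious to the next reader of `dWloadSeq = wMtPatchInfo.dowloadSeq;`.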