Security Patch: fix ioctl vulnerability for WMT_IOCTL_SET_PATCH_INFO [Detail] If dowloadSeq is 0, it'll pass the error handle and cause KE issue. [Solution] Add condition that downloadSeq can not equal to zero. CVE-2018-9397 Change-Id: I68a2d501c873c4d665634893066b6c0f03e1537c Signed-off-by: Ben Fennema <fennema@google.com>

commit: 4afa485f96571c751e4295b92effc95328c22b8b [log] [tgz]
author: David Chu <david.chu@mediatek.com> Mon Aug 06 17:58:30 2018 -0700
committer: Ben Fennema <fennema@google.com> Thu Aug 16 15:51:53 2018 -0700
tree: 3b004bc17c18fc68ecc079fafb3053c5488487f0
parent: f06e9a0a06f3bea41be2e5281d9b019786c4d1fe [diff]
diff --git a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
index 6e37522..15f8627 100644
--- a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
+++ b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c

@@ -1021,10 +1021,11 @@
 				iRet = -EFAULT;
 				break;
 			}
-			if (wMtPatchInfo.dowloadSeq > pAtchNum) {
-				 WMT_ERR_FUNC("dowloadSeq would overflow\n");
-				 iRet = -EFAULT;
-				 break;
+			if (wMtPatchInfo.dowloadSeq > pAtchNum || wMtPatchInfo.dowloadSeq == 0) {
+				WMT_ERR_FUNC("dowloadSeq num(%u) > %u or == 0!\n", wMtPatchInfo.dowloadSeq, pAtchNum);
+				iRet = -EFAULT;
+				counter = 0;
+				break;
 			}
 			dWloadSeq = wMtPatchInfo.dowloadSeq;
commit	4afa485f96571c751e4295b92effc95328c22b8b	[log] [tgz]
author	David Chu <david.chu@mediatek.com>	Mon Aug 06 17:58:30 2018 -0700
committer	Ben Fennema <fennema@google.com>	Thu Aug 16 15:51:53 2018 -0700
tree	3b004bc17c18fc68ecc079fafb3053c5488487f0
parent	f06e9a0a06f3bea41be2e5281d9b019786c4d1fe [diff]