Security Vulnerability in Mediatek driver : arbitrary kernel write

google security issue fix

Bug num:25873324

Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606
Signed-off-by: Eddie Chen <eddie.chen@mediatek.com>
diff --git a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
index 4eaeb0c..6e37522 100644
--- a/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
+++ b/drivers/misc/mediatek/combo/common/linux/wmt_dev.c
@@ -981,26 +981,28 @@
 		break;
 
 	case WMT_IOCTL_SET_PATCH_NUM:{
-			pAtchNum = arg;
-			WMT_INFO_FUNC(" get patch num from launcher = %d\n", pAtchNum);
+			UINT32 MAX_UINT = ~0;
+			UINT32 t_patchnum = arg;
 
-			if (pAtchNum > 0 && pAtchNum < WMT_MAX_PATCH_NUM) {
-
-				wmt_lib_set_patch_num(pAtchNum);
-
-				if (!pPatchInfo) {
-					pPatchInfo = kzalloc(sizeof(WMT_PATCH_INFO) * pAtchNum, GFP_ATOMIC);
-				} else {
-					WMT_ERR_FUNC("pPatchInfo!=NULL before alloc\n");
-					break;
-				}
-			} else {
-				WMT_ERR_FUNC("patch num == 0! or > MAX patch number\n");
+			if (t_patchnum <= 0) {
+				WMT_ERR_FUNC("patch num <= 0!\n");
+				break;
 			}
+
+			/* Verify that the amount of slots requested wont overflow */
+			if (t_patchnum >= (MAX_UINT / sizeof(WMT_PATCH_INFO))) {
+				WMT_ERR_FUNC("Patch num is too large!\n");
+				break;
+			}
+
+			pPatchInfo = kcalloc(t_patchnum, sizeof(WMT_PATCH_INFO), GFP_ATOMIC);
 			if (!pPatchInfo) {
 				WMT_ERR_FUNC("allocate memory fail!\n");
 				break;
 			}
+			pAtchNum = t_patchnum;
+			WMT_INFO_FUNC("get patch num from launcher = %d\n", pAtchNum);
+			wmt_lib_set_patch_num(pAtchNum);
 		}
 		break;
 
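Review bot: The rewritten WMT_IOCTL_SET_PATCH_NUM case drops two guards the old code had: the `pAtchNum < WMT_MAX_PATCH_NUM` upper bound and the refusal to allocate when pPatchInfo is already set. Without the second, a repeated ioctl overwrites pPatchInfo and leaks the earlier buffer; without the first, the caller-supplied `arg` sizes a GFP_ATOMIC allocation of up to just under 4 GiB. kcalloc already rejects a multiplication overflow, so the MAX_UINT test can become `if (t_patchnum == 0 || t_patchnum >= WMT_MAX_PATCH_NUM)`, and `if (pPatchInfo) { WMT_ERR_FUNC("pPatchInfo!=NULL before alloc\n"); break; }` should go back ahead of the kcalloc. Note also that `t_patchnum <= 0` on a UINT32 only ever tests for zero. The enclosing switch starts and ends outside the hunk, so any locking around pPatchInfo and pAtchNum cannot be judged from here.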
@@ -1019,7 +1021,11 @@
 				iRet = -EFAULT;
 				break;
 			}
-
+			if (wMtPatchInfo.dowloadSeq > pAtchNum) {
+				 WMT_ERR_FUNC("dowloadSeq would overflow\n");
+				 iRet = -EFAULT;
+				 break;
+			}
 			dWloadSeq = wMtPatchInfo.dowloadSeq;
 
 			wMtPatchInfo.patchName[sizeof(wMtPatchInfo.patchName)-1] = '\0';
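Review bot: The added bound `wMtPatchInfo.dowloadSeq > pAtchNum` leaves one boundary value open whichever way dWloadSeq is later used to index pPatchInfo, and that use is outside the hunk. If the table is indexed as `dWloadSeq - 1`, a value of 0 passes the check and lands before the buffer; if it is indexed directly, a value equal to pAtchNum is one slot past the end. The check also passes when WMT_IOCTL_SET_PATCH_NUM has not succeeded yet and pPatchInfo is presumably still NULL. For the 1-based case I would write `if (!pPatchInfo || wMtPatchInfo.dowloadSeq == 0 || wMtPatchInfo.dowloadSeq > pAtchNum)`. I would also return -EINVAL rather than -EFAULT, since this is a range error and not a bad user pointer.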