Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2e3341d5 authored by Aditya Bavanari's avatar Aditya Bavanari Committed by Gerrit - the friendly Code Review server
Browse files

asoc: msm: add check for integer overflow 



Add check for integer overflow of user
supplied data for ADSP stream command.

CRs-Fixed: 2173850
Change-Id: Ic70093e890b7a6dd07529d77d10fff003282a8ea
Signed-off-by: default avatarAditya Bavanari <abavanar@codeaurora.org>
parent 4f19778e

asoc/msm-compress-q6-v2.c

+10 −0
Original line number Diff line number Diff line
@@ -3644,6 +3644,7 @@ static int msm_compr_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
	struct msm_compr_audio *prtd;

	int ret = 0;

	struct msm_adsp_event_data *event_data = NULL;

	uint64_t actual_payload_len = 0;



	if (fe_id >= MSM_FRONTEND_DAI_MAX) {

		pr_err("%s Received invalid fe_id %lu\n",
@@ -3681,6 +3682,15 @@ static int msm_compr_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}



	actual_payload_len = sizeof(struct msm_adsp_event_data) +

		event_data->payload_len;

	if (actual_payload_len >= U32_MAX) {

		pr_err("%s payload length 0x%X  exceeds limit",

				__func__, event_data->payload_len);

		ret = -EINVAL;

		goto done;

	}



	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

		pr_err("%s param length=%d  exceeds limit",

asoc/msm-pcm-q6-v2.c

+11 −1
Original line number Diff line number Diff line 
/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -1106,6 +1106,7 @@ static int msm_pcm_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
	struct msm_audio *prtd;

	int ret = 0;

	struct msm_adsp_event_data *event_data = NULL;

	uint64_t actual_payload_len = 0;



	if (!pdata) {

		pr_err("%s pdata is NULL\n", __func__);
@@ -1142,6 +1143,15 @@ static int msm_pcm_adsp_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}



	actual_payload_len = sizeof(struct msm_adsp_event_data) +

							event_data->payload_len;

	if (actual_payload_len >= U32_MAX) {

		pr_err("%s payload length 0x%X  exceeds limit",

			__func__, event_data->payload_len);

		ret = -EINVAL;

		goto done;

	}



	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

		pr_err("%s param length=%d  exceeds limit",

asoc/msm-transcode-loopback-q6-v2.c

+11 −1
Original line number Diff line number Diff line 
/* Copyright (c) 2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -502,6 +502,7 @@ static int msm_transcode_stream_cmd_put(struct snd_kcontrol *kcontrol, 
	struct msm_transcode_loopback *prtd;

	int ret = 0;

	struct msm_adsp_event_data *event_data = NULL;

	uint64_t actual_payload_len = 0;



	if (fe_id >= MSM_FRONTEND_DAI_MAX) {

		pr_err("%s Received invalid fe_id %lu\n",
@@ -539,6 +540,15 @@ static int msm_transcode_stream_cmd_put(struct snd_kcontrol *kcontrol, 
		goto done;

	}



	actual_payload_len = sizeof(struct msm_adsp_event_data) +

		event_data->payload_len;

	if (actual_payload_len >= U32_MAX) {

		pr_err("%s payload length 0x%X  exceeds limit",

				__func__, event_data->payload_len);

		ret = -EINVAL;

		goto done;

	}



	if ((sizeof(struct msm_adsp_event_data) + event_data->payload_len) >=

					sizeof(ucontrol->value.bytes.data)) {

		pr_err("%s param length=%d  exceeds limit",

dsp/q6asm.c

+12 −2
Original line number Diff line number Diff line
@@ -1183,7 +1183,9 @@ int q6asm_send_stream_cmd(struct audio_client *ac, 
{

	char *asm_params = NULL;

	struct apr_hdr hdr;

	int sz, rc;

	int rc;

	uint32_t sz = 0;

	uint64_t actual_sz = 0;



	if (!data || !ac) {

		pr_err("%s: %s is NULL\n", __func__,
@@ -1200,7 +1202,15 @@ int q6asm_send_stream_cmd(struct audio_client *ac, 
		goto done;

	}



	sz = sizeof(struct apr_hdr) + data->payload_len;

	actual_sz = sizeof(struct apr_hdr) + data->payload_len;

	if (actual_sz > U32_MAX) {

		pr_err("%s: payload size 0x%X exceeds limit\n",

				__func__, data->payload_len);

		rc = -EINVAL;

		goto done;

	}



	sz = (uint32_t)actual_sz;

	asm_params = kzalloc(sz, GFP_KERNEL);

	if (!asm_params) {

		rc = -ENOMEM;