Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d6a325f1 authored by Shalini Manjunatha's avatar Shalini Manjunatha Committed by Gerrit - the friendly Code Review server
Browse files

dsp: afe: check for param size before copying 



Check for the proper param size before copying,
to avoid buffer overflow.

Change-Id: I70c52e6ab76f528ea3714784ab9013b070839c40
Signed-off-by: default avatarShalini Manjunatha <quic_c_shalma@quicinc.com>
parent cb026c53

dsp/q6afe.c

+79 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.

 */

#include <linux/slab.h>

#include <linux/debugfs.h>
@@ -685,32 +686,74 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
	switch (param_hdr.param_id) {

	case AFE_PARAM_ID_CALIB_RES_CFG_V2:

		expected_size += sizeof(struct asm_calib_res_cfg);

		if (param_hdr.param_size != sizeof(struct asm_calib_res_cfg)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.calib_data;

		break;

	case AFE_PARAM_ID_SP_V2_TH_VI_FTM_PARAMS:

		expected_size += sizeof(struct afe_sp_th_vi_ftm_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_ftm_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.th_vi_resp;

		break;

	case AFE_PARAM_ID_SP_V2_TH_VI_V_VALI_PARAMS:

		expected_size += sizeof(struct afe_sp_th_vi_v_vali_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_v_vali_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.th_vi_v_vali_resp;

		break;

	case AFE_PARAM_ID_SP_V2_EX_VI_FTM_PARAMS:

		expected_size += sizeof(struct afe_sp_ex_vi_ftm_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_ex_vi_ftm_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.ex_vi_resp;

		break;

	case AFE_PARAM_ID_SP_RX_TMAX_XMAX_LOGGING:

		expected_size += sizeof(

				struct afe_sp_rx_tmax_xmax_logging_param);

		if (param_hdr.param_size != sizeof(struct afe_sp_rx_tmax_xmax_logging_param)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.xt_logging_resp;

		break;

	case AFE_PARAM_ID_SP_V4_CALIB_RES_CFG:

		expected_size += sizeof(

				struct afe_sp_v4_param_th_vi_calib_res_cfg);

		if (param_hdr.param_size != sizeof(

				struct afe_sp_v4_param_th_vi_calib_res_cfg)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.spv4_calib_data;

		break;

	case AFE_PARAM_ID_SP_V4_TH_VI_FTM_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_ftm_params) +

			(num_ch * sizeof(struct afe_sp_v4_channel_ftm_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_th_vi_ftm_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_th_vi_ftm_resp;

		expected_size +=
@@ -719,6 +762,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_TH_VI_V_VALI_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_v_vali_params) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_v_vali_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_v_vali_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_v_vali_resp;

		expected_size +=
@@ -728,6 +783,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_EX_VI_FTM_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size !=  (sizeof(struct afe_sp_v4_param_ex_vi_ftm_params) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_ex_vi_ftm_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_ex_vi_ftm_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_ex_vi_ftm_resp;

		expected_size +=
@@ -736,6 +803,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_RX_TMAX_XMAX_LOGGING:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_tmax_xmax_logging) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_tmax_xmax_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_max_log_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_max_log_resp;

		expected_size +=