Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d6a325f1 authored by Shalini Manjunatha's avatar Shalini Manjunatha Committed by Gerrit - the friendly Code Review server
Browse files

dsp: afe: check for param size before copying



Check for the proper param size before copying,
to avoid buffer overflow.

Change-Id: I70c52e6ab76f528ea3714784ab9013b070839c40
Signed-off-by: default avatarShalini Manjunatha <quic_c_shalma@quicinc.com>
parent cb026c53
Loading
Loading
Loading
Loading
+79 −0
Original line number Diff line number Diff line
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
 */
#include <linux/slab.h>
#include <linux/debugfs.h>
@@ -685,32 +686,74 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
	switch (param_hdr.param_id) {
	case AFE_PARAM_ID_CALIB_RES_CFG_V2:
		expected_size += sizeof(struct asm_calib_res_cfg);
		if (param_hdr.param_size != sizeof(struct asm_calib_res_cfg)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.calib_data;
		break;
	case AFE_PARAM_ID_SP_V2_TH_VI_FTM_PARAMS:
		expected_size += sizeof(struct afe_sp_th_vi_ftm_params);
		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_ftm_params)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.th_vi_resp;
		break;
	case AFE_PARAM_ID_SP_V2_TH_VI_V_VALI_PARAMS:
		expected_size += sizeof(struct afe_sp_th_vi_v_vali_params);
		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_v_vali_params)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.th_vi_v_vali_resp;
		break;
	case AFE_PARAM_ID_SP_V2_EX_VI_FTM_PARAMS:
		expected_size += sizeof(struct afe_sp_ex_vi_ftm_params);
		if (param_hdr.param_size != sizeof(struct afe_sp_ex_vi_ftm_params)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.ex_vi_resp;
		break;
	case AFE_PARAM_ID_SP_RX_TMAX_XMAX_LOGGING:
		expected_size += sizeof(
				struct afe_sp_rx_tmax_xmax_logging_param);
		if (param_hdr.param_size != sizeof(struct afe_sp_rx_tmax_xmax_logging_param)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.xt_logging_resp;
		break;
	case AFE_PARAM_ID_SP_V4_CALIB_RES_CFG:
		expected_size += sizeof(
				struct afe_sp_v4_param_th_vi_calib_res_cfg);
		if (param_hdr.param_size != sizeof(
				struct afe_sp_v4_param_th_vi_calib_res_cfg)) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		data_dest = (u32 *) &this_afe.spv4_calib_data;
		break;
	case AFE_PARAM_ID_SP_V4_TH_VI_FTM_PARAMS:
		num_ch = data_start[0];
		if (num_ch > SP_V2_NUM_MAX_SPKRS) {
			pr_err("%s: Error: num_ch %d is greater than expected\n",
				__func__,num_ch);
			return -EINVAL;
		}
		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_ftm_params) +
			(num_ch * sizeof(struct afe_sp_v4_channel_ftm_params)))) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		this_afe.spv4_th_vi_ftm_rcvd_param_size = param_hdr.param_size;
		data_dest = (u32 *)&this_afe.spv4_th_vi_ftm_resp;
		expected_size +=
@@ -719,6 +762,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
		break;
	case AFE_PARAM_ID_SP_V4_TH_VI_V_VALI_PARAMS:
		num_ch = data_start[0];
		if (num_ch > SP_V2_NUM_MAX_SPKRS) {
			pr_err("%s: Error: num_ch %d is greater than expected\n",
				__func__,num_ch);
			return -EINVAL;
		}
		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_v_vali_params) +
				(num_ch *
				sizeof(struct afe_sp_v4_channel_v_vali_params)))) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		this_afe.spv4_v_vali_rcvd_param_size = param_hdr.param_size;
		data_dest = (u32 *)&this_afe.spv4_v_vali_resp;
		expected_size +=
@@ -728,6 +783,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
		break;
	case AFE_PARAM_ID_SP_V4_EX_VI_FTM_PARAMS:
		num_ch = data_start[0];
		if (num_ch > SP_V2_NUM_MAX_SPKRS) {
			pr_err("%s: Error: num_ch %d is greater than expected\n",
				__func__,num_ch);
			return -EINVAL;
		}
		if (param_hdr.param_size !=  (sizeof(struct afe_sp_v4_param_ex_vi_ftm_params) +
				(num_ch *
				sizeof(struct afe_sp_v4_channel_ex_vi_ftm_params)))) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		this_afe.spv4_ex_vi_ftm_rcvd_param_size = param_hdr.param_size;
		data_dest = (u32 *)&this_afe.spv4_ex_vi_ftm_resp;
		expected_size +=
@@ -736,6 +803,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
		break;
	case AFE_PARAM_ID_SP_V4_RX_TMAX_XMAX_LOGGING:
		num_ch = data_start[0];
		if (num_ch > SP_V2_NUM_MAX_SPKRS) {
			pr_err("%s: Error: num_ch %d is greater than expected\n",
				__func__,num_ch);
			return -EINVAL;
		}
		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_tmax_xmax_logging) +
				(num_ch *
				sizeof(struct afe_sp_v4_channel_tmax_xmax_params)))) {
			pr_err("%s: Error: param_size %d is greater than expected\n",
				__func__,param_hdr.param_size);
			return -EINVAL;
		}
		this_afe.spv4_max_log_rcvd_param_size = param_hdr.param_size;
		data_dest = (u32 *)&this_afe.spv4_max_log_resp;
		expected_size +=