Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a69e001b authored by Soumya Managoli's avatar Soumya Managoli
Browse files

ASoC: Resolve use after free in listen sound client 



Updated get_param_payload buffer ptr to NULL
after free to avoid use after free issue.

Change-Id: I86da8c12a0bdccce690f67b037198b67640e339b
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent ba56a640

asoc/msm-lsm-client.c

+7 −1
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.

 */

#include <linux/init.h>

#include <linux/err.h>
@@ -2325,6 +2325,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
	case SNDRV_LSM_GET_MODULE_PARAMS_32: {

		struct lsm_params_get_info_32 p_info_32, *param_info_rsp = NULL;

		struct lsm_params_get_info *p_info = NULL;

		prtd->lsm_client->get_param_payload = NULL;



		memset(&p_info_32, 0 , sizeof(p_info_32));

		if (!prtd->lsm_client->use_topology) {
@@ -2375,6 +2376,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				__func__, err);

			kfree(p_info);

			kfree(prtd->lsm_client->get_param_payload);

			prtd->lsm_client->get_param_payload = NULL;

			goto done;

		}
@@ -2385,6 +2387,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			err = -ENOMEM;

			kfree(p_info);

			kfree(prtd->lsm_client->get_param_payload);

			prtd->lsm_client->get_param_payload = NULL;

			goto done;

		}
@@ -2409,6 +2412,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		kfree(p_info);

		kfree(param_info_rsp);

		kfree(prtd->lsm_client->get_param_payload);

		prtd->lsm_client->get_param_payload = NULL;

		break;

	}

	case SNDRV_LSM_REG_SND_MODEL_V2:
@@ -2635,6 +2639,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 


	case SNDRV_LSM_GET_MODULE_PARAMS: {

		struct lsm_params_get_info temp_p_info, *p_info = NULL;

		prtd->lsm_client->get_param_payload = NULL;



		memset(&temp_p_info, 0, sizeof(temp_p_info));

		if (!prtd->lsm_client->use_topology) {
@@ -2706,6 +2711,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
free:

		kfree(p_info);

		kfree(prtd->lsm_client->get_param_payload);

		prtd->lsm_client->get_param_payload = NULL;

		break;

	}

	case SNDRV_LSM_EVENT_STATUS: