Commit 00f847b2 authored by Raza Kamal

Audio legacy: Integer overflow in msm_lsm_ioctl_compat during audio playback usecase.


size = sizeof(p_info_32) + p_info_32.param_size;
This overflow issue may result in a heap overflow while copying the data:
memcpy(param_info_rsp, &p_info_32, sizeof(p_info_32));

The validation check is added so that heap overflow can be avoided.

Change-Id: I11dcbe7ebb33e349dfd9f347f3ef25bc781075fc
Signed-off-by: Raza Kamal <quic_razkam@quicinc.com>
(cherry picked from commit 94d98318711f926bdeff0474d5970c18ee90f1a4)
parent 03fff182
+6 −1
@@ -2167,8 +2167,13 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
			prtd->lsm_client->get_param_payload = NULL;
			goto done;
		}
		if (__builtin_uadd_overflow(sizeof(p_info_32), p_info_32.param_size, &size)) {
			pr_err("%s: param size exceeds limit of %u bytes.\n",
				__func__, UINT_MAX);
			err = -EINVAL;
			goto done;
		}

		size = sizeof(p_info_32) + p_info_32.param_size;
		param_info_rsp = kzalloc(size, GFP_KERNEL);

		if (!param_info_rsp) {
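
Review bot: The new check ahead of `kzalloc()` only rejects a `p_info_32.param_size` that wraps the 32-bit sum; any value that fits is still accepted, so a size close to UINT_MAX goes straight into `kzalloc(size, GFP_KERNEL)` and the only remaining guard is the `if (!param_info_rsp)` test. Consider also rejecting `param_size` above the largest payload this ioctl is expected to return, and rewording the `pr_err` text, which currently reads as if UINT_MAX were an acceptable limit. Two smaller points: `__builtin_uadd_overflow` operates on `unsigned int` and the declaration of `size` is not visible in this hunk, so confirm the type matches or use the kernel's `check_add_overflow()` from `<linux/overflow.h>`; and if `size = sizeof(p_info_32) + p_info_32.param_size;` is still present after the check (the +/- markers are not shown in this rendering), drop it, since the builtin has already stored the sum in `size`.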