authorAshish Jain <ashishj@codeaurora.org>2016-04-15 15:33:14 +0530
committerJeevan Shriram <jshriram@codeaurora.org>2016-05-06 12:06:21 -0700
commit97a9be4c8b2575d7ed7b70b78051bc7c2743120d (patch)
treeaaf4fd45608d92c15ff90c5f144005e195b36465
parentad3a05df97d50bdc07c65a35a29f9e0a4efea2dc (diff)
ASoC: msm: qdsp6v2: DAP: Fix buffer overflow
Add check to avoid out of bound access. Check return value of get_user api. CRs-Fixed: 997025 Change-Id: Ibbace116ac206007fa1928555838285304737737 Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
-rw-r--r--sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
index 242dc5f4415d..ace747dd9bde 100644
--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
@@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
int ret = 0, port_id = 0;
int32_t data;
struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
- get_user(data, &dolby_data->data[0]);
+ if (get_user(data, &dolby_data->data[0])) {
+ pr_debug("%s error getting data\n", __func__);
+ ret = -EFAULT;
+ goto end;
+ }
pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
__func__, dolby_data->param_id, dolby_data->be_id,
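Review bot: The new -EFAULT path logs at `pr_debug` with the prefix `"%s error getting data\n"`, so a failed user copy is silent unless dynamic debug is enabled, and the format differs from both `"%s:error getting data\n"` in the msm_ds2_dap_set_param hunk and the `"%s: invalid length ..."` message there. Since the path is reached through a user-supplied pointer, a rate-limited error with one consistent prefix would serve both places, e.g. `pr_err_ratelimited("%s: error getting data\n", __func__);`. The `end` label and the rest of msm_ds2_dap_handle_commands are outside the hunk, so the cleanup reached by `goto end` cannot be checked from here.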
@@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
goto end;
}
+ off = ds2_dap_params_offset[idx];
+ if ((dolby_data->length <= 0) ||
+ (dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) {
+ pr_err("%s: invalid length %d at idx %d\n",
+ __func__, dolby_data->length, idx);
+ rc = -EINVAL;
+ goto end;
+ }
+
/* cache the parameters */
ds2_dap_params[cdev].dap_params_modified[idx] += 1;
for (j = 0; j < dolby_data->length; j++) {
- off = ds2_dap_params_offset[idx];
- get_user(data, &dolby_data->data[j]);
+ if (get_user(data, &dolby_data->data[j])) {
+ pr_debug("%s:error getting data\n", __func__);
+ rc = -EFAULT;
+ goto end;
+ }
ds2_dap_params[cdev].params_val[off + j] = data;
pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
__func__, off, data,
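Review bot: A get_user() failure inside the loop now jumps to `end` after `dap_params_modified[idx]` has already been incremented and after earlier iterations may have overwritten `params_val[off + j]`, so the cache can be left half-updated yet marked as modified. Moving `ds2_dap_params[cdev].dap_params_modified[idx] += 1;` below the loop would at least stop the counter from advertising a failed write; whether consumers of the cache tolerate partially written values cannot be seen from this hunk. The bound `dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off` is only sound if `off` never exceeds TOTAL_LENGTH_DS2_PARAM and both operands are signed, and a short comment stating that assumption next to the check would help, since the declarations and the table are outside the hunk. The function body starts before and continues after the lines shown.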