From 1673c4655d020fc9be4eb71bca28975d5c7ca7c7 Mon Sep 17 00:00:00 2001 From: Karthik Reddy Katta Date: Tue, 3 Jan 2017 11:09:05 +0530 Subject: drivers: soc: qcom: Add overflow check in ADM driver Add overflow check for param length to prevent heap overflow while allocating memory for ADM parameters. CRs-Fixed: 1103334 Change-Id: I1163aeaabbc84dba4cd0739a35ecbdee18b42717 Signed-off-by: Karthik Reddy Katta --- sound/soc/msm/qdsp6v2/q6adm.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'sound') diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c index 04eafdb240f2..163ebf1a18cf 100644 --- a/sound/soc/msm/qdsp6v2/q6adm.c +++ b/sound/soc/msm/qdsp6v2/q6adm.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -978,9 +978,10 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id, char *params, uint32_t client_id) { struct adm_cmd_get_pp_params_v5 *adm_params = NULL; - int sz, rc = 0, i = 0; + int rc = 0, i = 0; int port_idx, idx; int *params_data = (int *)params; + uint64_t sz = 0; port_id = afe_convert_virtual_to_portid(port_id); port_idx = adm_validate_and_get_port_index(port_id); @@ -989,7 +990,16 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id, return -EINVAL; } - sz = sizeof(struct adm_cmd_get_pp_params_v5) + params_length; + sz = (uint64_t)sizeof(struct adm_cmd_get_pp_params_v5) + + (uint64_t)params_length; + /* + * Check if the value of "sz" (which is ultimately assigned to + * "hdr.pkt_size") crosses U16_MAX. + */ + if (sz > U16_MAX) { + pr_err("%s: Invalid params_length\n", __func__); + return -EINVAL; + } adm_params = kzalloc(sz, GFP_KERNEL); if (!adm_params) { pr_err("%s: adm params memory alloc failed", __func__); -- cgit v1.2.3