ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start.

There is no error check for case when hpcm_start is called for the same RX or TX tap points multiple times. This can result in OOB access of struct vss_ivpcm_tap_point. Handle this scenario with appropriate no_of_tp check. Change-Id: Ib384d21c9bf372f3e5d78f64b5c056e836728399 Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com> (cherry picked from commit 521277c4c3ffc4a3f4a232de41cfa4fc7b6aaa35)
author: Soumya Managoli <quic_c_smanag@quicinc.com> 2023-08-17 17:30:33 +0530
committer: Georg Veichtlbauer <georg@vware.at> 2023-11-08 17:53:52 +0100
commit: 2819983a37389edcd23c2f5c2ee510b5ee35c8a7 (patch)
tree: af8d271731d1c65ced31aa945124fdb13f3b0f09
parent: d6df26ee1bbb50a4362daa182185f3f85c604d7e (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
index 495d8b9e9354..6dc8289ffce1 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
@@ -645,6 +645,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd,
 		}
 	}
 
+	if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) {
+		pr_err("%s:: Invalid hpcm start request\n", __func__);
+		memset(&prtd->start_cmd, 0, sizeof(struct start_cmd));
+		return -EINVAL;
+	}
+
 	if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) &&
 	    *no_of_tp == no_of_tp_req) {
 		voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name),
author	Soumya Managoli <quic_c_smanag@quicinc.com>	2023-08-17 17:30:33 +0530
committer	Georg Veichtlbauer <georg@vware.at>	2023-11-08 17:53:52 +0100
commit	2819983a37389edcd23c2f5c2ee510b5ee35c8a7 (patch)
tree	af8d271731d1c65ced31aa945124fdb13f3b0f09
parent	d6df26ee1bbb50a4362daa182185f3f85c604d7e (diff)