| author | Linux Build Service Account <lnxbuild@localhost> | 2018-06-03 19:10:46 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-06-03 19:10:45 -0700 |
| commit | 3c78eaa8124c0aa8a1872becc113c904453b5067 (patch) | |
| tree | 50dd9428c48a7df2ce5b50e99377c89b6bfb7a61 | |
| parent | fd95dadf54bf08e910a4cad0bbce8d25e8813429 (diff) | |
| parent | 49662914af86d4b7ef721a87c07f1dbff8c96387 (diff) | |
Merge "soc: msm: add size check to fix out of bounds on ANC"
| -rw-r--r-- | drivers/soc/qcom/qdsp6v2/audio_anc.c | 20 | ||||
| -rw-r--r-- | include/uapi/linux/msm_audio_anc.h | 7 |
2 files changed, 19 insertions, 8 deletions
diff --git a/drivers/soc/qcom/qdsp6v2/audio_anc.c b/drivers/soc/qcom/qdsp6v2/audio_anc.c
index e0abd2b58027..65c585886453 100644
--- a/drivers/soc/qcom/qdsp6v2/audio_anc.c
+++ b/drivers/soc/qcom/qdsp6v2/audio_anc.c
@@ -53,6 +53,9 @@ static size_t get_user_anc_cmd_size(int32_t anc_cmd)
 case ANC_CMD_ALGO_MODULE:
 size = sizeof(struct audio_anc_algo_module_info);
 break;
+ case ANC_CMD_ALGO_CALIBRATION:
+ size = sizeof(struct audio_anc_algo_calibration_info);
+ break;
 default:
 pr_err("%s:Invalid anc cmd %d!",
 __func__, anc_cmd);
@@ -77,6 +80,7 @@ static int call_set_anc(int32_t anc_cmd,
 case ANC_CMD_RPM:
 case ANC_CMD_BYPASS_MODE:
 case ANC_CMD_ALGO_MODULE:
+ case ANC_CMD_ALGO_CALIBRATION:
 ret = msm_anc_dev_set_info(data, anc_cmd);
 break;
 default:
@@ -176,6 +180,12 @@ static long audio_anc_shared_ioctl(struct file *file, unsigned int cmd,
 sizeof(union audio_anc_data));
 ret = -EINVAL;
 goto done;
+ } else if ((data->hdr.anc_cmd_size + sizeof(data->hdr)) > size) {
+ pr_err("%s: anc_cmd size %d + anc cmd hdr size %zd is is greater than user buffer siz %d!\n",
+ __func__, data->hdr.anc_cmd_size, sizeof(data->hdr),
+ size);
+ ret = -EFAULT;
+ goto done;
 }
 switch (cmd) {
@@ -194,15 +204,9 @@ static long audio_anc_shared_ioctl(struct file *file, unsigned int cmd,
 goto done;
 if (data == NULL)
 goto done;
- if ((sizeof(data->hdr) + data->hdr.anc_cmd_size) > size) {
- pr_err("%s: header size %zd plus ype size %d larger than data buffer size %d\n",
- __func__, sizeof(data->hdr),
- data->hdr.anc_cmd_size, size);
- ret = -EFAULT;
- goto done;
- } else if (copy_to_user((void *)arg, data,
+ if (copy_to_user(arg, data,
 sizeof(data->hdr) + data->hdr.anc_cmd_size)) {
- pr_err("%s: Could not copy cal type to user\n",
+ pr_err("%s: Could not copy anc data to user\n",
 __func__);
 ret = -EFAULT;
 goto done;
diff --git a/include/uapi/linux/msm_audio_anc.h b/include/uapi/linux/msm_audio_anc.h
index 028d381bc1a6..d628f7ce9267 100644
--- a/include/uapi/linux/msm_audio_anc.h
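Review bot: In get_user_anc_cmd_size() the new `ANC_CMD_ALGO_CALIBRATION` case returns `sizeof(struct audio_anc_algo_calibration_info)`, which per the header change in this commit covers only the `int32_t payload_size` field and not the payload bytes that follow it. `payload_size` is a signed value supplied from user space, and nothing visible in this commit bounds it against `hdr.anc_cmd_size`, so the consumer reached through `msm_anc_dev_set_info()` (not shown) needs to reject negative values and anything larger than the bytes actually copied in. A comment on the case would make the contract explicit: `/* fixed part only; payload_size bytes follow and must be bounded by hdr.anc_cmd_size */`. The same point applies to the `struct audio_anc_algo_calibration_info` hunk in include/uapi/linux/msm_audio_anc.h; the function body continues outside this hunk.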
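Review bot: The new bound check at `@@ -176,6 +180,12 @@` in audio_anc_shared_ioctl() does not reject a negative length, assuming `hdr.anc_cmd_size` is a signed 32-bit field as the `%d` in the log line suggests. In `(data->hdr.anc_cmd_size + sizeof(data->hdr)) > size` the field is converted to `size_t`, so a value between `-sizeof(data->hdr)` and `-1` wraps to a small sum, passes the comparison and reaches the handlers in the switch. If `size` is also a signed int (it is printed with `%d`; its origin is outside the hunk), a negative `size` would likewise convert to a huge unsigned bound. I would make the sign check explicit, `} else if (data->hdr.anc_cmd_size < 0 || (data->hdr.anc_cmd_size + sizeof(data->hdr)) > size) {`, and confirm `size` is validated as non-negative before this point. The message should also use `%zu` for `sizeof(data->hdr)` and fix "is is" and "siz".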
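Review bot: Removing the size check that sat directly before `copy_to_user()` at `@@ -194,15 +204,9 @@` leaves the copy length `sizeof(data->hdr) + data->hdr.anc_cmd_size` covered only by the earlier check ahead of `switch (cmd)`. If the handler called earlier in this case (outside the hunk) can rewrite `data->hdr.anc_cmd_size`, the copy could read past the buffer that `size` describes and disclose adjacent kernel memory to user space. Either state in a comment that handlers must not modify the header, or keep a bound at the copy site, e.g. `if (sizeof(data->hdr) + data->hdr.anc_cmd_size > size) { ret = -EFAULT; goto done; }` before the `copy_to_user()` call. The enclosing case starts and ends outside this hunk.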
+++ b/include/uapi/linux/msm_audio_anc.h
@@ -16,6 +16,7 @@
 #define ANC_CMD_RPM 2
 #define ANC_CMD_BYPASS_MODE 3
 #define ANC_CMD_ALGO_MODULE 4
+#define ANC_CMD_ALGO_CALIBRATION 5
 /* room for ANC_CMD define extend */
 #define ANC_CMD_MAX 0xFF
@@ -39,10 +40,16 @@ struct audio_anc_algo_module_info {
 int32_t module_id;
 };
+struct audio_anc_algo_calibration_info {
+ int32_t payload_size;
+ /* num bytes of payload specificed in payload_size followed */
+};
+
 union audio_anc_data {
 struct audio_anc_rpm_info rpm_info;
 struct audio_anc_bypass_mode bypass_mode_info;
 struct audio_anc_algo_module_info algo_info;
+ struct audio_anc_algo_calibration_info algo_cali_info;
 };
 struct audio_anc_packet { |
