| author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-09-01 13:33:50 +0530 |
|---|---|---|
| committer | Georg Veichtlbauer <georg@vware.at> | 2023-11-08 17:53:52 +0100 |
| commit | 51b6076835ef093f89aca3d819156b7d8f06752d (patch) | |
| tree | e86a844eee1124b881796a77482394561d97b761 | |
| parent | 902623421e7f00863589edf3c7feb2ec5a7b22ed (diff) | |
q6asm: validate payload size before access
Payload size is not checked before payload access.
Check size to avoid out-of-boundary memory access.
Change-Id: I1bd8281ad263b8c0102335504a740312755b8d15
Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6asm.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c index eb3b42f47974..987c1cc099f8 100644 --- a/sound/soc/msm/qdsp6v2/q6asm.c +++ b/sound/soc/msm/qdsp6v2/q6asm.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. * Author: Brian Swetland <swetland@google.com> * * This software is licensed under the terms of the GNU General Public @@ -2275,6 +2276,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) config_debug_fs_read_cb(); + if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) { + pr_err("%s: payload size of %d is less than expected size\n", + __func__, data->payload_size); + spin_unlock_irqrestore( + &(session[session_id].session_lock), + flags); + return -EINVAL; + } + dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n", __func__, payload[READDONE_IDX_STATUS], payload[READDONE_IDX_BUFADD_LSW], |
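Review bot: The added guard in q6asm_callback compares with `!=` but logs "is less than expected size", so a payload that is larger than expected is rejected with a misleading message. If only short payloads are unsafe for the `payload[READDONE_IDX_...]` reads that follow, use `if (data->payload_size < (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) {`; if exact equality is intended, change the text to `"%s: payload size of %d does not match expected size\n"`. The size presumably comes from the DSP side of the APR link, so `pr_err_ratelimited` would keep a stream of malformed packets from flooding the kernel log. The function body starts and ends outside the hunk, so whether `payload` is read before this check cannot be confirmed from here.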
