authorSoumya Managoli <quic_c_smanag@quicinc.com>2023-01-06 14:37:20 +0530
committerMichael Bestas <mkbestas@lineageos.org>2023-06-09 14:04:15 +0200
commitd6038d6da57f766f4c9bb946a107e48617b414ff (patch)
tree1ec296c923ee40f95fbe0bf1151755fe3df8fb71
parent0d7a6c301af8851542a9ec66a7dab571a979c057 (diff)
ASoC: msm-pcm-q6-v2: Add dsp buf check
Current logic copies user buf size of data from the avail dsp buf at a given offset. If this offset returned from DSP in READ_DONE event goes out of bounds or is corrupted, then it can lead to out of bounds DSP buffer access, resulting in memory fault. Fix is to add check for this buf offset, if it is within the buf size range. Change-Id: I7753cc6db394704dbb959477150141d42b836bef Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
index 487aaf2390c0..5f4225e675ad 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
@@ -1,4 +1,5 @@
/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -995,6 +996,14 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream,
xfer = size;
offset = prtd->in_frame_info[idx].offset;
pr_debug("Offset value = %d\n", offset);
+
+ if (offset >= size) {
+ pr_err("%s: Invalid dsp buf offset\n", __func__);
+ ret = -EFAULT;
+ q6asm_cpu_buf_release(OUT, prtd->audio_client);
+ goto fail;
+ }
+
if (copy_to_user(buf, bufptr+offset, xfer)) {
pr_err("Failed to copy buf to user\n");
ret = -EFAULT;
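Review bot: The added guard `if (offset >= size)` bounds only the start of the read, while the `copy_to_user(buf, bufptr+offset, xfer)` just below it still copies `xfer` bytes from that start. The context line `xfer = size;` shows that `xfer` can equal `size`, so if `size` is the length of the DSP buffer (its assignment is outside the hunk), any non-zero offset that passes the check could still run past the end of the buffer. Checking the whole range would close that gap, for example `if (offset >= size || xfer > size - offset) {`, which cannot wrap because the first test already guarantees `offset < size`. The declarations of `offset` and `size` are not visible here; `offset` is printed with `%d`, so if it is signed, confirm that a negative value from the DSP is rejected by this comparison rather than relying on implicit conversion. It would also help triage to log the rejected values, e.g. `pr_err("%s: Invalid dsp buf offset %d, size %d\n", __func__, offset, size);`, with the format specifiers matched to the real types.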