diff options
| author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-05-16 15:38:11 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2023-06-06 23:05:30 -0700 |
| commit | dcbd3bb3fe42809cd5ee45a551fbb934e17bedfd (patch) | |
| tree | 052b042c5b7fbc004e3f2f4cecad49827da6ada0 | |
| parent | 67cbee5bbfcf5fafd18a1a0a64ea40ca1a1b12be (diff) | |
ASoC: msm-pcm-q6-v2: Add dsp buf check
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: Ia81bf25a5a32a69c39dce7589c96bff99b9452f0
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c index c1ef60bd8cba..2186418de361 100644 --- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c +++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c @@ -1,4 +1,5 @@ /* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -990,6 +991,14 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream, xfer = size; offset = prtd->in_frame_info[idx].offset; pr_debug("Offset value = %d\n", offset); + + if (offset >= size) { + pr_err("%s: Invalid dsp buf offset\n", __func__); + ret = -EFAULT; + q6asm_cpu_buf_release(OUT, prtd->audio_client); + goto fail; + } + if (copy_to_user(buf, bufptr+offset, xfer)) { pr_err("Failed to copy buf to user\n"); ret = -EFAULT; |