authorMichael Bestas <mkbestas@lineageos.org>2024-10-11 02:00:13 +0300
committerMichael Bestas <mkbestas@lineageos.org>2024-10-11 02:00:13 +0300
commit5723bf36a6f222828f00962a067480a1ad7fd98f (patch)
treece330a13bb759307304f1676c1159dec7450e69b /sound/soc/msm/qdsp6v2/q6voice.c
parent17d850f5a5bc1318b67a974b16d32a2dd3bab5cf (diff)
parentdc9abd24dd0943d1afb3a349bbacc19baa0f071d (diff)
Merge tag 'LA.UM.8.4.c25-11300-8x98.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4 into android13-4.4-msm8998
"LA.UM.8.4.c25-11300-8x98.0" * tag 'LA.UM.8.4.c25-11300-8x98.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4: msm: kgsl: Fix error handling during drawctxt switch dsp: q6voice: Adds checks for an integer overflow msm: adsprpc: Handle UAF in fastrpc internal munmap Conflicts: drivers/char/adsprpc.c Change-Id: I3b55e2f381f91677a3d739ba33f4f1d57f6573e0
Diffstat (limited to 'sound/soc/msm/qdsp6v2/q6voice.c')
-rw-r--r--sound/soc/msm/qdsp6v2/q6voice.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6voice.c b/sound/soc/msm/qdsp6v2/q6voice.c
index 996567ff3a0e..a1f1fafbdf8d 100644
--- a/sound/soc/msm/qdsp6v2/q6voice.c
+++ b/sound/soc/msm/qdsp6v2/q6voice.c
@@ -1,5 +1,5 @@
/* Copyright (c) 2012-2018, 2020, The Linux Foundation. All rights reserved.
- *
+ * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
@@ -17,6 +17,7 @@
#include <linux/wait.h>
#include <linux/mutex.h>
#include <linux/msm_audio_ion.h>
+#include <linux/overflow.h>
#include <soc/qcom/socinfo.h>
#include <linux/qdsp6v2/apr_tal.h>
@@ -6771,7 +6772,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) {
int ret = 0;
u16 cvs_handle;
- uint32_t *cvs_voc_pkt;
+ uint32_t *cvs_voc_pkt, tot_buf_sz;
struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd;
void *apr_cvs;
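Review bot: The new declaration `uint32_t *cvs_voc_pkt, tot_buf_sz;` mixes a pointer and a scalar under one type specifier, which is easy to misread as two pointers. Splitting it into `uint32_t *cvs_voc_pkt;` and `uint32_t tot_buf_sz;` keeps the types unambiguous. The enclosing block of qdsp_cvs_callback starts and ends outside this hunk.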
@@ -6800,9 +6801,15 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED;
cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
+
+ if (__unsigned_add_overflow(cvs_voc_pkt[2],
+ (uint32_t)(3 * sizeof(uint32_t)), &tot_buf_sz)) {
+ pr_err("%s: integer overflow detected\n", __func__);
+ return -EINVAL;
+ }
+
if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) {
- if (v->shmem_info.sh_buf.buf[1].size <
- ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+ if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) {
pr_err("%s: invalid voc pkt size\n", __func__);
return -EINVAL;
}
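Review bot: The added overflow check reads `cvs_voc_pkt[2]` before the `cvs_voc_pkt != NULL` test on the following `if`, so a NULL `sh_buf.buf[1].data` would be dereferenced in the callback before the existing guard can reject it. Moving the `__unsigned_add_overflow(...)` block inside the `if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL)` branch, directly ahead of the size comparison, keeps the original NULL handling intact. The length word also lives in the shared-memory buffer, so if the code after this hunk (not visible here) reads `cvs_voc_pkt[2]` again instead of reusing the validated value, the size check may not bind the later access. Copying the word once into a local, for example `uint32_t pkt_len = READ_ONCE(cvs_voc_pkt[2]);`, and using that copy throughout would remove the doubt. Separately, `__unsigned_add_overflow` looks like an internal helper of `<linux/overflow.h>`; if this tree's header provides `check_add_overflow()`, that is the documented interface to call.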