samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
程式碼 問題 合併請求 Actions 套件 專案 版本發布 Wiki 動態

lsm: check payload size validity before using it as array index

瀏覽代碼 
Payload size validity is not checked before using it in array index.
Check payload size to avoid out-of-boundary memory.

Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8
Signed-off-by: Kunlei Zhang <kunleiz@codeaurora.org>
此提交包含在:
Kunlei Zhang
2019-01-23 17:18:19 +08:00
提交者 Gerrit - the friendly Code Review server
父節點 d14c2dc368
當前提交 16e535969b
共有 3 個檔案被更改,包括 66 行新增14 行删除
下載 Patch 檔 下載差異檔 展開所有檔案 折疊所有檔案

16
dsp/q6lsm.c
查看文件

@@ -153,7 +153,8 @@ static int q6lsm_callback(struct apr_client_data *data, void *priv)
struct lsm_cmd_read_done read_done;
token = data->token;
if (data->payload_size > sizeof(read_done)) {
if (data->payload_size > sizeof(read_done) ||
data->payload_size < 6 * sizeof(payload[0])) {
pr_err("%s: read done error payload size %d expected size %zd\n",
__func__, data->payload_size,
sizeof(read_done));
@@ -171,6 +172,7 @@ static int q6lsm_callback(struct apr_client_data *data, void *priv)
if (client->cb)
client->cb(data->opcode, data->token,
(void *)&read_done,
sizeof(read_done),
client->priv);
return 0;
} else if (data->opcode == APR_BASIC_RSP_RESULT) {
@@ -198,6 +200,11 @@ static int q6lsm_callback(struct apr_client_data *data, void *priv)
__func__, token, client->session);
return -EINVAL;
}
if (data->payload_size < 2 * sizeof(payload[0])) {
pr_err("%s: payload has invalid size[%d]\n",
__func__, data->payload_size);
return -EINVAL;
}
client->cmd_err_code = payload[1];
if (client->cmd_err_code)
pr_err("%s: cmd 0x%x failed status %d\n",
@@ -218,7 +225,7 @@ static int q6lsm_callback(struct apr_client_data *data, void *priv)
if (client->cb)
client->cb(data->opcode, data->token, data->payload,
client->priv);
data->payload_size, client->priv);
return 0;
}
@@ -1791,6 +1798,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
"proc 0x%x SID 0x%x\n", __func__, data->opcode,
data->reset_event, data->reset_proc, sid);
if (sid < LSM_MIN_SESSION_ID || sid > LSM_MAX_SESSION_ID)
pr_err("%s: Invalid session %d\n", __func__, sid);
apr_reset(lsm_common.apr);
lsm_common.apr = NULL;
atomic_set(&lsm_common.apr_users, 0);
@@ -1855,7 +1864,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
}
if (client->cb)
client->cb(data->opcode, data->token,
data->payload, client->priv);
data->payload, data->payload_size,
client->priv);
return 0;
}