
rtac: add size check when reading cal data kvaddr buffer

Add size check to ensure cal data bytes size fits inside
the cal data when copying to user space buffer.

CRs-Fixed: 2110256
Change-Id: I511999984684a9db4aaf1cf2c65eb1495c36980f
Signed-off-by: kunleiz <[email protected]>
kunleiz 7 yıl önce
ebeveyn
işleme
9c42950615
1 değiştirilmiş dosya ile 32 ekleme ve 0 silme
  1. 32 0
      dsp/rtac.c

+ 32 - 0
dsp/rtac.c

@@ -909,6 +909,14 @@ int send_adm_apr(void *buf, u32 opcode)
 		bytes_returned = ((u32 *)rtac_cal[ADM_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[ADM_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);
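Review bot: The header size is added before the new bound is applied, in `bytes_returned = ((u32 *)...kvaddr)[2] + 3 * sizeof(u32)`, so if `bytes_returned` is a 32-bit variable (its declaration is outside the hunk), a size field close to the 32-bit maximum in the shared buffer wraps to a small value and is accepted as a short response instead of returning -EINVAL. Checking the raw field first, e.g. `u32 payload = ((u32 *)kvaddr)[2];` followed by `if (payload > map_size || payload + 3 * sizeof(u32) > map_size)`, rejects it; the same applies to the identical checks in send_rtac_asm_apr and send_voice_apr. The new message also prints the size with `%d` while the pr_err right after it prints the same variable with `0x%x`; using `%u` or `0x%x` in all four hunks keeps an oversized value from appearing as a negative number in the log. The function body continues outside the hunk.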
@@ -1132,6 +1140,14 @@ int send_rtac_asm_apr(void *buf, u32 opcode)
 		bytes_returned = ((u32 *)rtac_cal[ASM_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[ASM_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);
@@ -1392,6 +1408,14 @@ static int send_rtac_afe_apr(void *buf, uint32_t opcode)
 		bytes_returned = get_resp->param_size +
 				sizeof(struct afe_port_param_data_v2);
 
+		if (bytes_returned > rtac_cal[AFE_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_afe_buf.buf_size) {
 			pr_err("%s: user size = 0x%x, returned size = 0x%x\n",
 				__func__, user_afe_buf.buf_size,
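Review bot: The limit used here is the whole of `map_data.map_size`, but the bytes are read through `get_resp`, whose assignment is outside the hunk; if it points past the start of the buffer, the limit should be `map_size` minus that offset, otherwise a copy of `bytes_returned` bytes could still run past the end of the buffer. Separately, the data lives in the `cal_data` kernel mapping while the bound is taken from `map_data`; if those two sizes can ever differ (for example before the buffer is mapped or after it is unmapped), the bound should be the size of the `cal_data` allocation, and this applies to the other three hunks as well. A one-line comment such as `/* size comes from the shared cal buffer; bound it by the buffer size before copying to user space */` above the check would record why it is there.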
@@ -1617,6 +1641,14 @@ int send_voice_apr(u32 mode, void *buf, u32 opcode)
 		bytes_returned = ((u32 *)rtac_cal[VOICE_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[VOICE_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);