Accueil Explorer Aide
Connexion
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

Merge "dsp: q6usm: Check size of payload before access"

Linux Build Service Account il y a 6 ans
Parent
b227c31c2b def212b841
commit
c76093dd87
1 fichiers modifiés avec 23 ajouts et 1 suppressions
Vue séparée Afficher les stats Diff
  1. 23 1
      dsp/q6usm.c

+ 23 - 1
dsp/q6usm.c
Voir le fichier 

@@ -1,6 +1,6 @@
 
 // SPDX-License-Identifier: GPL-2.0-only
 
 /*
 
- * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
 
+ * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
 
  */
 
 #include <linux/mutex.h>
 
 #include <linux/wait.h>
 
@@ -490,6 +490,11 @@ static int32_t q6usm_mmapcallback(struct apr_client_data *data, void *priv)
 
 	uint32_t token;
 
 	uint32_t *payload = data->payload;
 
 
+	if (data->payload_size < (2 * sizeof(uint32_t))) {
 
+		pr_err("%s: payload has invalid size[%d]\n", __func__,
 
+		       data->payload_size);
 
+		return -EINVAL;
 
+	}
 
 	pr_debug("%s: ptr0[0x%x]; ptr1[0x%x]; opcode[0x%x]\n",
 
 		 __func__, payload[0], payload[1], data->opcode);
 
 	pr_debug("%s: token[0x%x]; payload_size[%d]; src[%d]; dest[%d];\n",
 
@@ -551,6 +556,11 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv)
 
 	}
 
 
 	if (data->opcode == APR_BASIC_RSP_RESULT) {
 
+		if (data->payload_size < (2 * sizeof(uint32_t))) {
 
+			pr_err("%s: payload has invalid size[%d]\n", __func__,
 
+			       data->payload_size);
 
+			return -EINVAL;
 
+		}
 
 		/* status field check */
 
 		if (payload[1]) {
 
 			pr_err("%s: wrong response[%d] on cmd [%d]\n",
 
@@ -614,6 +624,12 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv)
 
 
 		opcode = Q6USM_EVENT_READ_DONE;
 
 		spin_lock_irqsave(&port->dsp_lock, dsp_flags);
 
+		if (data->payload_size <
 
+		    (sizeof(uint32_t)*(READDONE_IDX_STATUS + 1))) {
 
+			pr_err("%s: Invalid payload size for READDONE[%d]\n",
 
+			       __func__, data->payload_size);
 
+			return -EINVAL;
 
+		}
 
 		if (payload[READDONE_IDX_STATUS]) {
 
 			pr_err("%s: wrong READDONE[%d]; token[%d]\n",
 
 			       __func__,
 
@@ -660,6 +676,12 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv)
 
 		struct us_port_data *port = &usc->port[IN];
 
 
 		opcode = Q6USM_EVENT_WRITE_DONE;
 
+		if (data->payload_size <
 
+		    (sizeof(uint32_t)*(WRITEDONE_IDX_STATUS + 1))) {
 
+			pr_err("%s: Invalid payload size for WRITEDONE[%d]\n",
 
+			       __func__, data->payload_size);
 
+			return -EINVAL;
 
+		}
 
 		if (payload[WRITEDONE_IDX_STATUS]) {
 
 			pr_err("%s: wrong WRITEDONE_IDX_STATUS[%d]\n",
 
 			       __func__,