DivestOS/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch

37 lines
1.2 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From 25ab82f5d7d8d8d3b4c8eaaa02944dd5a81be7c3 Mon Sep 17 00:00:00 2001
From: Karthik Reddy Katta <a_katta@codeaurora.org>
Date: Wed, 28 Dec 2016 11:24:33 +0530
Subject: drivers: soc: qcom: Add overflow check for sound model size
Overflow check is added for sound model size to prevent
heap overflow while allocating memory for sound model data.
CRs-Fixed: 1100682
Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
---
sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
2017-11-07 17:32:46 -05:00
index d5b675f..a4daf91d 100644
--- a/sound/soc/msm/msm-cpe-lsm.c
+++ b/sound/soc/msm/msm-cpe-lsm.c
2017-11-07 17:32:46 -05:00
@@ -1913,6 +1913,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
session, &offset);
+ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
+ if (p_info->param_size > U32_MAX - offset) {
+ dev_err(rtd->dev,
+ "%s: Invalid param_size %d\n",
+ __func__, p_info->param_size);
+ return -EINVAL;
+ }
session->snd_model_size = p_info->param_size + offset;
session->snd_model_data = vzalloc(session->snd_model_size);
--
cgit v1.1