DivestOS/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch

55 lines
1.6 KiB
Diff
Raw Normal View History

2017-11-07 21:38:42 -05:00
From da638cc248f0d692a89e26f788c43d6f641c81ef Mon Sep 17 00:00:00 2001
From: Xiaojun Sang <xsang@codeaurora.org>
2017-11-07 21:38:42 -05:00
Date: Fri, 04 Nov 2016 14:35:58 +0800
Subject: [PATCH] ASoC: soc: prevent risk of buffer overflow
In case of large value for bufcnt_t or bufcnt,
cmd_size may overflow. Buffer size allocated by cmd_size might
be not as expected.
Possible buffer overflow could happen.
CRs-Fixed: 1084210
Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
---
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
2017-11-07 21:38:42 -05:00
index 31bd1d7..11a94e4 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
2017-11-07 21:38:42 -05:00
@@ -4054,7 +4054,7 @@
struct asm_buffer_node *buffer_node = NULL;
int rc = 0;
int i = 0;
- int cmd_size = 0;
+ uint32_t cmd_size = 0;
uint32_t bufcnt_t;
uint32_t bufsz_t;
2017-11-07 21:38:42 -05:00
@@ -4076,10 +4076,25 @@
bufsz_t = PAGE_ALIGN(bufsz_t);
}
+ if (bufcnt_t > (UINT_MAX
+ - sizeof(struct avs_cmd_shared_mem_map_regions))
+ / sizeof(struct avs_shared_map_region_payload)) {
+ pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
+ __func__, bufcnt_t);
+ return -EINVAL;
+ }
+
cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
+ (sizeof(struct avs_shared_map_region_payload)
* bufcnt_t);
+
+ if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
+ __func__, bufcnt);
+ return -EINVAL;
+ }
+
buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
GFP_KERNEL);
if (!buffer_node) {