DivestOS/Patches/Linux_CVEs/CVE-2017-0444/ANY/0.patch

61 lines
1.9 KiB
Diff
Raw Normal View History

From 230f280dd4046a227665ff07c9afaa7b9aa1e061 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Thu, 17 Nov 2016 08:58:07 -0800
Subject: rt5677: protect model_buf and model_len
vad_lock is active for model_buf and model_len fields
except during RT_WRITE_CODEC_DSP_IOCTL transactions.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32705232
Change-Id: I3493909019b18a902c577c0010b41087fecb5325
---
sound/soc/codecs/rt5677.h | 1 +
sound/soc/codecs/rt5677_ioctl.c | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/rt5677.h b/sound/soc/codecs/rt5677.h
index 5295cfd..2375769 100644
--- a/sound/soc/codecs/rt5677.h
+++ b/sound/soc/codecs/rt5677.h
@@ -1468,6 +1468,7 @@ struct rt5677_priv {
*/
struct regmap *regmap;
struct mutex index_lock;
+ /* protects vad activities, including model_len and model_buf */
struct mutex vad_lock;
struct workqueue_struct *check_mic_wq;
struct delayed_work check_hp_mic_work;
diff --git a/sound/soc/codecs/rt5677_ioctl.c b/sound/soc/codecs/rt5677_ioctl.c
index f5ee880..d3262f5 100644
--- a/sound/soc/codecs/rt5677_ioctl.c
+++ b/sound/soc/codecs/rt5677_ioctl.c
@@ -151,16 +151,22 @@ int rt5677_ioctl_common(struct snd_hwdep *hw, struct file *file,
case RT_WRITE_CODEC_DSP_IOCTL:
case RT_WRITE_CODEC_DSP_IOCTL_COMPAT:
+ mutex_lock(&rt5677->vad_lock);
if (!rt5677->model_buf || rt5677->model_len < size) {
vfree(rt5677->model_buf);
rt5677->model_len = 0;
rt5677->model_buf = vmalloc(size);
- if (!rt5677->model_buf)
+ if (!rt5677->model_buf) {
+ mutex_unlock(&rt5677->vad_lock);
return -ENOMEM;
+ }
}
- if (copy_from_user(rt5677->model_buf, rt_codec.buf, size))
+ if (copy_from_user(rt5677->model_buf, rt_codec.buf, size)) {
+ mutex_unlock(&rt5677->vad_lock);
return -EFAULT;
+ }
rt5677->model_len = size;
+ mutex_unlock(&rt5677->vad_lock);
return 0;
default:
--
cgit v1.1