From 7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e Mon Sep 17 00:00:00 2001 From: Ashish Jain Date: Fri, 15 Apr 2016 15:33:14 +0530 Subject: ASoC: msm: qdsp6v2: DAP: Fix buffer overflow Add check to avoid out of bound access. Check return value of get_user api. CRs-Fixed: 997025 Change-Id: Ibbace116ac206007fa1928555838285304737737 Signed-off-by: Ashish Jain --- sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c index 242dc5f..ace747d 100644 --- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c +++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. +/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and * only version 2 as published by the Free Software Foundation. @@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) int ret = 0, port_id = 0; int32_t data; struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg; - get_user(data, &dolby_data->data[0]); + if (get_user(data, &dolby_data->data[0])) { + pr_debug("%s error getting data\n", __func__); + ret = -EFAULT; + goto end; + } pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n", __func__, dolby_data->param_id, dolby_data->be_id, @@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg) goto end; } + off = ds2_dap_params_offset[idx]; + if ((dolby_data->length <= 0) || + (dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) { + pr_err("%s: invalid length %d at idx %d\n", + __func__, dolby_data->length, idx); + rc = -EINVAL; + goto end; + } + /* cache the parameters */ ds2_dap_params[cdev].dap_params_modified[idx] += 1; for (j = 0; j < dolby_data->length; j++) { - off = ds2_dap_params_offset[idx]; - get_user(data, &dolby_data->data[j]); + if (get_user(data, &dolby_data->data[j])) { + pr_debug("%s:error getting data\n", __func__); + rc = -EFAULT; + goto end; + } ds2_dap_params[cdev].params_val[off + j] = data; pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n", __func__, off, data, -- cgit v1.1