DivestOS/Patches/Linux_CVEs/CVE-2017-0586/ANY/0.patch
2017-10-29 22:14:37 -04:00

55 lines
2.0 KiB
Diff

From 05bacdc0f9c16c58326a4be9e88afa870cf1024e Mon Sep 17 00:00:00 2001
From: Nick Desaulniers <ndesaulniers@google.com>
Date: Thu, 9 Feb 2017 16:04:21 -0800
Subject: [PATCH] ASoC: msm: qdsp6v2: Fix out-of-bounds access in put functions
Add out of bounds check in routing put functions
for the mux value before accessing the texts
pointer of soc_enum struct with mux as index.
CRs-fixed: 1097569
Bug: 33649808
Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
---
sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
mode change 100755 => 100644 sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
old mode 100755
new mode 100644
index 97c914ac35a4a..adbeb77bcb912
--- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -2272,6 +2272,11 @@ static int msm_routing_ec_ref_rx_put(struct snd_kcontrol *kcontrol,
struct snd_soc_dapm_update *update = NULL;
int valid_port = true;
+ if (mux >= e->items) {
+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
+ return -EINVAL;
+ }
+
mutex_lock(&routing_lock);
switch (ucontrol->value.integer.value[0]) {
case 0:
@@ -2439,6 +2444,11 @@ static int msm_routing_ext_ec_put(struct snd_kcontrol *kcontrol,
uint16_t ext_ec_ref_port_id;
struct snd_soc_dapm_update *update = NULL;
+ if (mux >= e->items) {
+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
+ return -EINVAL;
+ }
+
mutex_lock(&routing_lock);
msm_route_ext_ec_ref = ucontrol->value.integer.value[0];