DivestOS/Patches/Linux_CVEs/CVE-2016-2068/ANY/0.patch
2017-10-29 22:14:37 -04:00


From 2c04c0dab66013b7dfbe4d5a523c2c1d6b5b11d6 Mon Sep 17 00:00:00 2001
From: Weiyin Jiang <wjiang@codeaurora.org>
Date: Tue, 26 Apr 2016 14:35:38 +0800
Subject: ASoC: msm: audio-effects: misc fixes in h/w accelerated effect
Adding memory copy size check and integer overflow check in h/w
accelerated effect driver.
Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
CRs-Fixed: 1006609
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
---
drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 8 +++++---
sound/soc/msm/qdsp6v2/q6asm.c | 6 ++++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
index 3ba20ca..3a88344 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
@@ -163,7 +163,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
pr_debug("%s: dec buf size: %d, num_buf: %d, enc buf size: %d, num_buf: %d\n",
__func__, effects->config.output.buf_size,
- effects->config.output.buf_size,
+ effects->config.output.num_buf,
effects->config.input.buf_size,
effects->config.input.num_buf);
rc = q6asm_audio_client_buf_alloc_contiguous(IN, effects->ac,
@@ -251,7 +251,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
bufptr = q6asm_is_cpu_buf_avail(IN, effects->ac, &size, &idx);
if (bufptr) {
- if (copy_from_user(bufptr, (void *)arg,
+ if ((effects->config.buf_cfg.output_len > size) ||
+ copy_from_user(bufptr, (void *)arg,
effects->config.buf_cfg.output_len)) {
rc = -EFAULT;
goto ioctl_fail;
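Review bot: The new bound check reads `effects->config.buf_cfg.output_len` once for the comparison with `size` and again as the `copy_from_user()` length, so if another ioctl on the same file can update `buf_cfg` concurrently (no lock is visible in this hunk), the copied length may differ from the one that was checked. Taking the length into a local first, e.g. `len = effects->config.buf_cfg.output_len;`, and using `len` for both the check and the copy closes that window; the same applies to `input_len` in the `copy_to_user()` hunk at -307. An oversized length is also reported as `-EFAULT`, where `-EINVAL` would tell user space that the argument rather than the pointer was bad. The enclosing `audio_effects_shared_ioctl()` starts and ends outside the hunk, so the types of `size` and the length fields should be confirmed to be unsigned for the comparison to be sound.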
@@ -307,7 +308,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
rc = -EFAULT;
goto ioctl_fail;
}
- if (copy_to_user((void *)arg, bufptr,
+ if ((effects->config.buf_cfg.input_len > size) ||
+ copy_to_user((void *)arg, bufptr,
effects->config.buf_cfg.input_len)) {
rc = -EFAULT;
goto ioctl_fail;
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index df310b8..d143eb0 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -1300,6 +1300,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir,
ac->port[dir].buf = buf;
+ /* check for integer overflow */
+ if ((bufcnt > 0) && ((INT_MAX / bufcnt) < bufsz)) {
+ pr_err("%s: integer overflow\n", __func__);
+ mutex_unlock(&ac->cmd_lock);
+ goto fail;
+ }
bytes_to_alloc = bufsz * bufcnt;
/* The size to allocate should be multiple of 4K bytes */
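Review bot: The overflow check bounds `bufsz * bufcnt` to `INT_MAX`, but the comment right after it says the size is then rounded up to a multiple of 4K, and that rounding (outside this hunk) can still push a product just under `INT_MAX` past the limit. Bounding against the page-aligned maximum instead, e.g. `if ((bufcnt > 0) && (((INT_MAX & PAGE_MASK) / bufcnt) < bufsz))`, would cover both steps, assuming `bytes_to_alloc` is an `int` as the use of `INT_MAX` suggests. The check also runs after `ac->port[dir].buf = buf;` and under `cmd_lock`, so the error path depends on `fail:` freeing `buf` and on the return code set there; validating the two sizes at function entry, before the allocation and the lock, would avoid that. The function body starts and ends outside the hunk.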
--
cgit v1.1