DivestOS/Patches/Linux_CVEs/CVE-2015-8940/0.patch

From e13ebd727d161db7003be6756e61283dce85fa3b Mon Sep 17 00:00:00 2001
From: Bhalchandra Gajare <gajare@codeaurora.org>
Date: Tue, 10 Feb 2015 14:44:36 -0800
Subject: ASoC: q6lsm: Add check for integer overflow

During sound model registration, the total memory size needed by the
sound model data is the sum of sound model length, number of zero
padding bytes and the calibration size. It is possible this sum
can result into integer overflow causing difficult to debug issues.
Add check for integer overflow to avoid such possible issues.

CRs-fixed: 792367
Change-Id: I9f451aa308214a4eac42b82e2abf1375c858ff30
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/q6lsm.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
index db29115..67be542 100644
--- a/sound/soc/msm/qdsp6v2/q6lsm.c
+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2014, Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2015, Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1055,6 +1055,15 @@ int q6lsm_snd_model_buf_alloc(struct lsm_client *client, size_t len)
 		client->sound_model.size = len;
 		pad_zero = (LSM_ALIGN_BOUNDARY -
 			    (len % LSM_ALIGN_BOUNDARY));
+		if ((len > SIZE_MAX - pad_zero) ||
+		    (len + pad_zero >
+		     SIZE_MAX - cal_block->cal_data.size)) {
+			pr_err("%s: invalid allocation size, len = %zd, pad_zero =%zd, cal_size = %zd\n",
+				__func__, len, pad_zero,
+				cal_block->cal_data.size);
+			rc = -EINVAL;
+			goto fail;
+		}
 
 		total_mem = PAGE_ALIGN(pad_zero + len +
 			cal_block->cal_data.size);
-- 
cgit v1.1