DivestOS/Patches/Linux_CVEs-New/CVE-2016-2466/ANY/0.patch
2017-10-29 14:23:02 -04:00


<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - 8292fe595c99ccbcb5e73debdba21d5f1ad91ef6^! - kernel/msm.git - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&amp;continue=https://android.googlesource.com/login/kernel/msm.git/%2B/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/">msm.git</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E%21/">8292fe595c99ccbcb5e73debdba21d5f1ad91ef6^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>8292fe595c99ccbcb5e73debdba21d5f1ad91ef6</td><td><span>[<a href="/kernel/msm.git/+log/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/">log</a>]</span> <span>[<a href="/kernel/msm.git/+archive/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Ben Romberger &lt;bromberg@codeaurora.org&gt;</td><td>Thu Apr 14 14:35:10 2016 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Yuan Lin &lt;yualin@google.com&gt;</td><td>Wed Apr 20 17:53:33 2016 -0700</td></tr><tr><th class="Metadata-title">tree</th><td><a 
href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/">d43e1c522da03f52f6b6082235fc29fdde35cab3</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E">27e5b60af8b7b1fd289b1438a69866a125dacbdc</a> <span>[<a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">ASoC: msm: Add bounds checking to ADM get params
Add additional bounds checking to ADM get params.
Validate that all buffer sizes are valid before
dereferencing.
BUG=27947307
Change-Id: <a href="https://android-review.googlesource.com/#/q/Iae3643985b5b72b78606f4dff94f8068ee0ddc09">Iae3643985b5b72b78606f4dff94f8068ee0ddc09</a>
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm.git/+/27e5b60af8b7b1fd289b1438a69866a125dacbdc/sound/soc/msm/qdsp6v2/q6adm.c">a/sound/soc/msm/qdsp6v2/q6adm.c</a> <a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/sound/soc/msm/qdsp6v2/q6adm.c">b/sound/soc/msm/qdsp6v2/q6adm.c</a>
index 08caf51..14565cc 100644
--- a/sound/soc/msm/qdsp6v2/q6adm.c
+++ b/sound/soc/msm/qdsp6v2/q6adm.c
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -508,9 +508,18 @@
</span><span class="Diff-change"> rc = -EINVAL;</span>
<span class="Diff-change"> goto adm_get_param_return;</span>
<span class="Diff-change"> }</span>
<span class="Diff-delete">- if (params_data) {</span>
<span class="Diff-insert">+ if ((params_data) &amp;&amp;</span>
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) &gt; 0) &amp;&amp;</span>
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) &gt;= 1+adm_get_parameters[0]) &amp;&amp;</span>
<span class="Diff-insert">+ (params_length/sizeof(int) &gt;= adm_get_parameters[0])) {</span>
<span class="Diff-change"> for (i = 0; i &lt; adm_get_parameters[0]; i++)</span>
<span class="Diff-change"> params_data[i] = adm_get_parameters[1+i];</span>
<span class="Diff-insert">+ } else {</span>
<span class="Diff-insert">+ pr_err(&quot;%s: Get param data not copied! get_param array size %zd, index %d, params array size %zd, index %d\n&quot;,</span>
<span class="Diff-insert">+ __func__, ARRAY_SIZE(adm_get_parameters),</span>
<span class="Diff-insert">+ (1+adm_get_parameters[0]),</span>
<span class="Diff-insert">+ params_length/sizeof(int),</span>
<span class="Diff-insert">+ adm_get_parameters[0]);</span>
<span class="Diff-change"> }</span>
<span class="Diff-change"> rc = 0;</span>
<span class="Diff-change"> adm_get_param_return:</span>
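Review bot: The new `else` branch logs that nothing was copied, but control still reaches `rc = 0;`, so a caller cannot tell a rejected length from a successful read and may consume a `params_data` buffer that was never filled. The same branch is also taken when `params_data` is NULL, which returned 0 silently before this change, so I would keep the NULL case quiet and, for a failed bounds check only, add `rc = -EINVAL;` and `goto adm_get_param_return;` after the `pr_err`. The condition reads `adm_get_parameters[0]` three times and the loop reads it again on every iteration; if the callback that writes this array can run concurrently (no locking is visible in the hunk), copy it once into a local before validating and use that local as the loop bound. `ARRAY_SIZE()` and the `params_length/sizeof(int)` quotient are unsigned, so `%zu` is the matching format rather than `%zd`. The enclosing function starts and ends outside the hunk.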
<span class="Diff-hunk">@@ -799,17 +808,18 @@
</span><span class="Diff-change"> data-&gt;payload_size))</span>
<span class="Diff-change"> break;</span>
<span class="Diff-change"> </span>
<span class="Diff-delete">- if (payload[0] == 0) {</span>
<span class="Diff-delete">- if (data-&gt;payload_size &gt;</span>
<span class="Diff-delete">- (4 * sizeof(uint32_t))) {</span>
<span class="Diff-delete">- adm_get_parameters[0] = payload[3];</span>
<span class="Diff-insert">+ if ((payload[0] == 0) &amp;&amp;</span>
<span class="Diff-insert">+ (data-&gt;payload_size &gt; (4 * sizeof(*payload))) &amp;&amp;</span>
<span class="Diff-insert">+ (data-&gt;payload_size/sizeof(*payload)-4 &gt;= payload[3]) &amp;&amp;</span>
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) &gt; 0) &amp;&amp;</span>
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters)-1 &gt;= payload[3])) {</span>
<span class="Diff-insert">+ adm_get_parameters[0] = payload[3];</span>
<span class="Diff-change"> pr_debug(&quot;GET_PP PARAM:received parameter length: 0x%x\n&quot;,</span>
<span class="Diff-change"> adm_get_parameters[0]);</span>
<span class="Diff-change"> /* storing param size then params */</span>
<span class="Diff-change"> for (i = 0; i &lt; payload[3]; i++)</span>
<span class="Diff-change"> adm_get_parameters[1+i] =</span>
<span class="Diff-change"> payload[4+i];</span>
<span class="Diff-delete">- }</span>
<span class="Diff-change"> } else {</span>
<span class="Diff-change"> adm_get_parameters[0] = -1;</span>
<span class="Diff-change"> pr_err(&quot;%s: GET_PP_PARAMS failed, setting size to %d\n&quot;,</span>
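Review bot: `payload[0]` is still dereferenced before `data->payload_size` is compared with `4 * sizeof(*payload)`, so the first operand of the new condition depends entirely on the size check just above the hunk; moving the `payload_size` comparison to the front would make the condition safe on its own. `payload[3]` is read twice for validation, once for the store into `adm_get_parameters[0]`, and again as the loop bound on every iteration; if this buffer can change while the callback runs (not determinable from the hunk), the validated count and the count actually used can differ. Reading it once, e.g. `uint32_t n = payload[3];` (the removed `sizeof(uint32_t)` suggests that element type), and using `n` for the checks, the store and the loop bound removes that double fetch. Folding the bounds checks into the status test also sends an oversized reply to the `else` branch, where it is logged as "GET_PP_PARAMS failed"; a separate message for the length rejection would make the two cases distinguishable in logs. The enclosing block starts and ends outside the hunk.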
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>