DivestOS/Patches/Linux_CVEs-New/CVE-2017-0609/ANY/0.patch
2017-10-29 14:23:02 -04:00


From 38a83df036084c00e8c5a4599c8ee7880b4ee567 Mon Sep 17 00:00:00 2001
From: Walter Yang <yandongy@codeaurora.org>
Date: Wed, 21 Dec 2016 14:43:46 +0800
Subject: ASoC: msm-cpe-lsm: cleanup ioctl functions
Some of the ioctl command handling is not properly using the
copy_from_user interface. Fix these issues and cleanup the ioctl
functions to make sure there is no illegal memory access.
CRs-Fixed: 1090482
Change-Id: Ib18e4b132d3487a3103335768aad5df2ebe13f2d
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
---
sound/soc/msm/msm-cpe-lsm.c | 51 +++++++++++++--------------------------------
1 file changed, 14 insertions(+), 37 deletions(-)
diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
index ef4c9b0..0b77e8c 100644
--- a/sound/soc/msm/msm-cpe-lsm.c
+++ b/sound/soc/msm/msm-cpe-lsm.c
@@ -1179,13 +1179,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
dev_dbg(rtd->dev,
"%s: %s\n",
__func__, "SNDRV_LSM_REG_SND_MODEL_V2");
- if (!arg) {
- dev_err(rtd->dev,
- "%s: Invalid argument to ioctl %s\n",
- __func__,
- "SNDRV_LSM_REG_SND_MODEL_V2");
- return -EINVAL;
- }
memcpy(&snd_model, arg,
sizeof(struct snd_lsm_sound_model_v2));
@@ -1328,13 +1321,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
dev_dbg(rtd->dev,
"%s: %s\n",
__func__, "SNDRV_LSM_EVENT_STATUS");
- if (!arg) {
- dev_err(rtd->dev,
- "%s: Invalid argument to ioctl %s\n",
- __func__,
- "SNDRV_LSM_EVENT_STATUS");
- return -EINVAL;
- }
user = arg;
@@ -1437,12 +1423,6 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
break;
case SNDRV_LSM_SET_PARAMS:
- if (!arg) {
- dev_err(rtd->dev,
- "%s: %s Invalid argument\n",
- __func__, "SNDRV_LSM_SET_PARAMS");
- return -EINVAL;
- }
memcpy(&det_params, arg,
sizeof(det_params));
if (det_params.num_confidence_levels <= 0) {
@@ -2289,12 +2269,6 @@ done:
}
#ifdef CONFIG_COMPAT
-struct snd_lsm_event_status32 {
- u16 status;
- u16 payload_size;
- u8 payload[0];
-};
-
struct snd_lsm_sound_model_v2_32 {
compat_uptr_t data;
compat_uptr_t confidence_level;
@@ -2326,8 +2300,6 @@ struct snd_lsm_module_params_32 {
};
enum {
- SNDRV_LSM_EVENT_STATUS32 =
- _IOW('U', 0x02, struct snd_lsm_event_status32),
SNDRV_LSM_REG_SND_MODEL_V2_32 =
_IOW('U', 0x07, struct snd_lsm_sound_model_v2_32),
SNDRV_LSM_SET_PARAMS32 =
@@ -2421,7 +2393,7 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
err);
}
break;
- case SNDRV_LSM_EVENT_STATUS32: {
+ case SNDRV_LSM_EVENT_STATUS: {
struct snd_lsm_event_status *event_status = NULL;
struct snd_lsm_event_status u_event_status32;
struct snd_lsm_event_status *udata_32 = NULL;
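Review bot: The locals `u_event_status32` and `udata_32` keep a `32` suffix although, with `struct snd_lsm_event_status32` removed by this commit, all three declarations are plain `struct snd_lsm_event_status`; the names now suggest a separate compat layout that no longer exists. Renaming them (for example `u_event_status` and `udata`) and adding a comment on the case such as `/* same layout for 32- and 64-bit callers; kept in the compat path only because arg is a user pointer that must be copied in before the shared handler sees it */` would make clear why this command is still handled here. That reading is inferred from the removed struct's fixed-width fields and from the later hunk that passes `event_status` to the shared handler; the case body starts in this hunk and continues outside it.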
@@ -2463,7 +2435,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
} else {
event_status->payload_size =
u_event_status32.payload_size;
- cmd = SNDRV_LSM_EVENT_STATUS;
err = msm_cpe_lsm_ioctl_shared(substream,
cmd, event_status);
if (err)
@@ -2563,13 +2534,6 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
return -EINVAL;
}
- if (!arg) {
- dev_err(rtd->dev,
- "%s: %s: No Param data to set\n",
- __func__, "SET_MODULE_PARAMS_32");
- return -EINVAL;
- }
-
if (copy_from_user(&p_data_32, arg,
sizeof(p_data_32))) {
dev_err(rtd->dev,
@@ -2647,6 +2611,19 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream,
kfree(params32);
break;
}
+ case SNDRV_LSM_REG_SND_MODEL_V2:
+ case SNDRV_LSM_SET_PARAMS:
+ case SNDRV_LSM_SET_MODULE_PARAMS:
+ /*
+ * In ideal cases, the compat_ioctl should never be called
+ * with the above unlocked ioctl commands. Print error
+ * and return error if it does.
+ */
+ dev_err(rtd->dev,
+ "%s: Invalid cmd for compat_ioctl\n",
+ __func__);
+ err = -EINVAL;
+ break;
default:
err = msm_cpe_lsm_ioctl_shared(substream, cmd, arg);
break;
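Review bot: The new cases reject only three native command numbers, while the `default:` branch right after them still hands the caller's raw `arg` to `msm_cpe_lsm_ioctl_shared()` for every other command. The shared handler reads `arg` directly with `memcpy` (visible for `SNDRV_LSM_REG_SND_MODEL_V2` and `SNDRV_LSM_SET_PARAMS`), and this commit also removes its `!arg` checks in the hunks at -1179, -1328 and -1423, so it now depends entirely on each caller passing a valid kernel buffer. Whether any command that still falls through to `default:` dereferences `arg` is not visible here and should be confirmed; if one does, list the pass-through commands explicitly and make `default:` set `err = -EINVAL;`. The added comment would also be more useful if it stated the reason, e.g. `/* The shared handler treats arg as a kernel pointer for these commands; from compat they may only be reached through the *_32 cases, which copy the data in first. */`. The function starts outside this hunk.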
--
cgit v1.1