DivestOS/Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch

From b66f442dd97c781e873e8f7b248e197f86fd2980 Mon Sep 17 00:00:00 2001
From: Xiaoyu Ye <benyxy@codeaurora.org>
Date: Mon, 19 Dec 2016 18:38:53 -0800
Subject: ASoC: msm: qdsp6v2: Add range checking in msm_dai_q6_set_channel_map

Range checking is added to prevent buffer overflow that due to inputs
can be set by user space.

CRs-Fixed: 1098363
Change-Id: I057261291806240ee6d7b8106a5e83a7665e013d
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
index 26cdd0f..fa21ec5 100644
--- a/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-dai-q6-v2.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1889,6 +1889,11 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 			pr_err("%s: rx slot not found\n", __func__);
 			return -EINVAL;
 		}
+		if (rx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid rx num %d\n", __func__, rx_num);
+			return -EINVAL;
+		}
+
 		for (i = 0; i < rx_num; i++) {
 			dai_data->port_config.slim_sch.shared_ch_mapping[i] =
 			    rx_slot[i];
@@ -1922,6 +1927,11 @@ static int msm_dai_q6_set_channel_map(struct snd_soc_dai *dai,
 			pr_err("%s: tx slot not found\n", __func__);
 			return -EINVAL;
 		}
+		if (tx_num > AFE_PORT_MAX_AUDIO_CHAN_CNT) {
+			pr_err("%s: invalid tx num %d\n", __func__, tx_num);
+			return -EINVAL;
+		}
+
 		for (i = 0; i < tx_num; i++) {
 			dai_data->port_config.slim_sch.shared_ch_mapping[i] =
 			    tx_slot[i];
-- 
cgit v1.1