Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
fc857876dc
DivestOS/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

91 lines
3.3 KiB
Diff
Raw Blame History

From e7369163162e7773bc887f7a264d6aa46cfcc665 Mon Sep 17 00:00:00 2001
From: Patrick Daly <pdaly@codeaurora.org>
Date: Thu, 28 May 2015 18:05:54 -0700
Subject: ASoC: msm: qdsp6v2: DAP: Fix unprotected userspace access
Use get_user() & friends to access userspace addresses.
Change-Id: I9741a60e53f6253da27913175e9b8c4abbf50db9
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Pradnya Chaphekar <pradnyac@codeaurora.org>
---
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
index 67a9400..7761b9c 100644
--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
@@ -1354,11 +1354,13 @@ end:
static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
{
int ret = 0, port_id = 0;
+ int32_t data;
struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
+ get_user(data, &dolby_data->data[0]);
pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
__func__, dolby_data->param_id, dolby_data->be_id,
- dolby_data->device_id, dolby_data->length, dolby_data->data[0]);
+ dolby_data->device_id, dolby_data->length, data);
switch (dolby_data->param_id) {
case DAP_CMD_COMMIT_ALL:
@@ -1370,18 +1372,18 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
break;
case DAP_CMD_USE_CACHE_FOR_INIT:
- ds2_dap_params_states.use_cache = dolby_data->data[0];
+ ds2_dap_params_states.use_cache = data;
break;
case DAP_CMD_SET_BYPASS:
pr_debug("%s: bypass %d bypass type %d, data %d\n", __func__,
ds2_dap_params_states.dap_bypass,
ds2_dap_params_states.dap_bypass_type,
- dolby_data->data[0]);
+ data);
/* Do not perform bypass operation if bypass state is same*/
- if (ds2_dap_params_states.dap_bypass == dolby_data->data[0])
+ if (ds2_dap_params_states.dap_bypass == data)
break;
- ds2_dap_params_states.dap_bypass = dolby_data->data[0];
+ ds2_dap_params_states.dap_bypass = data;
/* hard bypass */
if (ds2_dap_params_states.dap_bypass_type == DAP_HARD_BYPASS)
msm_ds2_dap_handle_bypass(dolby_data);
@@ -1390,7 +1392,7 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
break;
case DAP_CMD_SET_BYPASS_TYPE:
- if (dolby_data->data[0] == true)
+ if (data == true)
ds2_dap_params_states.dap_bypass_type =
DAP_HARD_BYPASS;
else
@@ -1429,6 +1431,7 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
{
int rc = 0, idx, i, j, off, port_id = 0, cdev = 0;
int32_t num_device = 0;
+ int32_t data = 0;
int32_t dev_arr[DS2_DSP_SUPPORTED_ENDP_DEVICE] = {0};
struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
@@ -1472,10 +1475,10 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
ds2_dap_params[cdev].dap_params_modified[idx] += 1;
for (j = 0; j < dolby_data->length; j++) {
off = ds2_dap_params_offset[idx];
- ds2_dap_params[cdev].params_val[off + j] =
- dolby_data->data[j];
+ get_user(data, &dolby_data->data[j]);
+ ds2_dap_params[cdev].params_val[off + j] = data;
pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
- __func__, off, dolby_data->data[j],
+ __func__, off, data,
ds2_dap_params[cdev].
params_val[off + j]);
}
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink