Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
fc857876dc
DivestOS/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

68 lines
2.4 KiB
Diff
Raw Blame History

From 7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e Mon Sep 17 00:00:00 2001
From: Ashish Jain <ashishj@codeaurora.org>
Date: Fri, 15 Apr 2016 15:33:14 +0530
Subject: ASoC: msm: qdsp6v2: DAP: Fix buffer overflow
Add check to avoid out of bound access.
Check return value of get_user api.
CRs-Fixed: 997025
Change-Id: Ibbace116ac206007fa1928555838285304737737
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
---
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
index 242dc5f..ace747d 100644
--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
@@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
int ret = 0, port_id = 0;
int32_t data;
struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
- get_user(data, &dolby_data->data[0]);
+ if (get_user(data, &dolby_data->data[0])) {
+ pr_debug("%s error getting data\n", __func__);
+ ret = -EFAULT;
+ goto end;
+ }
pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
__func__, dolby_data->param_id, dolby_data->be_id,
@@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
goto end;
}
+ off = ds2_dap_params_offset[idx];
+ if ((dolby_data->length <= 0) ||
+ (dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) {
+ pr_err("%s: invalid length %d at idx %d\n",
+ __func__, dolby_data->length, idx);
+ rc = -EINVAL;
+ goto end;
+ }
+
/* cache the parameters */
ds2_dap_params[cdev].dap_params_modified[idx] += 1;
for (j = 0; j < dolby_data->length; j++) {
- off = ds2_dap_params_offset[idx];
- get_user(data, &dolby_data->data[j]);
+ if (get_user(data, &dolby_data->data[j])) {
+ pr_debug("%s:error getting data\n", __func__);
+ rc = -EFAULT;
+ goto end;
+ }
ds2_dap_params[cdev].params_val[off + j] = data;
pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
__func__, off, data,
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink