evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

rtac: add size check when reading cal data kvaddr buffer

Browse source 
Add size check to ensure cal data bytes size fits inside
the cal date when copying to user space buffer.

CRs-Fixed: 2110256
Change-Id: I511999984684a9db4aaf1cf2c65eb1495c36980f
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
This commit is contained in:
kunleiz 2017-09-29 14:22:38 +08:00 committed by Gerrit - the friendly Code Review server
parent 6604cb543e
commit 1e40690dbd
1 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
sound/soc/msm/qdsp6v2/rtac.c
View file

@ -901,6 +901,14 @@ int send_adm_apr(void *buf, u32 opcode)
bytes_returned = ((u32 *)rtac_cal[ADM_RTAC_CAL].cal_data.
kvaddr)[2] + 3 * sizeof(u32);
if (bytes_returned > rtac_cal[ADM_RTAC_CAL].
map_data.map_size) {
pr_err("%s: Invalid data size = %d\n",
__func__, bytes_returned);
result = -EINVAL;
goto err;
}
if (bytes_returned > user_buf_size) {
pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
__func__, user_buf_size, bytes_returned);
@ -1123,6 +1131,14 @@ int send_rtac_asm_apr(void *buf, u32 opcode)
bytes_returned = ((u32 *)rtac_cal[ASM_RTAC_CAL].cal_data.
kvaddr)[2] + 3 * sizeof(u32);
if (bytes_returned > rtac_cal[ASM_RTAC_CAL].
map_data.map_size) {
pr_err("%s: Invalid data size = %d\n",
__func__, bytes_returned);
result = -EINVAL;
goto err;
}
if (bytes_returned > user_buf_size) {
pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
__func__, user_buf_size, bytes_returned);
@ -1382,6 +1398,14 @@ static int send_rtac_afe_apr(void *buf, uint32_t opcode)
bytes_returned = get_resp->param_size +
sizeof(struct afe_port_param_data_v2);
if (bytes_returned > rtac_cal[AFE_RTAC_CAL].
map_data.map_size) {
pr_err("%s: Invalid data size = %d\n",
__func__, bytes_returned);
result = -EINVAL;
goto err;
}
if (bytes_returned > user_afe_buf.buf_size) {
pr_err("%s: user size = 0x%x, returned size = 0x%x\n",
__func__, user_afe_buf.buf_size,
@ -1606,6 +1630,14 @@ int send_voice_apr(u32 mode, void *buf, u32 opcode)
bytes_returned = ((u32 *)rtac_cal[VOICE_RTAC_CAL].cal_data.
kvaddr)[2] + 3 * sizeof(u32);
if (bytes_returned > rtac_cal[VOICE_RTAC_CAL].
map_data.map_size) {
pr_err("%s: Invalid data size = %d\n",
__func__, bytes_returned);
result = -EINVAL;
goto err;
}
if (bytes_returned > user_buf_size) {
pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
__func__, user_buf_size, bytes_returned);