msm: asm: validate ADSP data before access · 877ffd6d9d - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

msm: asm: validate ADSP data before access

Validate buffer index obtained from ADSP token before using it.

CRs-Fixed: 2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>

This commit is contained in:

Vignesh Kulothungan

2019-02-28 14:55:05 -08:00

• committed by

Gerrit - the friendly Code Review server

parent c2c52e8d2b

commit 877ffd6d9d

1 changed files with 22 additions and 0 deletions

									
										22

sound/soc/msm/qdsp6v2/q6asm.c
									
										View file
										
				@ -1962,6 +1962,7 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)

						data->dest_port);

					if ((data->opcode != ASM_DATA_EVENT_RENDERED_EOS) &&

					    (data->opcode != ASM_DATA_EVENT_EOS) &&

					    (data->opcode != ASM_SESSION_EVENTX_OVERFLOW) &&

					    (data->opcode != ASM_SESSION_EVENT_RX_UNDERFLOW)) {

						if (payload == NULL) {

							pr_err("%s: payload is null\n", __func__);

				@ -2177,6 +2178,17 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)

							}

							spin_lock_irqsave(&port->dsp_lock, dsp_flags);

							buf_index = asm_token._token.buf_index;

							if (buf_index < 0 ||

									buf_index >= port->max_buf_cnt) {

								pr_debug("%s: Invalid buffer index %u\n",

								__func__, buf_index);

								spin_unlock_irqrestore(&port->dsp_lock,

												dsp_flags);

								spin_unlock_irqrestore(

									&(session[session_id].session_lock),

									flags);

								return -EINVAL;

							}

							if (data->payload_size >= 2 * sizeof(uint32_t) &&

								(lower_32_bits(port->buf[buf_index].phys) !=

								payload[0] ||

				@ -2287,6 +2299,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)

							}

							spin_lock_irqsave(&port->dsp_lock, dsp_flags);

							buf_index = asm_token._token.buf_index;

							if (buf_index < 0 || buf_index >= port->max_buf_cnt) {

								pr_debug("%s: Invalid buffer index %u\n",

								__func__, buf_index);

								spin_unlock_irqrestore(&port->dsp_lock,

												dsp_flags);

								spin_unlock_irqrestore(

									&(session[session_id].session_lock),

									flags);

								return -EINVAL;

							}

							port->buf[buf_index].used = 0;

							if (lower_32_bits(port->buf[buf_index].phys) !=

							payload[READDONE_IDX_BUFADD_LSW] ||