evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ASoC: msm: qdsp6v2: add size check to fix out of bounds issue

Browse source 
Before calling audio calibration ioctl functions, compare the
allocated buffer size to the size of the header and cal type header
to ensure the buffer is big enough.

Change-Id: I601bb37ddcc34d459c207cf579f29744fe912d7b
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
This commit is contained in:
Vidyakumar Athota 2017-06-20 16:39:00 -07:00
parent 560a996da5
commit 8914f7b861
1 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
sound/soc/msm/qdsp6v2/audio_calibration.c
View file

@ -453,6 +453,12 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
data->cal_type.cal_hdr.buffer_number);
ret = -EINVAL;
goto done;
} else if ((data->hdr.cal_type_size + sizeof(data->hdr)) > size) {
pr_err("%s: cal type hdr size %zd + cal type size %d is greater than user buffer size %d\n",
__func__, sizeof(data->hdr), data->hdr.cal_type_size,
size);
ret = -EFAULT;
goto done;
}
@ -490,13 +496,7 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
goto unlock;
if (data == NULL)
goto unlock;
if ((sizeof(data->hdr) + data->hdr.cal_type_size) > size) {
pr_err("%s: header size %zd plus cal type size %d are greater than data buffer size %d\n",
__func__, sizeof(data->hdr),
data->hdr.cal_type_size, size);
ret = -EFAULT;
goto unlock;
} else if (copy_to_user((void *)arg, data,
if (copy_to_user(arg, data,
sizeof(data->hdr) + data->hdr.cal_type_size)) {
pr_err("%s: Could not copy cal type to user\n",
__func__);