diff options
author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-01-06 14:37:20 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2023-01-18 22:57:05 -0800 |
commit | a4374817ccc8686f86aa708243ecda95da28e216 (patch) | |
tree | 5fcdbe8a6aecfcfa154b4e87241397ee6e548770 | |
parent | d5d266316c190b5f99df178621ac6d5493bc6fa8 (diff) | |
download | msm-extra-a4374817ccc8686f86aa708243ecda95da28e216.tar.gz |
ASoC: msm-pcm-q6-v2: Add dsp buf check
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: I7753cc6db394704dbb959477150141d42b836bef
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
-rw-r--r-- | asoc/msm-pcm-q6-v2.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/asoc/msm-pcm-q6-v2.c b/asoc/msm-pcm-q6-v2.c index e6a5c1a7..04c6eec3 100644 --- a/asoc/msm-pcm-q6-v2.c +++ b/asoc/msm-pcm-q6-v2.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only /* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. */ @@ -1007,6 +1008,14 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream, xfer = size; offset = prtd->in_frame_info[idx].offset; pr_debug("Offset value = %d\n", offset); + + if (offset >= size) { + pr_err("%s: Invalid dsp buf offset\n", __func__); + ret = -EFAULT; + q6asm_cpu_buf_release(OUT, prtd->audio_client); + goto fail; + } + if (size == 0 || size < prtd->pcm_count) { memset(bufptr + offset + size, 0, prtd->pcm_count - size); if (fbytes > prtd->pcm_count) |