diff options
author | Bubble Fang <bubblefang@google.com> | 2023-09-04 07:11:20 +0000 |
---|---|---|
committer | Bubble Fang <bubblefang@google.com> | 2023-09-26 06:40:25 +0000 |
commit | 98361d9521fe61bd7b47256c5cb860f02ad1162e (patch) | |
tree | e2c6daa12d52214bffb5c22ae23193d57d17051a | |
parent | a37ceaedf6fa842c011130b3558e86dbafa2893e (diff) | |
download | msm-extra-98361d9521fe61bd7b47256c5cb860f02ad1162e.tar.gz |
dsp: asm: validate payload size before access
Payload size is not checked before payload access. Check size
to avoid out-of-boundary memory access.
Bug: 295052332
Change-Id: Ia22f3346a0f23012ddde65326515c42330466ca3
Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r-- | dsp/q6asm.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/dsp/q6asm.c b/dsp/q6asm.c index 2939599d..4effafb9 100644 --- a/dsp/q6asm.c +++ b/dsp/q6asm.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. * Author: Brian Swetland <swetland@google.com> * * This software is licensed under the terms of the GNU General Public @@ -2289,6 +2290,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) config_debug_fs_read_cb(); + if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) { + pr_err("%s: payload size of %d is less than expected %d.\n", + __func__, data->payload_size, + ((READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t))); + spin_unlock_irqrestore( + &(session[session_id].session_lock), + flags); + return -EINVAL; + } dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n", __func__, payload[READDONE_IDX_STATUS], payload[READDONE_IDX_BUFADD_LSW], |