authorBubble Fang <bubblefang@google.com>2023-03-21 07:42:05 +0000
committerBubble Fang <bubblefang@google.com>2023-03-21 16:51:27 +0000
commita97bf911247530b1a32dbb54d681a98d0005a997 (patch)
tree8022fec535bbb017dbaf674f4fe6a10124af04ce
parent8ba12fbc3f3c8ffe42bca10157e6c10485fd22d8 (diff)
downloadmsm-extra-a97bf911247530b1a32dbb54d681a98d0005a997.tar.gz
Date: Fri, 6 Jan 2023 14:37:20 +0530 Subject: [PATCH] ASoC: msm-pcm-q6-v2: Add dsp buf check Current logic copies user buf size of data from the avail dsp buf at a given offset. If this offset returned from DSP in READ_DONE event goes out of bounds or is corrupted, then it can lead to out of bounds DSP buffer access, resulting in memory fault. Fix is to add check for this buf offset, if it is within the buf size range. Bug: 271880369 Note: From a4374817ccc8686f86aa708243ecda95da28e216 Test: Local test Change-Id: I964d760a19c574f0151f00cf9aba2a9592aabc29 Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r--asoc/msm-pcm-q6-v2.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/asoc/msm-pcm-q6-v2.c b/asoc/msm-pcm-q6-v2.c
index e6a5c1a7..04c6eec3 100644
--- a/asoc/msm-pcm-q6-v2.c
+++ b/asoc/msm-pcm-q6-v2.c
@@ -1,5 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
@@ -1007,6 +1008,14 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream,
xfer = size;
offset = prtd->in_frame_info[idx].offset;
pr_debug("Offset value = %d\n", offset);
+
+ if (offset >= size) {
+ pr_err("%s: Invalid dsp buf offset\n", __func__);
+ ret = -EFAULT;
+ q6asm_cpu_buf_release(OUT, prtd->audio_client);
+ goto fail;
+ }
+
if (size == 0 || size < prtd->pcm_count) {
memset(bufptr + offset + size, 0, prtd->pcm_count - size);
if (fbytes > prtd->pcm_count)
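Review bot: The added `offset >= size` check compares the DSP-supplied offset with what appears to be the returned payload size, not with the capacity of the buffer behind `bufptr`, so it does not bound the accesses that follow. The `memset(bufptr + offset + size, 0, prtd->pcm_count - size)` just below still writes up to `bufptr + offset + prtd->pcm_count`, and with `xfer = size` any later read starting at `bufptr + offset` can extend to `offset + size`; both can run past the buffer even when `offset < size`. I would validate against the allocated length instead, for example `if (offset >= buf_len || size > buf_len - offset || prtd->pcm_count > buf_len - offset)`, where `buf_len` is a placeholder for whichever field holds the per-buffer size (not visible in this hunk). Separately, when `size == 0` the new check rejects every non-negative offset, so the `size == 0` arm of the following condition looks unreachable now and a zero-length read becomes `-EFAULT`. msm_pcm_capture_copy starts and ends outside the hunk, so the declared types of `offset` and `size` (the former is logged with `%d`) should be confirmed before settling on the comparison.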