author | Bubble Fang <bubblefang@google.com> | 2023-09-01 17:24:02 +0000 |
---|---|---|
committer | Bubble Fang <bubblefang@google.com> | 2023-09-08 17:43:26 +0000 |
commit | e867414fa42b483659dd56e5d4f0e6d4f1a5bb9d (patch) | |
tree | 8c9b0e5a1fd16f0ff8c2791f6acb309c922803dd | |
parent | 4523f2360e370f4ec763987b61953dc01cbc68e0 (diff) | |
dsp: q6core: validate payload size before access for AVCS
android-14.0.0_r0.47 android-14.0.0_r0.12 android-msm-redbull-4.19-android14-release android-msm-redbull-4.19-android14
Payload size is not checked before payload access for AVCS.
Check size to avoid out-of-boundary memory access.
Bug: 295039120
Change-Id: Ie7dd953c5fc12c73c7114a11ba6e45536c888869
Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r-- | dsp/q6core.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/dsp/q6core.c b/dsp/q6core.c
index 093a3db8..dae0a03c 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 */

 #include <linux/kernel.h>
@@ -474,6 +475,12 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
 case AVCS_CMD_RSP_LOAD_MODULES:
 pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
 __func__);
+ if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
+ * rsp_payload->num_modules) + sizeof(uint32_t))) {
+ pr_err("%s: payload size not equal to expected size %d\n",
+ __func__,data->payload_size);
+ return -EINVAL;
+ }
 memcpy(rsp_payload, data->payload, data->payload_size);
 q6core_lcl.avcs_module_resp_received = 1;
 wake_up(&q6core_lcl.avcs_module_load_unload_wait);
@@ -998,6 +1005,8 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
 return -ENOMEM;
 }

+ rsp_payload->num_modules = num_modules;
+
 memcpy((uint8_t *)mod + sizeof(struct apr_hdr) +
 sizeof(struct avcs_load_unload_modules_meminfo),
 payload, payload_size);
 |
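Review bot: The size check added in the AVCS_CMD_RSP_LOAD_MODULES case takes its expected count from `rsp_payload->num_modules`, and the `memcpy()` right after it writes the response over that same buffer. After one accepted response the count used for validation therefore presumably comes from the DSP rather than from the request (assuming `num_modules` is the leading field, as the `+ sizeof(uint32_t)` term suggests), while the allocation size stays fixed. I would compare against driver-owned state that the copy cannot overwrite and test the pointer first, e.g. `if (!rsp_payload || data->payload_size != expected_rsp_size) {`, where `expected_rsp_size` is a placeholder for a value stored by the requester. The early `return -EINVAL` also skips `wake_up()`, so the requester appears to learn of the rejection only by timing out. Smaller points: `%d` should be `%u` if `payload_size` is unsigned, `__func__,data->payload_size` needs a space after the comma, and the enclosing function starts and ends outside the hunk.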
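Review bot: The added `rsp_payload->num_modules = num_modules;` carries no comment saying that it exists to seed the size check in `aprv2_core_fn_q()`, so a reader of this function alone would take it for a redundant write into a buffer that is about to receive the response. I would add `/* Seed the expected module count; the AVCS_CMD_RSP_LOAD_MODULES handler validates payload_size against it. */` above the store. No lock is visible around the store in this hunk, so whether the response callback can read the field while it is being reseeded needs checking against the part of `q6core_avcs_load_unload_modules()` that lies outside the hunk.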