authorBubble Fang <bubblefang@google.com>2023-09-01 17:24:02 +0000
committerBubble Fang <bubblefang@google.com>2023-09-08 17:43:26 +0000
commite867414fa42b483659dd56e5d4f0e6d4f1a5bb9d (patch)
tree8c9b0e5a1fd16f0ff8c2791f6acb309c922803dd
parent4523f2360e370f4ec763987b61953dc01cbc68e0 (diff)
Payload size is not checked before payload access for AVCS. Check size to avoid out-of-boundary memory access. Bug: 295039120 Change-Id: Ie7dd953c5fc12c73c7114a11ba6e45536c888869 Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r--dsp/q6core.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/dsp/q6core.c b/dsp/q6core.c
index 093a3db8..dae0a03c 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/kernel.h>
@@ -474,6 +475,12 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
case AVCS_CMD_RSP_LOAD_MODULES:
pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
__func__);
+ if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
+ * rsp_payload->num_modules) + sizeof(uint32_t))) {
+ pr_err("%s: payload size not equal to expected size %d\n",
+ __func__,data->payload_size);
+ return -EINVAL;
+ }
memcpy(rsp_payload, data->payload, data->payload_size);
q6core_lcl.avcs_module_resp_received = 1;
wake_up(&q6core_lcl.avcs_module_load_unload_wait);
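Review bot: The new size check in the AVCS_CMD_RSP_LOAD_MODULES case reads `rsp_payload->num_modules` without first confirming that `rsp_payload` is non-NULL, and nothing visible in this hunk shows that a response can only arrive while a load/unload request is outstanding; a guard such as `if (!rsp_payload) return -EINVAL;` ahead of the comparison would cover that. The memcpy that follows then overwrites `rsp_payload->num_modules` with whatever count sits at the start of the DSP payload (assuming num_modules is the leading uint32_t, as the `+ sizeof(uint32_t)` term suggests), so any later code that iterates over that field should compare it with the expected count and reject a mismatch. The error path also returns before `wake_up()`, so the waiter presumably blocks until its timeout, and the message would be more useful if it printed the expected size as well, with a format specifier that matches the type of payload_size. aprv2_core_fn_q starts and ends outside the hunk.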
@@ -998,6 +1005,8 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
return -ENOMEM;
}
+ rsp_payload->num_modules = num_modules;
+
memcpy((uint8_t *)mod + sizeof(struct apr_hdr) +
sizeof(struct avcs_load_unload_modules_meminfo),
payload, payload_size);
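Review bot: `rsp_payload->num_modules = num_modules;` is the value the response handler's new size check multiplies by, but the line carries no comment saying so, and the allocation of rsp_payload is outside this hunk, so it cannot be confirmed here that the buffer holds at least `sizeof(uint32_t) + num_modules * sizeof(struct avcs_load_unload_modules_sec_payload)` bytes. A comment such as `/* expected count; aprv2_core_fn_q() rejects responses whose size does not match it */` would document the coupling. If num_modules reaches this function without an upper bound, it is worth confirming that the allocation uses the same expression, so the handler's memcpy cannot exceed the buffer. q6core_avcs_load_unload_modules begins and ends outside the hunk.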