summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-02-04Merge android-msm-pixel-4.19-24Q1 into android-msm-pixel-4.19-24Q2android-u-qpr3-beta-2.1_r0.6android-msm-redbull-4.19-android14-qpr3-betaPixelBot AutoMerger
SBMerger: 603054162 Change-Id: Ic1b078bea84007432b464acc1d9080751c9cc428 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2024-02-01dsp: add protection to prevent OOB for tasandroid-14.0.0_r0.78android-14.0.0_r0.68android-msm-redbull-4.19-android14-qpr2vincenttew
Bug: 322896109 Change-Id: I1b5af19507d623208dc8d942da3520d93e2690c1 Signed-off-by: vincenttew <vincenttew@google.com> (cherry picked from commit d91323baae6f759cf67d18c0431e32bc61046cb9)
2024-01-22dsp: add protection to prevent OOB for tasvincenttew
Bug: 291869046 Change-Id: I1b5af19507d623208dc8d942da3520d93e2690c1 Signed-off-by: vincenttew <vincenttew@google.com>
2023-12-31Merge android-msm-pixel-4.19-24Q1 into android-msm-pixel-4.19-24Q2PixelBot AutoMerger
SBMerger: 571992243 Change-Id: Ie732508ec781d0c969e26668f5f76249aadafa64 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2023-12-26ASoC: msm-lsm-client: Integer overflow checkandroid-u-qpr2-beta-3.1_r0.6android-14.0.0_r0.58android-msm-redbull-4.19-android14-qpr2-betaBubble Fang
Added integer overflow check for lsm_params_get_info size. Bug: 309462484 Change-Id: Ide4ec94a2fa6c21d40b1101d8b05b5f7931075c8 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-12-26dsp: q6asm: Add check for ADSP payload sizeBubble Fang
There is no check for the ADSP returned payload size for ASM_SESSION_CMD_GET_MTMX_STRTR_PARAMS_V2 cmd response. This can lead to buffer overread. Fix is to address this. Bug: 309462901 Change-Id: I44ed1cbc4cf3706a85754c7dfd07f5b50859ec6a Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-12-26ASoC: msm-audio-effects-q6-v2: Add BPF order checkBubble Fang
Added check for bandpassfilter order in order to avoid coeff len going out of bounds thereby leading to memory overflow issues. Bug: 309463056 Change-Id: I59c9a53c5965ae4b68df0524af754c34c7c384d0 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-10-31ASoC: dsp: q6core: Avoid use after freeandroid-u-qpr3-beta-2_r0.1android-u-qpr3-beta-1_r0.6android-u-qpr2-beta-3_r0.1android-14.0.0_r0.46android-14.0.0_r0.32android-msm-redbull-4.19-android14-qpr1Bubble Fang
Add check for AVCS_CMD_RSP_LOAD_MODULE response payload to avoid its access after free. Bug: 303101067 Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-10-31ASoC: msm-pcm-host-voice: Check validity of session idxBubble Fang
Added check for voice session index. Bug: 303101147 Change-Id: I12c46c9fdcd7a333118bc055021f409642ad7e1b Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-10-31dsp: q6lsm: Address use after free for mmap handleBubble Fang
The global declared mmap_handle can be left dangling for case when the handle is freed by the calling function. Fix is to address this. Also add a check to make sure the mmap_handle is accessed legally. Bug: 303101456 Change-Id: I81055f2066de71bb290d1936e8cb0806bbc76c02 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-10-31dsp: q6afe: Add check for fbsp stateBubble Fang
Added check for fbsp state in get_calib_data functions to avoid OOB read issues Bug: 303107435 Change-Id: I8f3b285e3c577b1dfee128adfc6e64f7f770f2c0 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: add lock in ion free to avoid use after freeandroid-u-qpr2-beta-1_r0.8android-14.0.0_r0.20Bubble Fang
add lock in ion free to protect dma buff and avoid use after free. Bug: 276762552 Change-Id: Ieb09f676104da7dd9a890f943dbaa924c4e46590 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26ASoC: msm-pcm-q6-v2: Add dsp buf checkBubble Fang
Fix is to add check for this ADSP returned buf offset + size, if it is within the available buf size range Bug: 299146464 Change-Id: I4a1a5d564e7a1ecaa91f6ff5df9301acc44e0dad Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: afe: Add check for num_channelsBubble Fang
Check for valid num_channels before accessing. Bug: 299130860 Change-Id: I27a77ebb0b2c342eb8bbac98ff80b782d95b33b9 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: q6voice: Add buf size check for cvs cal dataBubble Fang
Check for the max size of cvs command register calibration data that can be copied else will result in buffer overflow. Bug: 295052588 Change-Id: I60ef7a39d97505b493b53466189237a03e1cf3c1 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: asm: validate payload size before accessBubble Fang
Payload size is not checked before payload access. Check size to avoid out-of-boundary memory access. Bug: 295052332 Change-Id: Ia22f3346a0f23012ddde65326515c42330466ca3 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: q6core: Avoid OOB access in q6coreBubble Fang
"num_services", a signed integer when compared with constant results in conversion of signed integer to max possible unsigned int value when "num_services" is a negative value. This can lead to OOB read. Fix is to handle this case. Bug: 295052084 Change-Id: I6b3a2939451bea905bdbf02015be294af1867b96 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_startBubble Fang
There is no error check for case when hpcm_start is called for the same RX or TX tap points multiple times. This can result in OOB access of struct vss_ivpcm_tap_point. Handle this scenario with appropriate no_of_tp check. Bug: 295051886 Change-Id: Ib98cbaea6369e2c023160918fc9662ebe36e58b6 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-26dsp: afe: Add check for sidetone iir config copy sizeBubble Fang
Avoid OOB access of sidetone iir config array when iir_num_biquad_stages returned from cal block is > 10 Bug: 295051806 Change-Id: I425472f81a6a9d8916b899308af20da16a868c9d Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-12Merge android-msm-pixel-4.19-udc into android-msm-pixel-4.19-udc-qpr1PixelBot AutoMerger
Bug: 292447561 SBMerger: 558810260 Change-Id: Ic4051261e70024dd46a78cc27ea0745172a59f08 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2023-09-08dsp: q6core: validate payload size before access for AVCSandroid-14.0.0_r0.47android-14.0.0_r0.12android-msm-redbull-4.19-android14-releaseandroid-msm-redbull-4.19-android14Bubble Fang
Payload size is not checked before payload access for AVCS. Check size to avoid out-of-boundary memory access. Bug: 295039120 Change-Id: Ie7dd953c5fc12c73c7114a11ba6e45536c888869 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-01ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copyBubble Fang
Add check for the max hpcm_buf_node size before copy to avoid buffer out of bounds issue. Bug: 290061915 Change-Id: Ida4cd1b2f59a751458b10b9d53e50eb39f4e299c Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-09-01ASoC: msm-pcm-voip: Avoid interger underflowBubble Fang
There is no check for voip pkt pkt_len,if it contains the min required data. This can lead to integer underflow. Add check for the same. Bug: 295019252 Change-Id: I13925fc3447f18e6c37e4a4978de3fd83b812be7 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-08-13Merge android-msm-pixel-4.19-udc into android-msm-pixel-4.19-udc-qpr1PixelBot AutoMerger
SBMerger: 526756187 Change-Id: I644728000d8457fe91d5a60cc341b2862f37a8e2 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2023-08-08dsp: afe: check for param size before copyingandroid-u-qpr1-beta-1_r0.6android-u-beta-5.3_r0.6android-14.0.0_r0.1android-msm-redbull-4.19-u-beta5.3android-msm-redbull-4.19-android14-qpr1-betaArnold Chuang
check for the proper param size before copying, to avoid buffer overflow. Bug: 290061247 Change-Id: I8f643fe49a7afde11bd52f6e9c96e2a5bcc1c369 Signed-off-by: Arnold Chuang <cchuangg@google.com>
2023-04-26Merge branch 'LA.UM.9.12.C10.11.00.00.840.535' via branch ↵android-u-beta-5_r0.6android-u-beta-5.2_r0.2android-u-beta-4_r0.6android-u-beta-3_r0.1android-msm-redbull-4.19-u-beta5.2android-msm-redbull-4.19-u-beta5android-msm-redbull-4.19-u-beta4android-msm-redbull-4.19-u-beta3JohnnLee
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Bug: 272199761 Change-Id: Ic3fe2e078b1f522bf400899923341d6e732362ac Signed-off-by: JohnnLee <johnnlee@google.com>
2023-04-16Merge android-msm-pixel-4.19-tm-qpr3 into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 516612970 Change-Id: I220c551142464321c68a42841b3767ccccfb777b Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2023-03-21From: Soumya Managoli <quic_c_smanag@quicinc.com>android-t-qpr3-beta-3_r0.2android-t-qpr3-beta-3.1_r0.2android-13.0.0_r0.81android-13.0.0_r0.122android-13.0.0_r0.111android-13.0.0_r0.102android-msm-redbull-4.19-t-qpr3-beta-3android-msm-redbull-4.19-android13-qpr3Bubble Fang
Date: Fri, 6 Jan 2023 14:37:20 +0530 Subject: [PATCH] ASoC: msm-pcm-q6-v2: Add dsp buf check Current logic copies user buf size of data from the avail dsp buf at a given offset. If this offset returned from DSP in READ_DONE event goes out of bounds or is corrupted, then it can lead to out of bounds DSP buffer access, resulting in memory fault. Fix is to add check for this buf offset, if it is within the buf size range. Bug: 271880369 Note: From a4374817ccc8686f86aa708243ecda95da28e216 Test: Local test Change-Id: I964d760a19c574f0151f00cf9aba2a9592aabc29 Signed-off-by: Bubble Fang <bubblefang@google.com>
2023-03-06Merge branch 'LA.UM.9.12.C10.11.00.00.840.535' via branch ↵Wilson Sung
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Change-Id: Ia5bd6362505ae2c799c07f2942fc7d7e786a5166
2023-01-18ASoC: msm-pcm-q6-v2: Add dsp buf checkSoumya Managoli
Current logic copies user buf size of data from the avail dsp buf at a given offset. If this offset returned from DSP in READ_DONE event goes out of bounds or is corrupted, then it can lead to out of bounds DSP buffer access, resulting in memory fault. Fix is to add check for this buf offset, if it is within the buf size range. Change-Id: I7753cc6db394704dbb959477150141d42b836bef Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
2022-12-21Merge branch 'LA.UM.9.12.C10.11.00.00.840.478' via branch ↵android-u-preview-2_r0.1android-u-beta-2_r0.1android-u-beta-2.1_r0.1android-u-beta-1_r0.2android-msm-redbull-4.19-u-preview-2android-msm-redbull-4.19-u-beta2android-msm-redbull-4.19-u-beta1JohnnLee
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Bug: 261541074 Change-Id: I9afc4042670bd395febcc0906666b49ca88f044d Signed-off-by: JohnnLee <johnnlee@google.com>
2022-12-20Merge branch 'LA.UM.9.12.C10.11.00.00.840.478' via branch ↵Wilson Sung
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Change-Id: I4b5bfeacc3b1799d29f54922654f330242dfc636
2022-11-01soc: swr-mstr: Store and compare dev_addr along with dev_numShalini Manjunatha
-> If enumeration is changed runtime, dev_num gets changed -> so it might result in different dev_num for same device -> between swrm_connect_port and swr_disconnect_port while powering up and down of widget -> This results in not emptying the port_req list, hence swrm not going to suspend state -> This results into adsp not going to sleep state Change-Id: I80326a35f0cac7f7be30cbbee119a8ba247a0f76
2022-10-27Merge branch 'LA.UM.9.12.C10.11.00.00.840.415' via branch ↵android-u-preview-1_r0.1android-msm-redbull-4.19-u-preview-1JohnnLee
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Bug: 253163588 Change-Id: Id8f721dfcc23ead6f4c6adc36a7b8471f3584aab Signed-off-by: JohnnLee <johnnlee@google.com>
2022-10-26Merge branch 'LA.UM.9.12.C10.11.00.00.840.415' via branch ↵Wilson Sung
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Change-Id: I9fada88babca9903940b66d51ce9e94cd0c8bcf7
2022-05-10asoc: codecs: Add nullptr checkShazmaan Ali
fix for nullptr deref issue Change-Id: I26acf2c5c696038c6d5c64d858174b2f2c58a7d3 Signed-off-by: Shazmaan Ali <quic_shazmaan@quicinc.com>
2022-03-25Merge branch 'LA.UM.9.12.C10.11.00.00.840.265' via branch ↵android-t-qpr3-beta-2_r0.2android-t-qpr3-beta-1_r0.2android-t-qpr2-beta-3_r0.2android-t-qpr2-beta-3.2_r0.3android-t-qpr2-beta-2_r0.2android-t-qpr2-beta-1_r0.3android-t-qpr1-beta-3_r0.1android-t-qpr1-beta-2_r0.3android-t-qpr1-beta-1_r0.2android-t-beta-4_r0.3android-t-beta-3_r0.3android-t-beta-3.3_r0.3android-t-beta-3.2_r0.3android-13.0.0_r0.72android-13.0.0_r0.67android-13.0.0_r0.62android-13.0.0_r0.57android-13.0.0_r0.52android-13.0.0_r0.47android-13.0.0_r0.42android-13.0.0_r0.3android-13.0.0_r0.18android-13.0.0_r0.13android-msm-redbull-4.19-t-qpr3-beta-2android-msm-redbull-4.19-t-qpr2-beta-3.2android-msm-redbull-4.19-t-qpr2-beta-1android-msm-redbull-4.19-t-qpr1-beta-2android-msm-redbull-4.19-t-beta-4android-msm-redbull-4.19-t-beta-3android-msm-redbull-4.19-android13-qpr3-beta1android-msm-redbull-4.19-android13-qpr2-betaandroid-msm-redbull-4.19-android13-qpr2android-msm-redbull-4.19-android13-qpr1-beta-3android-msm-redbull-4.19-android13-qpr1-betaandroid-msm-redbull-4.19-android13-qpr1android-msm-redbull-4.19-android13JohnnLee
'qcom-msm-4.19-7250' into android-msm-pixel-4.19 Bug: 223958127 Signed-off-by: JohnnLee <johnnlee@google.com> Change-Id: I8f0ea5df66808aad098a2da633f62ede0d8cc792
2022-01-31asoc: changes to fix KW errorsLakshman Chaluvaraju
Add changes to fix KW errors. Change-Id: I87fc8bf5b2753cef6af881713637e9521389708d Signed-off-by: Lakshman Chaluvaraju <quic_lchalu@quicinc.com>
2022-01-27Merge branch 'LA.UM.9.12.C10.11.00.00.840.201' via branch ↵android-t-beta-2_r0.3android-msm-redbull-4.19-t-beta-2JohnnLee
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19 Bug: 210578498 Signed-off-by: JohnnLee <johnnlee@google.com> Change-Id: I9ba8fa5ddf164cb72f578b4e2820a733ebf52516
2022-01-18Merge android-msm-pixel-4.19-sc-qpr3 into android-msm-pixel-4.19android-t-preview-2_r0.3android-t-beta-1_r0.3android-msm-redbull-4.19-t-preview-2android-msm-redbull-4.19-t-beta-1Lucas Wei
SBMerger: 410055097 Change-Id: I779faebb5351fc3eeebd5f6c09afbb98ebfe56b1 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> Signed-off-by: Lucas Wei <lucaswei@google.com>
2022-01-16Merge android-msm-barbet-4.19-sc-qpr3 into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 410055097 Change-Id: Ie6dbecd41666345280346e33848e0e6b7c594071 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-16Merge android-msm-barbet-4.19-sc-v2 into android-msm-barbet-4.19-sc-qpr3android-s-qpr3-beta-3_r0.4android-s-qpr3-beta-2_r0.4android-s-qpr3-beta-1_r0.4android-12.1.0_r0.34android-12.1.0_r0.27android-msm-barbet-4.19-s-qpr3-beta-3android-msm-barbet-4.19-s-qpr3-beta-2android-msm-barbet-4.19-android12-qpr3PixelBot AutoMerger
SBMerger: 410055097 Change-Id: I6652548d397f3ece7171c9818b74a787f8d7adf1 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-16Merge android-msm-barbet-4.19-sc-qpr1 into android-msm-barbet-4.19-sc-v2android-12.1.0_r0.21android-12.1.0_r0.15android-msm-barbet-4.19-android12LPixelBot AutoMerger
SBMerger: 410055097 Change-Id: I5391cae04af7410dcc81eacfe0af07db013db78e Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-16Merge android-msm-pixel-4.19-sc-v2 into android-msm-pixel-4.19-sc-qpr3android-s-qpr3-beta-3_r0.3android-s-qpr3-beta-2_r0.3android-s-qpr3-beta-1_r0.3android-12.1.0_r0.33android-12.1.0_r0.26android-msm-redbull-4.19-s-qpr3-beta-3android-msm-redbull-4.19-s-qpr3-beta-2android-msm-redbull-4.19-android12-qpr3PixelBot AutoMerger
SBMerger: 410055097 Change-Id: I4b7c4b507445afd9f5bee23ee2fb7e8f728443ef Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-09Merge android-msm-pixel-4.19-sc-qpr1 into android-msm-pixel-4.19-sc-v2android-s-v2-beta-3_r0.4android-12.1.0_r0.4android-12.1.0_r0.20android-12.1.0_r0.14android-msm-redbull-4.19-s-v2-beta-3android-msm-redbull-4.19-android12LPixelBot AutoMerger
SBMerger: 410055097 Change-Id: Iab9a6c665744bb1534a4ae729feba2b43a4b850e Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-05Merge branch 'LA.UM.9.12.C10.11.00.00.840.201' into HEADWilson Sung
Change-Id: I81665aae9d704afcbcb3a969a67245508b2e31f9
2021-12-02Merge branch 'LA.UM.9.12.C10.11.00.00.840.150' into HEADWilson Sung
Change-Id: Iaa12e82b4f6b2ef4786dc4934d3df12b17679882
2021-11-24Merge branch 'android-msm-barbet-4.19-sc-security' into ↵android-12.0.0_r0.41android-12.0.0_r0.35android-msm-barbet-4.19-android12-qpr1Eva Huang
android-msm-barbet-4.19-sc-qpr1 Jan 2022.1 Bug: 204278602 Change-Id: If0896ff2c81f88271be9ac79679b62e13fac3fd9
2021-11-24Merge branch 'android-msm-pixel-4.19-sc-security' into ↵android-12.0.0_r0.40android-12.0.0_r0.34android-msm-redbull-4.19-android12-qpr1Eva Huang
android-msm-pixel-4.19-sc-qpr1 Jan 2022.1 Bug: 204278602 Change-Id: Id767184f62836ddb9e70edbdaadab6c2c0feab31
2021-11-24Asoc: check for invalid voice session idBubble Fang
Add check to return if session id is invalid. From 28a5f166422bf0b8b91dc348d02e62212ee0b261 Mon Sep 17 00:00:00 2001 From: Lakshman Chaluvaraju <lchalu@codeaurora.org> Date: Tue, 8 Jun 2021 10:43:20 +0530 Bug: 190503256 Signed-off-by: Bubble Fang <bubblefang@google.com> Change-Id: I2833f375e7c971d2006de3d0c3d0a05ccf535111 (cherry picked from commit 43667cf179dda119cb8e6224fff04511c4c0045d)
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-21 18:19:03 +0000