Age | Commit message (Collapse) | Author |
|
SBMerger: 603054162
Change-Id: Ic1b078bea84007432b464acc1d9080751c9cc428
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Bug: 322896109
Change-Id: I1b5af19507d623208dc8d942da3520d93e2690c1
Signed-off-by: vincenttew <vincenttew@google.com>
(cherry picked from commit d91323baae6f759cf67d18c0431e32bc61046cb9)
|
|
Bug: 291869046
Change-Id: I1b5af19507d623208dc8d942da3520d93e2690c1
Signed-off-by: vincenttew <vincenttew@google.com>
|
|
SBMerger: 571992243
Change-Id: Ie732508ec781d0c969e26668f5f76249aadafa64
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Added integer overflow check for lsm_params_get_info size.
Bug: 309462484
Change-Id: Ide4ec94a2fa6c21d40b1101d8b05b5f7931075c8
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
There is no check for the ADSP returned payload size
for ASM_SESSION_CMD_GET_MTMX_STRTR_PARAMS_V2 cmd response.
This can lead to buffer overread. Fix is to address this.
Bug: 309462901
Change-Id: I44ed1cbc4cf3706a85754c7dfd07f5b50859ec6a
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Added check for bandpassfilter order in order to avoid
coeff len going out of bounds thereby leading to
memory overflow issues.
Bug: 309463056
Change-Id: I59c9a53c5965ae4b68df0524af754c34c7c384d0
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Add check for AVCS_CMD_RSP_LOAD_MODULE response payload
to avoid its access after free.
Bug: 303101067
Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Added check for voice session index.
Bug: 303101147
Change-Id: I12c46c9fdcd7a333118bc055021f409642ad7e1b
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
The global declared mmap_handle can be left dangling
for case when the handle is freed by the calling function.
Fix is to address this. Also add a check to make sure
the mmap_handle is accessed legally.
Bug: 303101456
Change-Id: I81055f2066de71bb290d1936e8cb0806bbc76c02
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Added check for fbsp state in get_calib_data functions
to avoid OOB read issues
Bug: 303107435
Change-Id: I8f3b285e3c577b1dfee128adfc6e64f7f770f2c0
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
add lock in ion free to protect dma buff and avoid
use after free.
Bug: 276762552
Change-Id: Ieb09f676104da7dd9a890f943dbaa924c4e46590
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Fix is to add check for this ADSP returned buf offset + size,
if it is within the available buf size range
Bug: 299146464
Change-Id: I4a1a5d564e7a1ecaa91f6ff5df9301acc44e0dad
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Check for valid num_channels before accessing.
Bug: 299130860
Change-Id: I27a77ebb0b2c342eb8bbac98ff80b782d95b33b9
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Check for the max size of cvs command register
calibration data that can be copied else will
result in buffer overflow.
Bug: 295052588
Change-Id: I60ef7a39d97505b493b53466189237a03e1cf3c1
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Payload size is not checked before payload access. Check size
to avoid out-of-boundary memory access.
Bug: 295052332
Change-Id: Ia22f3346a0f23012ddde65326515c42330466ca3
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
"num_services", a signed integer when compared
with constant results in conversion of signed integer
to max possible unsigned int value when "num_services"
is a negative value. This can lead to OOB read.
Fix is to handle this case.
Bug: 295052084
Change-Id: I6b3a2939451bea905bdbf02015be294af1867b96
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
There is no error check for case when hpcm_start
is called for the same RX or TX tap points multiple times.
This can result in OOB access of struct vss_ivpcm_tap_point.
Handle this scenario with appropriate no_of_tp check.
Bug: 295051886
Change-Id: Ib98cbaea6369e2c023160918fc9662ebe36e58b6
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10
Bug: 295051806
Change-Id: I425472f81a6a9d8916b899308af20da16a868c9d
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Bug: 292447561
SBMerger: 558810260
Change-Id: Ic4051261e70024dd46a78cc27ea0745172a59f08
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Payload size is not checked before payload access for AVCS.
Check size to avoid out-of-boundary memory access.
Bug: 295039120
Change-Id: Ie7dd953c5fc12c73c7114a11ba6e45536c888869
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
Add check for the max hpcm_buf_node size before copy to avoid
buffer out of bounds issue.
Bug: 290061915
Change-Id: Ida4cd1b2f59a751458b10b9d53e50eb39f4e299c
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
There is no check for voip pkt pkt_len,if it contains the
min required data. This can lead to integer underflow.
Add check for the same.
Bug: 295019252
Change-Id: I13925fc3447f18e6c37e4a4978de3fd83b812be7
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
SBMerger: 526756187
Change-Id: I644728000d8457fe91d5a60cc341b2862f37a8e2
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
check for the proper param size before copying,
to avoid buffer overflow.
Bug: 290061247
Change-Id: I8f643fe49a7afde11bd52f6e9c96e2a5bcc1c369
Signed-off-by: Arnold Chuang <cchuangg@google.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Bug: 272199761
Change-Id: Ic3fe2e078b1f522bf400899923341d6e732362ac
Signed-off-by: JohnnLee <johnnlee@google.com>
|
|
SBMerger: 516612970
Change-Id: I220c551142464321c68a42841b3767ccccfb777b
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Date: Fri, 6 Jan 2023 14:37:20 +0530
Subject: [PATCH] ASoC: msm-pcm-q6-v2: Add dsp buf check
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Bug: 271880369
Note: From a4374817ccc8686f86aa708243ecda95da28e216
Test: Local test
Change-Id: I964d760a19c574f0151f00cf9aba2a9592aabc29
Signed-off-by: Bubble Fang <bubblefang@google.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Change-Id: Ia5bd6362505ae2c799c07f2942fc7d7e786a5166
|
|
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: I7753cc6db394704dbb959477150141d42b836bef
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Bug: 261541074
Change-Id: I9afc4042670bd395febcc0906666b49ca88f044d
Signed-off-by: JohnnLee <johnnlee@google.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Change-Id: I4b5bfeacc3b1799d29f54922654f330242dfc636
|
|
-> If enumeration is changed runtime, dev_num gets changed
-> so it might result in different dev_num for same device
-> between swrm_connect_port and swr_disconnect_port while powering
up and down of widget
-> This results in not emptying the port_req list, hence swrm not
going to suspend state
-> This results into adsp not going to sleep state
Change-Id: I80326a35f0cac7f7be30cbbee119a8ba247a0f76
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Bug: 253163588
Change-Id: Id8f721dfcc23ead6f4c6adc36a7b8471f3584aab
Signed-off-by: JohnnLee <johnnlee@google.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Change-Id: I9fada88babca9903940b66d51ce9e94cd0c8bcf7
|
|
fix for nullptr deref issue
Change-Id: I26acf2c5c696038c6d5c64d858174b2f2c58a7d3
Signed-off-by: Shazmaan Ali <quic_shazmaan@quicinc.com>
|
|
'qcom-msm-4.19-7250' into android-msm-pixel-4.19
Bug: 223958127
Signed-off-by: JohnnLee <johnnlee@google.com>
Change-Id: I8f0ea5df66808aad098a2da633f62ede0d8cc792
|
|
Add changes to fix KW errors.
Change-Id: I87fc8bf5b2753cef6af881713637e9521389708d
Signed-off-by: Lakshman Chaluvaraju <quic_lchalu@quicinc.com>
|
|
'qcom-msm-4.19-7250-audio-drivers.lnx.4.0.r3' into android-msm-pixel-4.19
Bug: 210578498
Signed-off-by: JohnnLee <johnnlee@google.com>
Change-Id: I9ba8fa5ddf164cb72f578b4e2820a733ebf52516
|
|
SBMerger: 410055097
Change-Id: I779faebb5351fc3eeebd5f6c09afbb98ebfe56b1
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
SBMerger: 410055097
Change-Id: Ie6dbecd41666345280346e33848e0e6b7c594071
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I6652548d397f3ece7171c9818b74a787f8d7adf1
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I5391cae04af7410dcc81eacfe0af07db013db78e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I4b7c4b507445afd9f5bee23ee2fb7e8f728443ef
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: Iab9a6c665744bb1534a4ae729feba2b43a4b850e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Change-Id: I81665aae9d704afcbcb3a969a67245508b2e31f9
|
|
Change-Id: Iaa12e82b4f6b2ef4786dc4934d3df12b17679882
|
|
android-msm-barbet-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: If0896ff2c81f88271be9ac79679b62e13fac3fd9
|
|
android-msm-pixel-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: Id767184f62836ddb9e70edbdaadab6c2c0feab31
|
|
Add check to return if session id is invalid.
From 28a5f166422bf0b8b91dc348d02e62212ee0b261 Mon Sep 17 00:00:00 2001
From: Lakshman Chaluvaraju <lchalu@codeaurora.org>
Date: Tue, 8 Jun 2021 10:43:20 +0530
Bug: 190503256
Signed-off-by: Bubble Fang <bubblefang@google.com>
Change-Id: I2833f375e7c971d2006de3d0c3d0a05ccf535111
(cherry picked from commit 43667cf179dda119cb8e6224fff04511c4c0045d)
|