dsp: q6core: validate payload size before access for AVCS

The payload size is not checked before the AVCS payload is accessed.
Check the size to avoid an out-of-bounds memory access.

Bug: 295039120
Change-Id: Ie7dd953c5fc12c73c7114a11ba6e45536c888869
Signed-off-by: Bubble Fang <bubblefang@google.com>
diff --git a/dsp/q6core.c b/dsp/q6core.c
index 093a3db..dae0a03 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/kernel.h>
@@ -474,6 +475,12 @@
 	case AVCS_CMD_RSP_LOAD_MODULES:
 		pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
 			 __func__);
+		if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
+			* rsp_payload->num_modules) + sizeof(uint32_t))) {
+			pr_err("%s: payload size not equal to expected size %d\n",
+				__func__,data->payload_size);
+			return -EINVAL;
+		}
 		memcpy(rsp_payload, data->payload, data->payload_size);
 		q6core_lcl.avcs_module_resp_received = 1;
 		wake_up(&q6core_lcl.avcs_module_load_unload_wait);
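Review bot: The new size check dereferences `rsp_payload->num_modules` without first confirming that `rsp_payload` is valid; the hunk shows no NULL check, and if this response can arrive when no load/unload request is outstanding, the read (and the `memcpy` that follows) would touch a NULL or stale buffer. Consider adding `if (!rsp_payload) return -EINVAL;` ahead of the comparison, presuming the pointer is cleared once a request completes, which is not visible here. Separately, `data->payload_size` is printed with `%d`; if it is an unsigned 32-bit field, `%u` is the matching specifier, and logging the expected size next to it would make the error easier to act on. The enclosing switch and function start and end outside the hunk.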
@@ -998,6 +1005,8 @@
 		return -ENOMEM;
 	}
 
+	rsp_payload->num_modules = num_modules;
+
 	memcpy((uint8_t *)mod + sizeof(struct apr_hdr) +
 		sizeof(struct avcs_load_unload_modules_meminfo),
 		payload, payload_size);
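Review bot: The count stored by `rsp_payload->num_modules = num_modules;` is the trusted bound for the callback's size check, but the callback then copies the DSP response over the same struct, so afterwards the field holds the DSP-reported count (assuming `num_modules` is the leading `uint32_t`, as the `+ sizeof(uint32_t)` in the check suggests). Any code after the wait that walks the response should bound on the local `num_modules` rather than re-reading the field; that code is outside the hunk, so this is a point to confirm. A comment on the assignment would record the intent, e.g. `/* expected count; the APR callback validates the response size against it */`. The assignment also has to precede the point where the command is sent, which this hunk does not show.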