Asoc:msm:Added Buffer overflow check
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CVE-2014-9874
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c
index 88f46ba..2b93612 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_utils.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c
@@ -24,6 +24,7 @@
#include <asm/ioctls.h>
#include "audio_utils.h"
+#define FRAME_SIZE (1 + ((1536+sizeof(struct meta_out_dsp)) * 5))
static int audio_in_pause(struct q6audio_in *audio)
{
int rc;
@@ -329,6 +330,11 @@
rc = -EINVAL;
break;
}
+ if ((cfg.buffer_size > FRAME_SIZE) ||
+ (cfg.buffer_count != FRAME_NUM)) {
+ rc = -EINVAL;
+ break;
+ }
audio->str_cfg.buffer_size = cfg.buffer_size;
audio->str_cfg.buffer_count = cfg.buffer_count;
if (audio->opened) {
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index 618efed..f9227a1 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -52,6 +52,7 @@
ASM_RTAC_APR_CAL,
ASM_MAX_CAL_TYPES
};
+#define FRAME_NUM (8)
/* TODO, combine them together */
static DEFINE_MUTEX(session_lock);
@@ -1051,6 +1052,8 @@
pr_debug("%s: buffer already allocated\n", __func__);
return 0;
}
+ if (bufcnt != FRAME_NUM)
+ goto fail;
mutex_lock(&ac->cmd_lock);
buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
GFP_KERNEL);