Asoc:msm:Added Buffer overflow check

The overflow check is required to ensure that user space data in kernel may not go beyond buffer boundary. Bug: 28751152 Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1 CRs-Fixed: 563086 Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
2024-11-06 23:17:41 +00:00 · 2013-12-12 14:26:42 +05:30 · 2013-12-12 14:26:42 +05:30 · 24147c05f0
commit 24147c05f0
parent 6bcdea884d
2 changed files with 9 additions and 0 deletions
--- a/arch/arm/mach-msm/qdsp6v2/audio_utils.c
+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
@ -23,6 +23,7 @@
 #include <asm/ioctls.h>
 #include "audio_utils.h"

+#define FRAME_SIZE            (1 + ((1536+sizeof(struct meta_out_dsp)) * 5))
 static int audio_in_pause(struct q6audio_in  *audio)
 {
 	int rc;
@ -257,6 +258,11 @@ long audio_in_ioctl(struct file *file,
 			rc = -EINVAL;
 			break;
 		}
+		if ((cfg.buffer_size > FRAME_SIZE) ||
+			(cfg.buffer_count != FRAME_NUM)) {
+			rc = -EINVAL;
+			break;
+		}
 		audio->str_cfg.buffer_size = cfg.buffer_size;
 		audio->str_cfg.buffer_count = cfg.buffer_count;
 		rc = q6asm_audio_client_buf_alloc(OUT, audio->ac,
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@ -55,6 +55,7 @@
 #define READDONE_IDX_FLAGS 8
 #define READDONE_IDX_NUMFRAMES 9
 #define READDONE_IDX_SEQ_ID 10
+#define FRAME_NUM             (8)

 /* TODO, combine them together */
 static DEFINE_MUTEX(session_lock);
@ -608,6 +609,8 @@ int q6asm_audio_client_buf_alloc(unsigned int dir,
 			pr_debug("%s: buffer already allocated\n", __func__);
 			return 0;
 		}
+		if (bufcnt != FRAME_NUM)
+			goto fail;
 		mutex_lock(&ac->cmd_lock);
 		buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
 				GFP_KERNEL);