ASoC: soc: prevent risk of buffer overflow
In case of large value for bufcnt_t or bufcnt, cmd_size may overflow. Buffer size allocated by cmd_size might be not as expected. Possible buffer overflow could happen. CRs-Fixed: 1084210 CAF-Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08 Signed-off-by: Xiaojun Sang <xsang@codeaurora.org> CVE-2017-0611 Change-Id: Ic2f1c3a19c13b9c0179bb31b3c7bbae2478607ce Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This commit is contained in:
parent
f370b53808
commit
24538e44a9
|
@ -3290,7 +3290,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
|
|||
struct asm_buffer_node *buffer_node = NULL;
|
||||
int rc = 0;
|
||||
int i = 0;
|
||||
int cmd_size = 0;
|
||||
uint32_t cmd_size = 0;
|
||||
uint32_t bufcnt_t;
|
||||
uint32_t bufsz_t;
|
||||
|
||||
|
@ -3308,10 +3308,25 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
|
|||
bufsz_t = PAGE_ALIGN(bufsz_t);
|
||||
}
|
||||
|
||||
if (bufcnt_t > (UINT_MAX
|
||||
- sizeof(struct avs_cmd_shared_mem_map_regions))
|
||||
/ sizeof(struct avs_shared_map_region_payload)) {
|
||||
pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
|
||||
__func__, bufcnt_t);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
|
||||
+ (sizeof(struct avs_shared_map_region_payload)
|
||||
* bufcnt_t);
|
||||
|
||||
|
||||
if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
|
||||
pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
|
||||
__func__, bufcnt);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
|
||||
GFP_KERNEL);
|
||||
if (!buffer_node) {
|
||||
|
|
Loading…
Reference in New Issue