commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream.
The `uac_mixer_unit_descriptor` shown below is read from the
device side. In `parse_audio_mixer_unit`, the `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1; the current implementation
assumes that the descriptor is always valid (the length of the descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bounds memory
access.
```
#include <linux/types.h>	/* __u8 */

struct uac_mixer_unit_descriptor {
	__u8 bLength;		/* total descriptor length, supplied by the device */
	__u8 bDescriptorType;
	__u8 bDescriptorSubtype;
	__u8 bUnitID;
	__u8 bNrInPins;		/* number of entries in baSourceID[] */
	__u8 baSourceID[];	/* must fit within bLength - 5 bytes */
};
```
This patch fixes the bug by adding a sanity check on the length of
the descriptor.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2019-15117
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I4173c102a7f0752d8113823f5070ccb7de5f8914
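As an added example (not the patch or the kernel's code), the length check this commit describes, applied to a constructed descriptor buffer: `uac_mixer_unit_check`, `uac_mixer_unit_sum_sources` and the sample bytes are illustrative assumptions, and `avail` models how many bytes of the device's configuration data are actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the commit message: a 5-byte fixed header followed by
 * bNrInPins bytes of baSourceID[]. */
#define UAC_MIXER_HDR_LEN 5

struct uac_mixer_unit_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bDescriptorSubtype;
	uint8_t bUnitID;
	uint8_t bNrInPins;
	uint8_t baSourceID[];
};

/* Constructed helper (not from the patch): returns bNrInPins if every
 * baSourceID[i] lies inside the descriptor, else -1. `avail` is the
 * number of bytes really present in the buffer; bLength alone cannot be
 * trusted because the device supplies it. */
int uac_mixer_unit_check(const uint8_t *buf, size_t avail)
{
	const struct uac_mixer_unit_descriptor *d = (const void *)buf;
	if (avail < UAC_MIXER_HDR_LEN || d->bLength > avail)
		return -1;	/* header or body not fully present */
	if (d->bLength < UAC_MIXER_HDR_LEN + (size_t)d->bNrInPins)
		return -1;	/* the sanity check the commit adds */
	return d->bNrInPins;
}

/* Stands in for the loop in parse_audio_mixer_unit: walks
 * baSourceID[0..bNrInPins-1] only after the length check passes. */
int uac_mixer_unit_sum_sources(const uint8_t *buf, size_t avail)
{
	const struct uac_mixer_unit_descriptor *d = (const void *)buf;
	int n = uac_mixer_unit_check(buf, avail), sum = 0;
	for (int i = 0; i < n; i++)
		sum += d->baSourceID[i];
	return n < 0 ? -1 : sum;
}

/* Constructed sample descriptors: a consistent one (bLength 7, 2 pins)
 * and one whose bNrInPins (0x20) exceeds what bLength 7 can hold. */
static const uint8_t good_desc[] = { 7, 0x24, 0x04, 0x0a, 2, 0x01, 0x02 };
static const uint8_t bad_desc[]  = { 7, 0x24, 0x04, 0x0a, 0x20, 0x01, 0x02 };

int main(void)
{
	printf("good: %d\n", uac_mixer_unit_sum_sources(good_desc, sizeof good_desc));
	printf("bad: %d\n", uac_mixer_unit_sum_sources(bad_desc, sizeof bad_desc));
	return 0;
}
```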
Check buffer size in qdsp_cvs_callback before access in
ul_pkt.
Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
CVE-2019-10491
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Channel_mapping array size varies for different commands.
Add check for num_channels before calling q6asm_map_channels.
Bug: 129851238
Change-Id: Iccbcfe82f716fc0ffe0a26b1779dcaa1c3cb805b
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
[haggertk: Backport to 3.4/msm8974]
CVE-2019-2328
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Token from DSP might be invalid for array index. Validate the
token before it is used as an array index.
Bug: 129850483
Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
[haggertk: Backport to 3.4/msm8974]
CVE-2019-2326
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Format specifier %p can leak kernel addresses while not honoring the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with 0's.
Debugging Note: %pK prints only zeros as address. If you need actual
address information, write 0 to kptr_restrict.
echo 0 > /proc/sys/kernel/kptr_restrict
CRs-fixed: 1052849
Change-Id: I0e98145730380ea983fa8f46a28d15dd6c2c31df
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
Signed-off-by: Yasir Malik <ymalik@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
APR registration must be successful and a non-NULL handle must be
returned from the APR driver before the service can be used for
communicating. Add a check in the q6core driver to see if the APR
registration is done successfully before sending any APR packet.
CRs-fixed: 2022490
Change-Id: I88b09f3e1f58b0147b81ee734f87906c7ef09167
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Set freed pointers to NULL to avoid double free
in msm_compr_playback_open and msm_compr_playback_free
functions of the compress driver.
CRs-Fixed: 2142216
Bug: 68664502
Change-Id: Ifd011dd85dd9f610c7b69dd460f73d26e006cd66
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
[haggertk: Backport to 3.4/msm8974]
CVE-2018-3560
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
If two ioctls are triggered with different commands,
there is a possibility to access freed confidence level
memory. To resolve this acquire lock in ioctl.
Also release mutex lock properly in error cases.
CRs-Fixed: 1103085
Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d
Signed-off-by: Yeleswarapu Nagaradhesh <nagaradh@codeaurora.org>
[haggertk]: Backport to 3.4/msm8974
CVE-2017-7368
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In case of a large value for bufcnt_t or bufcnt,
cmd_size may overflow. The buffer size allocated by cmd_size might
not be as expected.
A possible buffer overflow could happen.
CRs-Fixed: 1084210
CAF-Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
CVE-2017-0611
Change-Id: Ic2f1c3a19c13b9c0179bb31b3c7bbae2478607ce
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
A copy_from_user is not always expected to succeed. Therefore, check
for an error before operating on the buffer post copy.
CRs-Fixed: 1116070
Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CVE-2017-0610 follow-up
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The size of the physical memory allocated for ION buffers
is of type size_t. This change updates the type of variables
sent to ION drivers to size_t to avoid any mismatch.
CAF-Change-Id: I3d33ed922b979652c64027e6f1c6f0a8ed4850a3
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
CVE-2017-0607
[haggertk]: Backport to 3.4/msm8974
Change-Id: Id57c2d879b209afbe46706bc90917e44cd6d1438
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Add out of bounds check in routing put functions
for the mux value before accessing the texts
pointer of soc_enum struct with mux as index.
CRs-fixed: 1097569
Bug: 33649808
CAF-Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
CVE-2017-0586
Change-Id: I11c140cbd92d69ec2f8e86a52d59486e9dca1c46
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.
Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed(). This is potentially racy, since the stream
may get released even while the irq handler is running. Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.
As a quick workaround, move the kill_fasync() call inside the stream
lock. The fasync is a rarely used interface, so this shouldn't have a
big impact from the performance POV.
Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler. But this oneliner should suffice for most
cases, so far.
Change-Id: Iad00158de5e6acd5adfa331c2e11450f2cf42390
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
CVE-2016-9794
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In lsm-related driver files, some pointers are not set as NULL
after the memory is freed, which will leave many dangling pointers.
Set them to NULL explicitly to avoid potential risk.
CRs-Fixed: 880388
Change-Id: I44925240705608510266a51225cc02611637c571
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
[haggertk]: Backport to 3.4
CVE-2016-8450
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.
create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.
This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.
Change-Id: I94025f3eec256347b50805b388940774e559dae2
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2:
- There's no altsd variable
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2016-2184
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Fix overwrite of updt_params allocated in heap, and stack overread
where param pointer is passed from user space.
Bug: 27555224
Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
Signed-off-by: Ravi Kumar Alamanda <arkumar@codeaurora.org>
CVE-2016-2066
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Currently lsm client data is deallocated when q6lsm_open() fails,
which can cause memory corruption if lsm client data is accessed
after being freed. Fix this issue by deallocating the client data only
in msm_lsm_close().
Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
CVE-2015-8951
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
During sound model registration, the total memory size needed by the
sound model data is the sum of sound model length, number of zero
padding bytes and the calibration size. It is possible this sum
can result in an integer overflow, causing difficult-to-debug issues.
Add a check for integer overflow to avoid such possible issues.
CRs-fixed: 792367
Change-Id: I9f451aa308214a4eac42b82e2abf1375c858ff30
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
CVE-2015-8940
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
I previously added an integer overflow check here but looking at it now,
it's still buggy.
The bug happens in snd_compr_allocate_buffer(). We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
CVE-2014-9904
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I04ed32d9c858ac971ff48235eed8f231ef39a277
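Added example (not the kernel's code) serving both this message and the sound-model overflow check a few commits earlier: checked size arithmetic in C, with the truncating product beside a hardened version and a wrap-checked three-term sum. The function names and sample values are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reproduces the defect described above: fragments * fragment_size is
 * computed in size_t, but storing it in an unsigned int drops the high
 * bits, so the allocator receives a smaller size than was requested. */
unsigned int compr_buffer_size_truncating(size_t fragments, size_t fragment_size)
{
	unsigned int buffer_size = fragments * fragment_size;	/* truncates */
	return buffer_size;
}

/* Hardened form: returns the product as a value that fits the unsigned
 * int the caller stores it in, or -1 if it would overflow or truncate. */
long long compr_buffer_size_checked(size_t fragments, size_t fragment_size)
{
	if (fragment_size && fragments > SIZE_MAX / fragment_size)
		return -1;	/* product would overflow size_t */
	if (fragments * fragment_size > UINT_MAX)
		return -1;	/* would be truncated when stored */
	return (long long)(fragments * fragment_size);
}

/* Sum of model length, zero padding and calibration size as in the
 * sound-model commit above; each addition is checked for wrap-around. */
bool sound_model_total_size(size_t model_len, size_t padding,
			    size_t cal_size, size_t *total)
{
	size_t s = model_len + padding;
	if (s < model_len)
		return false;	/* first addition wrapped */
	if (s + cal_size < s)
		return false;	/* second addition wrapped */
	*total = s + cal_size;
	return true;
}

int main(void)
{
	size_t total;

	/* 0x10001 * 0x10000 = 0x100010000: the truncating version keeps 0x10000 */
	printf("truncating: %u\n", compr_buffer_size_truncating(0x10001, 0x10000));
	printf("checked: %lld\n", compr_buffer_size_checked(0x10001, 0x10000));
	printf("sum ok: %d\n", sound_model_total_size(SIZE_MAX - 10, 20, 0, &total));
	return 0;
}
```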
If mediaserver crashes it might hang in es705_wakeup()
on restart, leading to watchdog killing systemserver
and endless wait for service media.audio_policy.
```
[10750.498808] kworker/0:3 D c0a354b4 0 19414 2 0x00000200
[10750.498840] [<c0a354b4>] (__schedule+0x590/0x7bc) from [<c0a35790>] (schedule_preempt_disabled+0x24/0x34)
[10750.498862] [<c0a35790>] (schedule_preempt_disabled+0x24/0x34) from [<c0a34814>] (__mutex_lock_slowpath+0x170/0x1c8)
[10750.498884] [<c0a34814>] (__mutex_lock_slowpath+0x170/0x1c8) from [<c0a3488c>] (mutex_lock+0x20/0x40)
[10750.498908] [<c0a3488c>] (mutex_lock+0x20/0x40) from [<c08458f4>] (es705_bootup+0x2c/0xa4)
[10750.498927] [<c08458f4>] (es705_bootup+0x2c/0xa4) from [<c08459a0>] (restore_std_fw+0x34/0x60)
[10750.498946] [<c08459a0>] (restore_std_fw+0x34/0x60) from [<c08465b4>] (es705_sleep+0x84/0x1f4)
[10750.498966] [<c08465b4>] (es705_sleep+0x84/0x1f4) from [<c01b012c>] (process_one_work+0x270/0x434)
[10750.498987] [<c01b012c>] (process_one_work+0x270/0x434) from [<c01b0de4>] (worker_thread+0x198/0x2d8)
[10750.499007] [<c01b0de4>] (worker_thread+0x198/0x2d8) from [<c01b52b0>] (kthread+0x84/0x90)
[10750.499026] [<c01b52b0>] (kthread+0x84/0x90) from [<c0106ef0>] (kernel_thread_exit+0x0/0x8)
[10750.499038] mediaserver D c0a354b4 0 21682 1 0x00000201
[10750.499068] [<c0a354b4>] (__schedule+0x590/0x7bc) from [<c0a33bd0>] (schedule_timeout+0x28/0x32c)
[10750.499088] [<c0a33bd0>] (schedule_timeout+0x28/0x32c) from [<c0a35d64>] (wait_for_common+0x11c/0x15c)
[10750.499108] [<c0a35d64>] (wait_for_common+0x11c/0x15c) from [<c01b0b14>] (wait_on_work+0xbc/0x108)
[10750.499129] [<c01b0b14>] (wait_on_work+0xbc/0x108) from [<c01b0bd8>] (__cancel_work_timer+0x78/0xec)
[10750.499149] [<c01b0bd8>] (__cancel_work_timer+0x78/0xec) from [<c0845a30>] (es705_wakeup+0x64/0x270)
[10750.499169] [<c0845a30>] (es705_wakeup+0x64/0x270) from [<c08461ac>] (es705_power_control+0x154/0x4d8)
[10750.499188] [<c08461ac>] (es705_power_control+0x154/0x4d8) from [<c0843360>] (es705_read_write_power_control+0x58/0x60)
[10750.499209] [<c0843360>] (es705_read_write_power_control+0x58/0x60) from [<c0843664>] (es705_get_control_enum+0x18/0x64)
[10750.499233] [<c0843664>] (es705_get_control_enum+0x18/0x64) from [<c07fcd8c>] (snd_ctl_ioctl+0x588/0xb1c)
[10750.499258] [<c07fcd8c>] (snd_ctl_ioctl+0x588/0xb1c) from [<c02681fc>] (vfs_ioctl+0x28/0x3c)
[10750.499279] [<c02681fc>] (vfs_ioctl+0x28/0x3c) from [<c0268c4c>] (do_vfs_ioctl+0x488/0x578)
[10750.499297] [<c0268c4c>] (do_vfs_ioctl+0x488/0x578) from [<c0268d84>] (sys_ioctl+0x48/0x74)
[10750.499317] [<c0268d84>] (sys_ioctl+0x48/0x74) from [<c010651c>] (__sys_trace_return+0x0/0x24)
```
Change-Id: Ibe0750413b59301d0249c2c1a357880fc4dbde0f
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user space without being initialized.
b/28980217
Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
Change-Id: I53aa15632e941199010aae670cefb65c8fd56833
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user space without being initialized.
b/28980217
Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
Change-Id: I12949efac2aba669d302908704005fb94ba7efd7
The stack object "tread" has a total size of 32 bytes. Its fields
"event" and "val" both contain 4 bytes of padding. These 8
padding bytes are sent to user space without being initialized.
Change-Id: Ief5bbada3a144447aaecc236f86aa91da968bb3f
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Protect against memory faults while accessing userspace addresses.
Change-Id: I1433bac73d24d428749558e530e6869c2e5ee98f
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
ALSA timer ioctls have an open race and this may lead to a
use-after-free of the timer instance object. A simplistic fix is to make
each ioctl exclusive. We already have tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.
The downside is, of course, the worse concurrency. But these ioctls
aren't meant to be accessed in parallel anyway, so it should be fine to
serialize there.
Change-Id: Ic177ce2a35996d450cd2807aa22a69c8a90b1139
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: af368027a49a751d6ff4ee9e3f9961f35bb4fede
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client. This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.
This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.
Change-Id: I74a0789b15ad8c823adff8652498d95e3304b7a4
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: 3567eb6af614dac436c4b16a8d426f9faed639b3
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
The params array is used without initialization, which may cause
security issues. Initialize it as all zero after the definition.
CRs-Fixed: 1062271
Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks locking. Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too. Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.
This patch tries to address these issues. It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places. For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.
Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().
Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links. This is a noop, and calling it may confuse
readers wrt locking. Further cleanup will follow in a later patch.
Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit b5a663aa426f4884c71cd8580adae73f33570f0d)
Change-Id: I7e7e4e1ab476f93131111d60d8f4e6a1add43193
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
For the VOIP case, the hardware pointer is always getting incremented
by a fixed pcm count. Because of this, hw_ptr is incrementing much
faster than the actual data consumed by the DSP. This leads to
pcm_write failure. The fix is to increment the hardware pointer by the packet
length of frames consumed by the DSP for PCM mode.
CRs-Fixed: 811744
Change-Id: I1284bdfbf1e74abd126bcb83b8c3dc80e2efc082
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
For the Headphone and lineout concurrency scenario, the call to enable
buck is made twice. First, while transitioning from IDLE to HPH,
and next while moving from HPH to HPH+LO state. But while disabling,
it is called only once while changing state from HPH to IDLE.
This leads to buck_users being non-zero and buck not being
disabled after the concurrency usecase.
Specs don't require enabling buck for the transition from Headphone
to Headphone+Lineout case. Change made to not enable buck during
this scenario.
Change-Id: I07c51838928c1e177c5b6d2469fe5c527cd78969
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>