Check buffer size in qdsp_cvs_callback before access in
ul_pkt.
Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
CVE-2019-10491
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Channel_mapping array size varies for different commands.
Add check for num_channels before calling q6asm_map_channels.
Bug: 129851238
Change-Id: Iccbcfe82f716fc0ffe0a26b1779dcaa1c3cb805b
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
[haggertk: Backport to 3.4/msm8974]
CVE-2019-2328
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Token from DSP might be invalid for array index. Validate the
token before it is used as an array index.
Bug: 129850483
Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
[haggertk: Backport to 3.4/msm8974]
CVE-2019-2326
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
APR registration must be successful and a non-NULL handle must be
returned from APR driver before the service can be used for
communicating. Add a check in q6core driver to see if the APR
registration is done successfully before sending any APR packet.
CRs-fixed: 2022490
Change-Id: I88b09f3e1f58b0147b81ee734f87906c7ef09167
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Set freed pointers to NULL to avoid double free
in msm_compr_playback_open and msm_compr_playback_free
functions of the compress driver.
CRs-Fixed: 2142216
Bug: 68664502
Change-Id: Ifd011dd85dd9f610c7b69dd460f73d26e006cd66
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
[haggertk: Backport to 3.4/msm8974]
CVE-2018-3560
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
If two ioctls are triggered with different commands,
there is a possibility to access freed confidence level
memory. To resolve this acquire lock in ioctl.
Also release mutex lock properly in error cases.
CRs-Fixed: 1103085
Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d
Signed-off-by: Yeleswarapu Nagaradhesh <nagaradh@codeaurora.org>
[haggertk]: Backport to 3.4/msm8974
CVE-2017-7368
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In case of large value for bufcnt_t or bufcnt,
cmd_size may overflow. Buffer size allocated by cmd_size might
not be as expected.
Possible buffer overflow could happen.
CRs-Fixed: 1084210
CAF-Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
CVE-2017-0611
Change-Id: Ic2f1c3a19c13b9c0179bb31b3c7bbae2478607ce
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
A copy_from_user is not always expected to succeed. Therefore, check
for an error before operating on the buffer post copy.
CRs-Fixed: 1116070
Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CVE-2017-0610 follow-up
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The size of the physical memory allocated for ION buffers
is of type size_t. Change updates the type of variables
sent to ION drivers to size_t to avoid any mismatch.
CAF-Change-Id: I3d33ed922b979652c64027e6f1c6f0a8ed4850a3
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
CVE-2017-0607
[haggertk]: Backport to 3.4/msm8974
Change-Id: Id57c2d879b209afbe46706bc90917e44cd6d1438
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Add out of bounds check in routing put functions
for the mux value before accessing the texts
pointer of soc_enum struct with mux as index.
CRs-fixed: 1097569
Bug: 33649808
CAF-Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
CVE-2017-0586
Change-Id: I11c140cbd92d69ec2f8e86a52d59486e9dca1c46
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In lsm-related driver files, some pointers are not set as NULL
after the memory is freed, which will leave many dangling pointers.
Set them to NULL explicitly to avoid potential risk.
CRs-Fixed: 880388
Change-Id: I44925240705608510266a51225cc02611637c571
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
[haggertk]: Backport to 3.4
CVE-2016-8450
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Fix overwrite of updt_params allocated in heap, and stack overread
where param pointer is passed from user space.
Bug: 27555224
Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
Signed-off-by: Ravi Kumar Alamanda <arkumar@codeaurora.org>
CVE-2016-2066
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Currently lsm client data is deallocated when q6lsm_open() fails
which can cause memory corruption if lsm client data is accessed
after being freed. Fix this issue by deallocating the client data only
in msm_lsm_close().
Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
CVE-2015-8951
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
During sound model registration, the total memory size needed by the
sound model data is the sum of sound model length, number of zero
padding bytes and the calibration size. It is possible this sum
can result in an integer overflow causing difficult to debug issues.
Add check for integer overflow to avoid such possible issues.
CRs-fixed: 792367
Change-Id: I9f451aa308214a4eac42b82e2abf1375c858ff30
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
CVE-2015-8940
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
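The two overflow checks described above (CVE-2017-0611: cmd_size derived from bufcnt; CVE-2015-8940: sound model length plus zero padding plus calibration size), written out as an added stand-alone C example rather than code from these patches. The helper names, the parameter names and the cmd_size formula (a header followed by bufcnt entries) are assumptions; in-kernel code would use check_add_overflow()/check_mul_overflow() from linux/overflow.h instead of the hand-written helpers.

```c
/* Added example, not from the patches above: overflow-checked size
 * arithmetic in plain userspace C so it compiles and runs stand-alone. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Return false when a + b would wrap around; otherwise store the sum. */
static bool size_add_checked(size_t a, size_t b, size_t *out)
{
    if (SIZE_MAX - a < b)
        return false;
    *out = a + b;
    return true;
}

/* Return false when a * b would wrap around; otherwise store the product. */
static bool size_mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Sound-model registration (CVE-2015-8940 message): the allocation must
 * cover model length + zero padding + calibration data. Returns false when
 * the sum does not fit in size_t, so the caller rejects the request instead
 * of under-allocating and copying past the end of the buffer. */
bool sound_model_alloc_size(size_t model_len, size_t pad_len,
                            size_t cal_size, size_t *total)
{
    size_t partial;
    return size_add_checked(model_len, pad_len, &partial) &&
           size_add_checked(partial, cal_size, total);
}

/* Command-size computation (CVE-2017-0611 message): assumed layout of a
 * fixed header followed by bufcnt entries of entry_size bytes each. The
 * real driver's formula is not shown in the message; the point is that
 * both the multiply and the add are checked before anything is allocated. */
bool cmd_size_for_buffers(size_t hdr_size, uint32_t bufcnt,
                          size_t entry_size, size_t *cmd_size)
{
    size_t body;
    return size_mul_checked(bufcnt, entry_size, &body) &&
           size_add_checked(hdr_size, body, cmd_size);
}
```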
If mediaserver crashes it might hang in es705_wakeup()
on restart, leading to watchdog killing systemserver
and endless wait for service media.audio_policy.
[10750.498808] kworker/0:3 D c0a354b4 0 19414 2 0x00000200
[10750.498840] [<c0a354b4>] (__schedule+0x590/0x7bc) from [<c0a35790>] (schedule_preempt_disabled+0x24/0x34)
[10750.498862] [<c0a35790>] (schedule_preempt_disabled+0x24/0x34) from [<c0a34814>] (__mutex_lock_slowpath+0x170/0x1c8)
[10750.498884] [<c0a34814>] (__mutex_lock_slowpath+0x170/0x1c8) from [<c0a3488c>] (mutex_lock+0x20/0x40)
[10750.498908] [<c0a3488c>] (mutex_lock+0x20/0x40) from [<c08458f4>] (es705_bootup+0x2c/0xa4)
[10750.498927] [<c08458f4>] (es705_bootup+0x2c/0xa4) from [<c08459a0>] (restore_std_fw+0x34/0x60)
[10750.498946] [<c08459a0>] (restore_std_fw+0x34/0x60) from [<c08465b4>] (es705_sleep+0x84/0x1f4)
[10750.498966] [<c08465b4>] (es705_sleep+0x84/0x1f4) from [<c01b012c>] (process_one_work+0x270/0x434)
[10750.498987] [<c01b012c>] (process_one_work+0x270/0x434) from [<c01b0de4>] (worker_thread+0x198/0x2d8)
[10750.499007] [<c01b0de4>] (worker_thread+0x198/0x2d8) from [<c01b52b0>] (kthread+0x84/0x90)
[10750.499026] [<c01b52b0>] (kthread+0x84/0x90) from [<c0106ef0>] (kernel_thread_exit+0x0/0x8)
[10750.499038] mediaserver D c0a354b4 0 21682 1 0x00000201
[10750.499068] [<c0a354b4>] (__schedule+0x590/0x7bc) from [<c0a33bd0>] (schedule_timeout+0x28/0x32c)
[10750.499088] [<c0a33bd0>] (schedule_timeout+0x28/0x32c) from [<c0a35d64>] (wait_for_common+0x11c/0x15c)
[10750.499108] [<c0a35d64>] (wait_for_common+0x11c/0x15c) from [<c01b0b14>] (wait_on_work+0xbc/0x108)
[10750.499129] [<c01b0b14>] (wait_on_work+0xbc/0x108) from [<c01b0bd8>] (__cancel_work_timer+0x78/0xec)
[10750.499149] [<c01b0bd8>] (__cancel_work_timer+0x78/0xec) from [<c0845a30>] (es705_wakeup+0x64/0x270)
[10750.499169] [<c0845a30>] (es705_wakeup+0x64/0x270) from [<c08461ac>] (es705_power_control+0x154/0x4d8)
[10750.499188] [<c08461ac>] (es705_power_control+0x154/0x4d8) from [<c0843360>] (es705_read_write_power_control+0x58/0x60)
[10750.499209] [<c0843360>] (es705_read_write_power_control+0x58/0x60) from [<c0843664>] (es705_get_control_enum+0x18/0x64)
[10750.499233] [<c0843664>] (es705_get_control_enum+0x18/0x64) from [<c07fcd8c>] (snd_ctl_ioctl+0x588/0xb1c)
[10750.499258] [<c07fcd8c>] (snd_ctl_ioctl+0x588/0xb1c) from [<c02681fc>] (vfs_ioctl+0x28/0x3c)
[10750.499279] [<c02681fc>] (vfs_ioctl+0x28/0x3c) from [<c0268c4c>] (do_vfs_ioctl+0x488/0x578)
[10750.499297] [<c0268c4c>] (do_vfs_ioctl+0x488/0x578) from [<c0268d84>] (sys_ioctl+0x48/0x74)
[10750.499317] [<c0268d84>] (sys_ioctl+0x48/0x74) from [<c010651c>] (__sys_trace_return+0x0/0x24)
Change-Id: Ibe0750413b59301d0249c2c1a357880fc4dbde0f
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Protect against memory faults while accessing userspace addresses.
Change-Id: I1433bac73d24d428749558e530e6869c2e5ee98f
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
The params array is used without initialization, which may cause
security issues. Initialize it as all zero after the definition.
CRs-Fixed: 1062271
Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
For VOIP case, hardware pointer is always getting incremented
by a fixed pcm count. Because of this, hw_ptr is incrementing much
faster than the actual data consumed by DSP. This leads to
pcm_write failure. Fix is to increment hardware pointer by packet
length of frames consumed by DSP for PCM mode.
CRs-Fixed: 811744
Change-Id: I1284bdfbf1e74abd126bcb83b8c3dc80e2efc082
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
For Headphone and lineout concurrency scenario, call to enable
buck is made twice. First, while transitioning from IDLE to HPH
and next while moving from HPH to HPH+LO state. But, while disabling
it is called only once while changing state from HPH to IDLE.
This leads to buck_users being non-zero and buck not being
disabled after concurrency usecase.
Specs don't require enabling buck for transition from Headphone
to Headphone+Lineout case. Change made to not enable buck during
this scenario.
Change-Id: I07c51838928c1e177c5b6d2469fe5c527cd78969
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
Handle fake mechanical interrupt during slow insertion of
headset usecase when the plug type is detected as lineout.
CRs-Fixed: 754305
Change-Id: I559309915771b633c6f1677f020459b8afc1f574
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
EQ index is copied over from userspace. There's potential risk that
this value can exceed the array boundary. A sanity check for the index
is required.
Change-Id: Ic57a00521119c9fa77dfe0971d58da701092f850
CRs-Fixed: 791363
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
During fast switching of audio playback, we need to wait
for 5ms for the LINE PAs to get settled down before enabling
them again for playback. Same delay is also required after PA
is enabled. Add the required delays after LINE PAs are enabled
or disabled.
Change-Id: Ia4200e0c4bfee3bcd00f0c2f5d1267ea23463f51
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
Re-enable soft pause feature to smooth drastic gain change as to
remove pop noise for offload playback.
Change-Id: Idf5e1044f11a37e1ebcb00e7df5eea2d80552d45
CRs-Fixed: 745564
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
While enabling ANC headset, there is a wrong call to
release firmware in the case of hwdep being used for
codec calibration. The change releases firmware only
in the case where hwdep is not used.
CRs-Fixed: 785739
Change-Id: Ie06dd1e626d24e34d24100054ed413d32e65fe3f
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>
Signed-off-by: Rajshekar Eashwarappa <reashw@codeaurora.org>
Due to the difference in usage, this mixer control would
always set the default value of BT SCO Sample Rate as
there is no matching case.
Added change to ensure that the userspace sends the enum
and not the value.
Change-Id: I097b20a4983e7c4eae29e97803e36fcfc14fb8b2
Signed-off-by: Shreyas Nagasandra Chandrasekhar <snagas@codeaurora.org>