dsp: asm: validate payload size before access

Payload size is not checked before payload access. Check it to avoid out-of-boundary memory access. Change-Id: I913e37ba8eaa3451934b88de1e6b14a5e83f493b Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
2019-02-12 17:42:38 +08:00 · 2019-02-12 17:42:38 +08:00 · 4a0058421a
parent 2e7be3d027
commit 4a0058421a
1 changed files with 37 additions and 22 deletions
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@ -1698,12 +1698,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 		case ASM_DATA_CMD_REMOVE_TRAILING_SILENCE:
 		case ASM_SESSION_CMD_REGISTER_FOR_RX_UNDERFLOW_EVENTS:
 		case ASM_STREAM_CMD_OPEN_WRITE_COMPRESSED:
-			pr_debug("%s: session %d opcode 0x%x token 0x%x Payload = [0x%x] stat 0x%x src %d dest %d\n",
-				__func__, ac->session,
-				data->opcode, data->token,
-				payload[0], payload[1],
-				data->src_port, data->dest_port);
-			if (payload[1] != 0) {
+			if (data->payload_size >= 2 * sizeof(uint32_t)) {
+				pr_debug("%s: session %d opcode 0x%x token 0x%x Payload = [0x%x] stat 0x%x src %d dest %d\n",
+					__func__, ac->session,
+					data->opcode, data->token,
+					payload[0], payload[1],
+					data->src_port, data->dest_port);
+			}
+			if (data->payload_size >= 2 * sizeof(uint32_t) &&
+				payload[1] != 0) {
 				pr_err("%s: cmd = 0x%x returned error = 0x%x\n",
 					__func__, payload[0], payload[1]);
 				if (wakeup_flag) {
@ -1749,8 +1752,9 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 					(uint32_t *)data->payload, ac->priv);
 			break;
 		case ASM_DATA_EVENT_WATERMARK: {
-			pr_debug("%s: Watermark opcode[0x%x] status[0x%x]",
-				 __func__, payload[0], payload[1]);
+			if (data->payload_size >= 2 * sizeof(uint32_t))
+				pr_debug("%s: Watermark opcode[0x%x] status[0x%x]",
+					 __func__, payload[0], payload[1]);
 			break;
 		}
 		case ASM_STREAM_CMD_GET_PP_PARAMS_V2:
@ -1816,8 +1820,9 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 			}
 			if (lower_32_bits(port->buf[data->token].phys) !=
 			payload[0] ||
+			(data->payload_size >= 2 * sizeof(uint32_t) &&
 			populate_upper_32_bits(port->buf[data->token].phys) !=
-			payload[1]) {
+			payload[1])) {
 				pr_debug("%s: Expected addr %pK\n",
 				__func__, &port->buf[data->token].phys);
 				pr_err("%s: rxedl[0x%x] rxedu [0x%x]\n",
@ -1853,18 +1858,26 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 		} else if (generic_get_data) {
 			generic_get_data->valid = 1;
 			if (generic_get_data->is_inband) {
-				pr_debug("%s: payload[1] = 0x%x, payload[2]=0x%x, payload[3]=0x%x\n",
-				  __func__, payload[1], payload[2], payload[3]);
-				generic_get_data->size_in_ints = payload[3]>>2;
-				for (i = 0; i < payload[3]>>2; i++) {
-					generic_get_data->ints[i] =
-								   payload[4+i];
-					pr_debug("%s: ASM callback val %i = %i\n",
-						 __func__, i, payload[4+i]);
+				if (data->payload_size >= 4 * sizeof(uint32_t)) {
+					pr_debug("%s: payload[1] = 0x%x, payload[2]=0x%x, payload[3]=0x%x\n",
+					 __func__, payload[1], payload[2],
+						 payload[3]);
+					generic_get_data->size_in_ints =
+						payload[3]>>2;
+					if (data->payload_size >=
+						((payload[3]>>2) + 4)
+						* sizeof(uint32_t)) {
+						for (i = 0; i < payload[3]>>2; i++) {
+	 					    generic_get_data->ints[i] =
+								  payload[4+i];
+						    pr_debug("%s: ASM callback val %i = %i\n",
+							 __func__, i, payload[4+i]);
+						}
+						pr_debug("%s: callback size in ints = %i\n",
+							 __func__,
+						generic_get_data->size_in_ints);
+					}
 				}
-				pr_debug("%s: callback size in ints = %i\n",
-					 __func__,
-					generic_get_data->size_in_ints);
 			}
 			if (atomic_read(&ac->cmd_state) && wakeup_flag) {
 				atomic_set(&ac->cmd_state, 0);
@ -1986,10 +1999,12 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 		q6asm_process_mtmx_get_param_rsp(ac, (void *) payload);
 		break;
 	case ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2:
-		pr_debug("%s: ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2 session %d status 0x%x msw %u lsw %u\n",
+		if (data->payload_size >= 3 * sizeof(uint32_t))
+			pr_debug("%s: ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2 session %d status 0x%x msw %u lsw %u\n",
 				__func__, ac->session, payload[0], payload[2],
 				payload[1]);
-		if (payload[0] == 0) {
+		if (data->payload_size >= 2 * sizeof(uint32_t) &&
+			payload[0] == 0) {
 			atomic_set(&ac->cmd_state, 0);
 			/* ignore msw, as a delay that large shouldn't happen */
 			ac->path_delay = payload[1];