dsp: asm: validate payload size before access
Payload size is not checked before payload access. Check it to avoid out-of-boundary memory access. Change-Id: I913e37ba8eaa3451934b88de1e6b14a5e83f493b Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
This commit is contained in:
parent
2e7be3d027
commit
4a0058421a
|
@ -1698,12 +1698,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
|
|||
case ASM_DATA_CMD_REMOVE_TRAILING_SILENCE:
|
||||
case ASM_SESSION_CMD_REGISTER_FOR_RX_UNDERFLOW_EVENTS:
|
||||
case ASM_STREAM_CMD_OPEN_WRITE_COMPRESSED:
|
||||
pr_debug("%s: session %d opcode 0x%x token 0x%x Payload = [0x%x] stat 0x%x src %d dest %d\n",
|
||||
__func__, ac->session,
|
||||
data->opcode, data->token,
|
||||
payload[0], payload[1],
|
||||
data->src_port, data->dest_port);
|
||||
if (payload[1] != 0) {
|
||||
if (data->payload_size >= 2 * sizeof(uint32_t)) {
|
||||
pr_debug("%s: session %d opcode 0x%x token 0x%x Payload = [0x%x] stat 0x%x src %d dest %d\n",
|
||||
__func__, ac->session,
|
||||
data->opcode, data->token,
|
||||
payload[0], payload[1],
|
||||
data->src_port, data->dest_port);
|
||||
}
|
||||
if (data->payload_size >= 2 * sizeof(uint32_t) &&
|
||||
payload[1] != 0) {
|
||||
pr_err("%s: cmd = 0x%x returned error = 0x%x\n",
|
||||
__func__, payload[0], payload[1]);
|
||||
if (wakeup_flag) {
|
||||
|
@ -1749,8 +1752,9 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
|
|||
(uint32_t *)data->payload, ac->priv);
|
||||
break;
|
||||
case ASM_DATA_EVENT_WATERMARK: {
|
||||
pr_debug("%s: Watermark opcode[0x%x] status[0x%x]",
|
||||
__func__, payload[0], payload[1]);
|
||||
if (data->payload_size >= 2 * sizeof(uint32_t))
|
||||
pr_debug("%s: Watermark opcode[0x%x] status[0x%x]",
|
||||
__func__, payload[0], payload[1]);
|
||||
break;
|
||||
}
|
||||
case ASM_STREAM_CMD_GET_PP_PARAMS_V2:
|
||||
|
@ -1816,8 +1820,9 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
|
|||
}
|
||||
if (lower_32_bits(port->buf[data->token].phys) !=
|
||||
payload[0] ||
|
||||
(data->payload_size >= 2 * sizeof(uint32_t) &&
|
||||
populate_upper_32_bits(port->buf[data->token].phys) !=
|
||||
payload[1]) {
|
||||
payload[1])) {
|
||||
pr_debug("%s: Expected addr %pK\n",
|
||||
__func__, &port->buf[data->token].phys);
|
||||
pr_err("%s: rxedl[0x%x] rxedu [0x%x]\n",
|
||||
|
@ -1853,18 +1858,26 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
|
|||
} else if (generic_get_data) {
|
||||
generic_get_data->valid = 1;
|
||||
if (generic_get_data->is_inband) {
|
||||
pr_debug("%s: payload[1] = 0x%x, payload[2]=0x%x, payload[3]=0x%x\n",
|
||||
__func__, payload[1], payload[2], payload[3]);
|
||||
generic_get_data->size_in_ints = payload[3]>>2;
|
||||
for (i = 0; i < payload[3]>>2; i++) {
|
||||
generic_get_data->ints[i] =
|
||||
payload[4+i];
|
||||
pr_debug("%s: ASM callback val %i = %i\n",
|
||||
__func__, i, payload[4+i]);
|
||||
if (data->payload_size >= 4 * sizeof(uint32_t)) {
|
||||
pr_debug("%s: payload[1] = 0x%x, payload[2]=0x%x, payload[3]=0x%x\n",
|
||||
__func__, payload[1], payload[2],
|
||||
payload[3]);
|
||||
generic_get_data->size_in_ints =
|
||||
payload[3]>>2;
|
||||
if (data->payload_size >=
|
||||
((payload[3]>>2) + 4)
|
||||
* sizeof(uint32_t)) {
|
||||
for (i = 0; i < payload[3]>>2; i++) {
|
||||
generic_get_data->ints[i] =
|
||||
payload[4+i];
|
||||
pr_debug("%s: ASM callback val %i = %i\n",
|
||||
__func__, i, payload[4+i]);
|
||||
}
|
||||
pr_debug("%s: callback size in ints = %i\n",
|
||||
__func__,
|
||||
generic_get_data->size_in_ints);
|
||||
}
|
||||
}
|
||||
pr_debug("%s: callback size in ints = %i\n",
|
||||
__func__,
|
||||
generic_get_data->size_in_ints);
|
||||
}
|
||||
if (atomic_read(&ac->cmd_state) && wakeup_flag) {
|
||||
atomic_set(&ac->cmd_state, 0);
|
||||
|
@ -1986,10 +1999,12 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
|
|||
q6asm_process_mtmx_get_param_rsp(ac, (void *) payload);
|
||||
break;
|
||||
case ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2:
|
||||
pr_debug("%s: ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2 session %d status 0x%x msw %u lsw %u\n",
|
||||
if (data->payload_size >= 3 * sizeof(uint32_t))
|
||||
pr_debug("%s: ASM_SESSION_CMDRSP_GET_PATH_DELAY_V2 session %d status 0x%x msw %u lsw %u\n",
|
||||
__func__, ac->session, payload[0], payload[2],
|
||||
payload[1]);
|
||||
if (payload[0] == 0) {
|
||||
if (data->payload_size >= 2 * sizeof(uint32_t) &&
|
||||
payload[0] == 0) {
|
||||
atomic_set(&ac->cmd_state, 0);
|
||||
/* ignore msw, as a delay that large shouldn't happen */
|
||||
ac->path_delay = payload[1];
|
||||
|
|
Loading…
Reference in New Issue