From e023a636d245708fad2b2563514dacda9f05e77f Mon Sep 17 00:00:00 2001 From: Karthik Reddy Katta Date: Tue, 3 Jan 2017 11:09:05 +0530 Subject: [PATCH] drivers: soc: qcom: Add overflow check in ADM driver Add overflow check for param length to prevent heap overflow while allocating memory for ADM parameters. CRs-Fixed: 1103334 Change-Id: I1163aeaabbc84dba4cd0739a35ecbdee18b42717 Signed-off-by: Karthik Reddy Katta --- sound/soc/msm/qdsp6v2/q6adm.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c index 5f20b81d8c02..a9d23e75ee15 100644 --- a/sound/soc/msm/qdsp6v2/q6adm.c +++ b/sound/soc/msm/qdsp6v2/q6adm.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2014, 2016, 2017 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -969,9 +969,10 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id, char *params, uint32_t client_id) { struct adm_cmd_get_pp_params_v5 *adm_params = NULL; - int sz, rc = 0, i = 0; + int rc = 0, i = 0; int port_idx, idx; int *params_data = (int *)params; + uint64_t sz = 0; port_id = afe_convert_virtual_to_portid(port_id); port_idx = adm_validate_and_get_port_index(port_id); @@ -980,7 +981,16 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id, return -EINVAL; } - sz = sizeof(struct adm_cmd_get_pp_params_v5) + params_length; + sz = (uint64_t)sizeof(struct adm_cmd_get_pp_params_v5) + + (uint64_t)params_length; + /* + * Check if the value of "sz" (which is ultimately assigned to + * "hdr.pkt_size") crosses U16_MAX. + */ + if (sz > U16_MAX) { + pr_err("%s: Invalid params_length\n", __func__); + return -EINVAL; + } adm_params = kzalloc(sz, GFP_KERNEL); if (!adm_params) { pr_err("%s: adm params memory alloc failed", __func__);