Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / opensource / audio-kernel / 9c429506158aac4d5903f5e157c6c0b51e5b1d31^! / . / dsp / rtac.c
commit9c429506158aac4d5903f5e157c6c0b51e5b1d31[log] [tgz]
authorkunleiz <kunleiz@codeaurora.org>Mon Sep 18 16:10:19 2017 +0800
committerkunleiz <kunleiz@codeaurora.org>Fri Sep 29 13:47:11 2017 +0800
tree8c384eba2e1bf0100dc4606367cb59857c6b9517
parent53a557ad4625fcb621ec15a29e8e7191af72fd21 [diff] [blame]
rtac: add size check when reading cal data kvaddr buffer

Add size check to ensure cal data bytes size fits inside
the cal data when copying to user space buffer.

CRs-Fixed: 2110256
Change-Id: I511999984684a9db4aaf1cf2c65eb1495c36980f
Signed-off-by: kunleiz <kunleiz@codeaurora.org>

diff --git a/dsp/rtac.c b/dsp/rtac.c
index 456ac57..84ef835 100644
--- a/dsp/rtac.c
+++ b/dsp/rtac.c

@@ -909,6 +909,14 @@
 		bytes_returned = ((u32 *)rtac_cal[ADM_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[ADM_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);
@@ -1132,6 +1140,14 @@
 		bytes_returned = ((u32 *)rtac_cal[ASM_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[ASM_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);
@@ -1392,6 +1408,14 @@
 		bytes_returned = get_resp->param_size +
 				sizeof(struct afe_port_param_data_v2);
 
+		if (bytes_returned > rtac_cal[AFE_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_afe_buf.buf_size) {
 			pr_err("%s: user size = 0x%x, returned size = 0x%x\n",
 				__func__, user_afe_buf.buf_size,
@@ -1617,6 +1641,14 @@
 		bytes_returned = ((u32 *)rtac_cal[VOICE_RTAC_CAL].cal_data.
 			kvaddr)[2] + 3 * sizeof(u32);
 
+		if (bytes_returned > rtac_cal[VOICE_RTAC_CAL].
+			map_data.map_size) {
+			pr_err("%s: Invalid data size = %d\n",
+				__func__, bytes_returned);
+			result = -EINVAL;
+			goto err;
+		}
+
 		if (bytes_returned > user_buf_size) {
 			pr_err("%s: User buf not big enough, size = 0x%x, returned size = 0x%x\n",
 				__func__, user_buf_size, bytes_returned);