dsp: asm: validate ADSP data before access
Validate buffer index obtained from ADSP token before using it.
CRs-Fixed: 2372302
Change-Id: I3f5e1b6f515935a10a8c59c324452be0a71f9473
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
diff --git a/dsp/q6asm.c b/dsp/q6asm.c
index 0f7c8ea..c4c90fe 100644
--- a/dsp/q6asm.c
+++ b/dsp/q6asm.c
@@ -1954,6 +1954,7 @@
data->dest_port);
if ((data->opcode != ASM_DATA_EVENT_RENDERED_EOS) &&
(data->opcode != ASM_DATA_EVENT_EOS) &&
+ (data->opcode != ASM_SESSION_EVENTX_OVERFLOW) &&
(data->opcode != ASM_SESSION_EVENT_RX_UNDERFLOW)) {
if (payload == NULL) {
pr_err("%s: payload is null\n", __func__);
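Review bot: The added `ASM_SESSION_EVENTX_OVERFLOW` exemption lets a NULL payload for that opcode pass this guard, and neither the commit message nor a comment says why that is safe. The code that handles this opcode lies outside the hunk, so confirm that it never dereferences `payload`. A comment above the condition such as `/* these events may arrive without a payload; every other opcode requires one */` would record the intent. The commit description should also mention this change alongside the buffer-index check.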
@@ -2159,6 +2160,16 @@
}
spin_lock_irqsave(&port->dsp_lock, dsp_flags);
buf_index = asm_token._token.buf_index;
+ if (buf_index < 0 || buf_index >= port->max_buf_cnt) {
+ pr_debug("%s: Invalid buffer index %u\n",
+ __func__, buf_index);
+ spin_unlock_irqrestore(&port->dsp_lock,
+ dsp_flags);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock),
+ flags);
+ return -EINVAL;
+ }
if (data->payload_size >= 2 * sizeof(uint32_t) &&
(lower_32_bits(port->buf[buf_index].phys) !=
payload[0] ||
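Review bot: The new range check tests `buf_index < 0` but prints the value with `%u`, so one of the two does not match the variable's type, whose declaration is outside the hunk. If `buf_index` is signed the format should be `%d`; if it is unsigned the `< 0` arm is dead code and only the upper bound ever rejects a token value. Because the index comes from the DSP, a rejected value is worth seeing in production logs, which `pr_debug` normally hides. `pr_err_ratelimited("%s: Invalid buffer index %d\n", __func__, buf_index);` would surface it without flooding the log. The identical block added in the following hunk (at -2268) needs the same adjustment.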
@@ -2268,6 +2279,16 @@
}
spin_lock_irqsave(&port->dsp_lock, dsp_flags);
buf_index = asm_token._token.buf_index;
+ if (buf_index < 0 || buf_index >= port->max_buf_cnt) {
+ pr_debug("%s: Invalid buffer index %u\n",
+ __func__, buf_index);
+ spin_unlock_irqrestore(&port->dsp_lock,
+ dsp_flags);
+ spin_unlock_irqrestore(
+ &(session[session_id].session_lock),
+ flags);
+ return -EINVAL;
+ }
port->buf[buf_index].used = 0;
if (lower_32_bits(port->buf[buf_index].phys) !=
payload[READDONE_IDX_BUFADD_LSW] ||
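Review bot: `payload[READDONE_IDX_BUFADD_LSW]` is read right after the new index check with no `data->payload_size` test visible in this hunk, whereas the earlier path guards its `payload[0]` comparison with `data->payload_size >= 2 * sizeof(uint32_t)`. If no size check exists above the hunk, a short payload from the DSP would still be read past its end here. A guard such as `if (data->payload_size < (READDONE_IDX_BUFADD_LSW + 1) * sizeof(uint32_t))`, extended to the highest index the comparison reads, would close that. It should release both locks and return `-EINVAL`, as the new index check does. The enclosing case starts and ends outside the hunk.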