ASoC: msm-pcm-q6-v2: Add dsp buf check
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: I7753cc6db394704dbb959477150141d42b836bef
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
Issue: FP3SEC-987
(cherry picked from commit 28658bc2a0a290fdfcab61bed67e89874e99ca47)
diff --git a/asoc/msm-pcm-q6-v2.c b/asoc/msm-pcm-q6-v2.c
index 6e50f0f..3b302e5 100644
--- a/asoc/msm-pcm-q6-v2.c
+++ b/asoc/msm-pcm-q6-v2.c
@@ -1,4 +1,5 @@
/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -981,6 +982,14 @@
xfer = size;
offset = prtd->in_frame_info[idx].offset;
pr_debug("Offset value = %d\n", offset);
+
+ if (offset >= size) {
+ pr_err("%s: Invalid dsp buf offset\n", __func__);
+ ret = -EFAULT;
+ q6asm_cpu_buf_release(OUT, prtd->audio_client);
+ goto fail;
+ }
+
if (size == 0 || size < prtd->pcm_count) {
memset(bufptr + offset + size, 0, prtd->pcm_count - size);
if (fbytes > prtd->pcm_count)