tegra-alt: adsp: add parameter size checks
Viraj Karandikar [Tue, 14 Mar 2017 05:17:22 +0000 (10:17 +0530)]
Fix possible buffer overflow in case of invalid user
parameter by adding size checks

Bug 1869543
Bug 1888389
Bug 2002359

Change-Id: I82ac00e24a3ca40915eb6c556454c9649cb644bd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1297227
(cherry-picked from commit 2e4308a3800f3dcd4aa91a1b446cf00cf7ebda59)
Reviewed-on: http://git-master/r/1320244
Signed-off-by: Amulya Y <ayarlagadda@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1656808
Reviewed-by: Jonathan Hunter <jonathanh@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

sound/soc/tegra-alt/tegra210_adsp_alt.c

index 3b5f97b..ad1851c 100644 (file)
@@ -2,7 +2,7 @@
  * tegra210_adsp_alt.c - Tegra ADSP audio driver
  *
  * Author: Sumit Bhattacharya <sumitb@nvidia.com>
- * Copyright (c) 2014-2016, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2014-2018, NVIDIA CORPORATION.  All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -2590,6 +2590,14 @@ static int tegra210_adsp_set_param(struct snd_kcontrol *kcontrol,
                        dev_warn(adsp->dev, "No params to pass to the plugin\n");
                        return 0;
                }
+
+               if (num_params + 2 >
+                       sizeof(apm_msg.msg.fx_set_param_params.params)/
+                       sizeof(apm_msg.msg.fx_set_param_params.params[0])) {
+                       dev_err(adsp->dev, "parameter too large\n");
+                       return -EINVAL;
+               }
+
                apm_msg.msg.fx_set_param_params.params[0] =
                        (sizeof(nvfx_call_params_t) +
                        num_params * sizeof(int32_t));
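Review bot: The added guard does arithmetic on the untrusted count before comparing it: `num_params + 2` can wrap (or, for a signed type, go from a small negative to 0 or 1) and still pass, after which `num_params * sizeof(int32_t)` on the following lines is computed from the unchecked value. The declaration of num_params is outside this hunk, so this is a hedge rather than a confirmed defect. Keeping the arithmetic on the constant side closes the gap for either signedness: `if (num_params > ARRAY_SIZE(apm_msg.msg.fx_set_param_params.params) - 2) {`. ARRAY_SIZE also replaces the hand-written sizeof division. tegra210_adsp_set_param starts and ends outside the hunk, so an earlier bound on num_params cannot be ruled out from here.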
@@ -2610,6 +2618,12 @@ static int tegra210_adsp_set_param(struct snd_kcontrol *kcontrol,
                nvfx_call_params_t *call_params =
                        (nvfx_call_params_t *)ucontrol->value.bytes.data;
 
+               if (call_params->size >
+                       sizeof(apm_msg.msg.fx_set_param_params.params)) {
+                       dev_err(adsp->dev, "parameter too large\n");
+                       return -EINVAL;
+               }
+
                /* copy parameters */
                memcpy(&apm_msg.msg.fx_set_param_params.params,
                        call_params, call_params->size);
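Review bot: The new check bounds `call_params->size` only against the destination, so the `memcpy` below can still read past the source if `params` is larger than `ucontrol->value.bytes.data`; neither size is visible in this hunk, so that needs confirming. There is also no lower bound, so a size smaller than the header is accepted and forwarded as a truncated `nvfx_call_params_t`. I would tighten the condition to `if (call_params->size < sizeof(*call_params) || call_params->size > min(sizeof(apm_msg.msg.fx_set_param_params.params), sizeof(ucontrol->value.bytes.data))) {`. A distinct message here, for example `"invalid call_params size\n"`, would let logs tell this rejection apart from the identical "parameter too large" in the earlier branch. The enclosing function continues outside the hunk.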