From 8292fe595c99ccbcb5e73debdba21d5f1ad91ef6 Mon Sep 17 00:00:00 2001
From: Ben Romberger <bromberg@codeaurora.org>
Date: Thu, 14 Apr 2016 14:35:10 -0700
Subject: [PATCH] ASoC: msm: Add bounds checking to ADM get params

Add additional bounds checking to ADM get params. Validate that all buffer sizes are valid before dereferencing.

BUG=27947307
Change-Id: Iae3643985b5b72b78606f4dff94f8068ee0ddc09
---
 sound/soc/msm/qdsp6v2/q6adm.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c
index 08caf510f8b4..14565cc22acb 100644
--- a/sound/soc/msm/qdsp6v2/q6adm.c
+++ b/sound/soc/msm/qdsp6v2/q6adm.c
@@ -508,9 +508,18 @@ int adm_get_params(int port_id, uint32_t module_id, uint32_t param_id,
 rc = -EINVAL;
 goto adm_get_param_return;
 }
- if (params_data) {
+ if ((params_data) &&
+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
+ (ARRAY_SIZE(adm_get_parameters) >= 1+adm_get_parameters[0]) &&
+ (params_length/sizeof(int) >= adm_get_parameters[0])) {
 for (i = 0; i < adm_get_parameters[0]; i++)
 params_data[i] = adm_get_parameters[1+i];
+ } else {
+ pr_err("%s: Get param data not copied! get_param array size %zd, index %d, params array size %zd, index %d\n",
+ __func__, ARRAY_SIZE(adm_get_parameters),
+ (1+adm_get_parameters[0]),
+ params_length/sizeof(int),
+ adm_get_parameters[0]);
 }
 rc = 0;
 adm_get_param_return:
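Review bot: The new `else` branch in adm_get_params logs that nothing was copied but still falls through to `rc = 0;`, so a caller cannot tell a rejected length from a successful read and may go on to use a `params_data` buffer that was never filled. When the size checks fail, return an error instead, for example `rc = -EINVAL; goto adm_get_param_return;` inside the `else`, keeping the NULL `params_data` case separate if callers legitimately pass NULL. `adm_get_parameters[0]` is also read once per check and again in the loop condition; if adm_callback can rewrite the array while this runs (not visible here), copy the count into a local first and validate and loop on that copy. `ARRAY_SIZE()` and `params_length/sizeof(int)` are `size_t`, so `%zu` is the matching specifier rather than `%zd`. The function starts before the hunk and continues after it.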
@@ -799,17 +808,18 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 data->payload_size))
 break;
- if (payload[0] == 0) {
- if (data->payload_size >
- (4 * sizeof(uint32_t))) {
- adm_get_parameters[0] = payload[3];
+ if ((payload[0] == 0) &&
+ (data->payload_size > (4 * sizeof(*payload))) &&
+ (data->payload_size/sizeof(*payload)-4 >= payload[3]) &&
+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
+ (ARRAY_SIZE(adm_get_parameters)-1 >= payload[3])) {
+ adm_get_parameters[0] = payload[3];
 pr_debug("GET_PP PARAM:received parameter length: 0x%x\n", adm_get_parameters[0]);
 /* storing param size then params */
 for (i = 0; i < payload[3]; i++)
 adm_get_parameters[1+i] = payload[4+i];
- }
 } else {
 adm_get_parameters[0] = -1;
 pr_err("%s: GET_PP_PARAMS failed, setting size to %d\n",
-- 
GitLab
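Review bot: `payload[0]` is still read as the first operand of the new condition in adm_callback, before `data->payload_size` has been compared with anything, so a response shorter than one word is dereferenced unless an earlier check outside this hunk rules that out. Putting the size test first lets the short-circuit order protect every index: `if ((data->payload_size > (4 * sizeof(*payload))) && (payload[0] == 0) && ...`. The shared `else` now also covers a successful status whose `payload[3]` exceeds the payload or the array, yet it logs only "GET_PP_PARAMS failed"; logging `data->payload_size` there would let a rejected length be told apart from a DSP error. The enclosing case body starts and ends outside the hunk.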