author | Nick Desaulniers <ndesaulniers@google.com> | 2017-04-17 16:24:36 +0900 |
---|---|---|
committer | David C. Park <davidc.park@lge.com> | 2017-05-03 11:19:25 -0700 |
commit | 9d815ef2c3a51c0bc6f1558b4c8447e471bf27cb (patch) | |
tree | 97ac3f4a24a5bdea0c60c73c8c0ada5a4a06cad8 | |
parent | d878eff8e78f729717557806256454b73abae615 (diff) |
ASoC: msm: qdsp6v2: Fix out-of-bounds access in put functionsandroid-wear-7.1.1_r0.27
Add out of bounds check in routing put functions
for the mux value before accessing the texts
pointer of soc_enum struct with mux as index.
CRs-fixed: 1097569
Bug: 33649808
References: CVE-2017-0586
Change-Id: Ib9ef8d398f0765754b0f79666963fac043b66077
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Signed-off-by: Haynes Mathew George <hgeorge@codeaurora.org>
-rw-r--r-- | sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
index 5c8383456cde..d363a0e94594 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1848,6 +1848,11 @@ static int msm_routing_ec_ref_rx_put(struct snd_kcontrol *kcontrol,
 struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
 struct snd_soc_dapm_update *update = NULL;
 
+ if (mux >= e->items) {
+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
+ return -EINVAL;
+ }
+
 mutex_lock(&routing_lock);
 switch (ucontrol->value.integer.value[0]) {
 case 0:
@@ -1996,6 +2001,11 @@ static int msm_routing_ext_ec_put(struct snd_kcontrol *kcontrol,
 __func__, msm_route_ext_ec_ref,
 ucontrol->value.integer.value[0]);
 
+ if (mux >= e->items) {
+ pr_err("%s: Invalid mux value %d\n", __func__, mux);
+ return -EINVAL;
+ }
+
 mutex_lock(&routing_lock);
 switch (ucontrol->value.integer.value[0]) {
 case EC_PORT_ID_PRIMARY_MI2S_TX:
|
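Review bot: The new bound is applied to `mux`, but the `switch` that follows in both `msm_routing_ec_ref_rx_put` and `msm_routing_ext_ec_put` still dispatches on `ucontrol->value.integer.value[0]`, so the value that is validated and the value that selects the route are read separately. `mux` is declared above both hunks; if it is taken from `value.enumerated.item[0]`, the two union members differ in width on 64-bit builds and can disagree, so switching on `mux` (or bounding the same field the `switch` reads) would keep the check and the use tied together. The `pr_err` sits on a path that a userspace control write can reach repeatedly, so `pr_err_ratelimited("%s: Invalid mux value %d\n", __func__, mux);` would keep a misbehaving client from flooding the kernel log. Both function bodies continue outside the hunks, so other uses of `mux` there could not be checked.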