From 21eccc591074209509e2105bd61aeefec247583f Mon Sep 17 00:00:00 2001 From: Sandhya Mutha Naga Venkata Date: Fri, 8 Mar 2024 13:22:08 +0530 Subject: [PATCH 1/9] dsp: q6voice: Add buf size check for cvs cal data Check for the max size of cvs command register calibration data that can be copied else will result in buffer overflow. Change-Id: Ib1f0bf1f5548f5213514123bc56a42d32287100d Signed-off-by: Sandhya Mutha Naga Venkata (cherry picked from commit a6408aac7879641124823b3742f05167310d84ad) --- 4.0/dsp/q6voice.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/4.0/dsp/q6voice.c b/4.0/dsp/q6voice.c index 5e90104beee0..46b70c626e78 100644 --- a/4.0/dsp/q6voice.c +++ b/4.0/dsp/q6voice.c @@ -2757,6 +2757,13 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v) goto unlock; } + if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) { + pr_err("%s: Invalid cal data size %d!\n", + __func__, col_data->cal_data.size); + ret = -EINVAL; + goto unlock; + } + memcpy(&cvs_reg_cal_cmd.cvs_cal_data.column_info[0], (void *) &((struct audio_cal_info_voc_col *) col_data->cal_info)->data, From d1220c8b70615e33842e6cbbabd038a359c3958e Mon Sep 17 00:00:00 2001 From: Sandhya Mutha Naga Venkata Date: Wed, 13 Mar 2024 17:12:08 +0530 Subject: [PATCH 2/9] audio-kernel: Add changes in multiple files to unblock CR's Change is created as part of blocking cr's Change-Id: I300d30ea223891cbffc2efe07b55df7fc818b381 Signed-off-by: Sandhya Mutha Naga Venkata --- 4.0/asoc/msm-audio-effects-q6-v2.c | 9 +++++++++ 4.0/asoc/msm-pcm-host-voice-v2.c | 8 +++++++- 4.0/dsp/q6afe.c | 16 ++++++++++++++++ 4.0/dsp/q6asm.c | 22 +++++++++++++++++++++- 4.0/dsp/q6core.c | 3 ++- 5 files changed, 55 insertions(+), 3 deletions(-) diff --git a/4.0/asoc/msm-audio-effects-q6-v2.c b/4.0/asoc/msm-audio-effects-q6-v2.c index db3bd87ebc0e..49b5a9060fef 100644 --- a/4.0/asoc/msm-audio-effects-q6-v2.c +++ b/4.0/asoc/msm-audio-effects-q6-v2.c 
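Review bot: In voice_send_cvs_register_cal_cmd the new guard compares `col_data->cal_data.size` with MAX_COL_INFO_SIZE, but the length argument of the memcpy it protects lies past the end of this hunk, so it cannot be confirmed from here that the checked field is the length actually copied into `column_info`. Tying the bound to the destination would make the check self-evident and keep it correct if the array is resized, e.g. `if (col_data->cal_data.size > sizeof(cvs_reg_cal_cmd.cvs_cal_data.column_info)) {` (assuming `column_info` is a fixed-size array in that struct). As written, `>=` also rejects data that fits the limit exactly; that is safe, but deserves a one-line comment if intentional. The source, `((struct audio_cal_info_voc_col *)col_data->cal_info)->data`, is only covered by this check if it is at least as large as the destination.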
@@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -953,6 +954,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, goto invalid_config; } + if ((pbe->config.bandpass_filter_order > 3) || + (pbe->config.bandpass_filter_order < 1)) { + pr_err("%s: Invalid BPF order\n", + __func__); + rc = -EINVAL; + goto invalid_config; + } + pbe->config.real_bass_mix = GET_NEXT(values, param_max_offset, rc); pbe->config.bass_color_control = diff --git a/4.0/asoc/msm-pcm-host-voice-v2.c b/4.0/asoc/msm-pcm-host-voice-v2.c index 0e90f558ef6a..2ec3e65ca6c7 100644 --- a/4.0/asoc/msm-pcm-host-voice-v2.c +++ b/4.0/asoc/msm-pcm-host-voice-v2.c @@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved. - * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -625,6 +625,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd, } } + if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) { + pr_err("%s:: Invalid hpcm start request\n", __func__); + memset(&prtd->start_cmd, 0, sizeof(struct start_cmd)); + return -EINVAL; + } + if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) && *no_of_tp == no_of_tp_req) { voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name), diff --git a/4.0/dsp/q6afe.c b/4.0/dsp/q6afe.c index 85e095c37fbb..bdf37d1a5e84 100644 --- a/4.0/dsp/q6afe.c +++ b/4.0/dsp/q6afe.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only /* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include #include 
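Review bot: In msm_audio_effects_pbe_handler (4.0/asoc/msm-audio-effects-q6-v2.c, hunk at -953) the range check on `pbe->config.bandpass_filter_order` sits before `pbe->config.real_bass_mix = GET_NEXT(values, ...)`, the first config field this hunk shows being parsed. If the order is read from `values` further down, as the placement of the same check after `pbe->config.reserved` in patch 3/9 suggests, this copy tests whatever an earlier call left in `pbe->config` (or zero on the first call). It can then reject a valid request and never sees the incoming value. The check belongs after the field is parsed, so this copy should be dropped in favour of the later one. The literals 1 and 3 would read better as named constants; the function body extends beyond the hunk on both sides.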
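Review bot: In hpcm_start_vocpcm (4.0/asoc/msm-pcm-host-voice-v2.c) the new condition `*no_of_tp != no_of_tp_req && *no_of_tp > 2` rejects a count above 2 only when it also differs from `no_of_tp_req`, so a count above 2 that matches the requested value still reaches `voc_send_cvp_start_vocpcm`. If 2 is the capacity of the tap-point storage in `prtd->start_cmd` (not visible in this hunk), the bound should be tested on its own, `if (*no_of_tp > 2) {`, and preferably before the code above this hunk that fills the command rather than after it. Whether writes past that capacity can already have happened by this point needs checking against the full function. The literal 2 should be a named constant.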
@@ -7014,6 +7015,14 @@ static int afe_sidetone_iir(u16 tx_port_id) pr_debug("%s: adding 2 to size:%d\n", __func__, size); size = size + 2; } + + if (size > MAX_SIDETONE_IIR_DATA_SIZE) { + pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size); + mutex_unlock(&this_afe.cal_data[cal_index]->lock); + ret = -EINVAL; + goto done; + } + memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size); mutex_unlock(&this_afe.cal_data[cal_index]->lock); @@ -8322,6 +8331,7 @@ int afe_spk_prot_get_calib_data(struct afe_spkr_prot_get_vi_calib *calib_resp) struct param_hdr_v3 param_hdr; int port = SLIMBUS_4_TX; int ret = -EINVAL; + uint32_t th_vi_ca_state; if (!calib_resp) { pr_err("%s: Invalid params\n", __func__); @@ -8343,6 +8353,12 @@ int afe_spk_prot_get_calib_data(struct afe_spkr_prot_get_vi_calib *calib_resp) __func__, port, param_hdr.param_id, ret); goto get_params_fail; } + th_vi_ca_state = this_afe.calib_data.res_cfg.th_vi_ca_state; + if (th_vi_ca_state < FBSP_INCORRECT_OP_MODE || + th_vi_ca_state > MAX_FBSP_STATE) { + pr_err("%s: invalid fbsp state %d\n", __func__, th_vi_ca_state); + goto get_params_fail; + } memcpy(&calib_resp->res_cfg, &this_afe.calib_data.res_cfg, sizeof(this_afe.calib_data.res_cfg)); pr_info("%s: state %s resistance %d %d\n", __func__, diff --git a/4.0/dsp/q6asm.c b/4.0/dsp/q6asm.c index 3a807df8bd3d..010000044ddf 100644 --- a/4.0/dsp/q6asm.c +++ b/4.0/dsp/q6asm.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. * Author: Brian Swetland * * This software is licensed under the terms of the GNU General Public 
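Review bot: In afe_sidetone_iir the new upper bound `size > MAX_SIDETONE_IIR_DATA_SIZE` is printed with `%d`, which suggests `size` is a signed int (its declaration is outside the hunk). A negative value would pass this check and be converted to a very large length by `memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size)`. Rejecting negatives as well, `if (size < 0 || size > MAX_SIDETONE_IIR_DATA_SIZE) {`, closes that path. A build-time assertion that MAX_SIDETONE_IIR_DATA_SIZE does not exceed `sizeof(filter_data.iir_config)` would tie the limit to the destination buffer.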
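Review bot: In afe_spk_prot_get_calib_data the new rejection path jumps to `get_params_fail` without assigning `ret`. The preceding failure branch is taken only on a non-zero result, so `ret` is presumably 0 here (its assignment is outside the hunk) and the caller would see success with `calib_resp->res_cfg` left unfilled; add `ret = -EINVAL;` before the `goto`. Because `th_vi_ca_state` is `uint32_t`, the `< FBSP_INCORRECT_OP_MODE` half is always false if that constant is 0. If MAX_FBSP_STATE is the number of states rather than the highest valid one, `>` lets one out-of-range value through to the `state %s` lookup in the `pr_info` below, and `th_vi_ca_state >= MAX_FBSP_STATE` would be the safe form. The value should be printed with `%u`.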
@@ -2288,6 +2289,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) config_debug_fs_read_cb(); + if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) { + pr_err("%s: payload size of %d is less than expected %d.\n", + __func__, data->payload_size, + ((READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t))); + spin_unlock_irqrestore( + &(session[session_id].session_lock), + flags); + return -EINVAL; + } + dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n", __func__, payload[READDONE_IDX_STATUS], payload[READDONE_IDX_BUFADD_LSW], @@ -2394,7 +2405,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) __func__, data->payload_size); break; case ASM_SESSION_CMDRSP_GET_MTMX_STRTR_PARAMS_V2: - q6asm_process_mtmx_get_param_rsp(ac, (void *) payload); + payload_size = sizeof(struct asm_mtmx_strtr_get_params_cmdrsp); + if (data->payload_size < payload_size) { + pr_err("%s: insufficient payload size = %d\n", + __func__, data->payload_size); + spin_unlock_irqrestore( + &(session[session_id].session_lock), flags); + return -EINVAL; + } + q6asm_process_mtmx_get_param_rsp(ac, + (struct asm_mtmx_strtr_get_params_cmdrsp *) payload); break; case ASM_STREAM_PP_EVENT: case ASM_STREAM_CMD_ENCDEC_EVENTS: diff --git a/4.0/dsp/q6core.c b/4.0/dsp/q6core.c index 7a6d16fdfcfe..11459bbf4f88 100644 --- a/4.0/dsp/q6core.c +++ b/4.0/dsp/q6core.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -197,7 +198,7 @@ EXPORT_SYMBOL(q6core_send_uevent); static int parse_fwk_version_info(uint32_t *payload, uint16_t payload_size) { size_t ver_size; - int num_services; + uint16_t num_services; pr_debug("%s: Payload info num services %d\n", __func__, payload[4]); From ac66f26674c94d4081f1b0c69e6b9f82b83b45b9 Mon Sep 17 00:00:00 2001 
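Review bot: In the read-done path of q6asm_callback the new check uses `!=` while its message says the payload "is less than expected", and the third argument `((READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t))` is a `size_t` printed with `%d`. Either the comparison should be `<` so that a longer payload is still accepted, or the message should say that the size does not match; the `sizeof` expression needs `%zu`. The highest `payload` index read in this branch is not visible in the hunk, so confirm that READDONE_IDX_SEQ_ID really is the last word accessed.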
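Review bot: In parse_fwk_version_info (4.0/dsp/q6core.c), narrowing `num_services` to `uint16_t` truncates a 32-bit count instead of rejecting it. The assignment is outside the hunk, but if `num_services` is loaded from `payload[4]`, a value such as 0x10001 would be treated as 1 and pass any size check derived from it. Keeping the full 32-bit value and rejecting counts that `payload_size` cannot hold is the more robust form. The `pr_debug` at the top of the function also reads `payload[4]` before any length check inside this function, so the caller has to guarantee at least five words; a comment stating that precondition would help.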
From: Sandhya Mutha Naga Venkata Date: Wed, 17 Apr 2024 17:50:35 +0530 Subject: [PATCH 3/9] ASoC: msm-audio-effects-q6-v2: Add BPF order check Added check for bandpassfilter order in order to avoid coeff len going out of bounds thereby leading to memory overflow issues. Change-Id: I633d89c58f8af5f12e11e4cdcc928f873a712d13 Signed-off-by: Sandhya Mutha Naga Venkata --- 4.0/asoc/msm-audio-effects-q6-v2.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/4.0/asoc/msm-audio-effects-q6-v2.c b/4.0/asoc/msm-audio-effects-q6-v2.c index 49b5a9060fef..a943904cd7d0 100644 --- a/4.0/asoc/msm-audio-effects-q6-v2.c +++ b/4.0/asoc/msm-audio-effects-q6-v2.c @@ -1011,6 +1011,15 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, pbe->config.reserved = GET_NEXT(values, param_max_offset, rc); + if ((pbe->config.bandpass_filter_order > 3) || + (pbe->config.bandpass_filter_order < 1)) { + pr_err("%s: Invalid BPF order\n", + __func__); + rc = -EINVAL; + goto invalid_config; + } + + p_coeffs = &pbe->config.p1LowPassCoeffs[0]; lpf_len = (pbe->config.xover_filter_order == 3) ? 10 : 5; hpf_len = (pbe->config.xover_filter_order == 3) ? 10 : 5; From 9b89e4b1d7d6075fbb170ba674a438ec0ebde0d0 Mon Sep 17 00:00:00 2001 From: Kumar Anurag Singh Date: Thu, 4 Apr 2024 21:27:36 -0700 Subject: [PATCH 4/9] Fix for OOB access issue Added payload size check to avoid OOB read issues. Change-Id: I4f15bdfdcf15e388ebc49dd0e8cf7a99ed03d0d5 Signed-off-by: Kumar Anurag Singh (cherry picked from commit fb09ec8587ea689fc274c0e1b9d096b55cea36c8) --- dsp/q6adm.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/dsp/q6adm.c b/dsp/q6adm.c index 89e25a9c9671..e97bcb90c0ae 100644 --- a/dsp/q6adm.c +++ b/dsp/q6adm.c 
@@ -1604,16 +1604,11 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) if (data->opcode == APR_BASIC_RSP_RESULT) { pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n", __func__, payload[0]); - - if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) && - ((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) || - (payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) { - if (data->payload_size < - (2 * sizeof(uint32_t))) { - pr_err("%s: Invalid payload size %d\n", - __func__, data->payload_size); - return 0; - } + if (data->payload_size < + (2 * sizeof(uint32_t))) { + pr_err("%s: Invalid payload size %d\n", + __func__, data->payload_size); + return 0; } if (payload[1] != 0) { From 6bc6c071412fa8ffcdcaacf8b20a0815db86c54b Mon Sep 17 00:00:00 2001 From: Sandhya Mutha Naga Venkata Date: Mon, 29 Apr 2024 14:05:28 +0530 Subject: [PATCH 5/9] Fix for OOB access issue Added payload size check to avoid OOB read issues. Change-Id: I601ab1ac26168db50a0ada1d202d6ca197dd0241 Signed-off-by: Sandhya Mutha Naga Venkata (Source change ID: Change-Id: I4f15bdfdcf15e388ebc49dd0e8cf7a99ed03d0d5 ) --- 4.0/dsp/q6adm.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/4.0/dsp/q6adm.c b/4.0/dsp/q6adm.c index 5a038c97796b..0eb010a2208c 100644 --- a/4.0/dsp/q6adm.c +++ b/4.0/dsp/q6adm.c @@ -1565,16 +1565,11 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) if (data->opcode == APR_BASIC_RSP_RESULT) { pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n", __func__, payload[0]); - - if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) && - ((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) || - (payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) { - if (data->payload_size < - (2 * sizeof(uint32_t))) { - pr_err("%s: Invalid payload size %d\n", - __func__, data->payload_size); - return 0; - } + if (data->payload_size < + (2 * sizeof(uint32_t))) { + pr_err("%s: Invalid payload size %d\n", + __func__, data->payload_size); + return 0; } if (payload[1] != 0) { 
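Review bot: In adm_callback the `pr_debug` that prints `payload[0]` still runs before the now-unconditional `data->payload_size < (2 * sizeof(uint32_t))` check, so the first payload word is read before its presence is verified, unless an earlier check outside the hunk guarantees it. Moving the size check above the `pr_debug` makes the branch self-contained. The rejection path returns 0, so the caller cannot tell a truncated response from a handled one; `return -EINVAL;`, as q6lsm_mmapcallback does later in this series, would be consistent. The same applies to the identical hunk in 4.0/dsp/q6adm.c (patch 5/9).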
From a39bc609e7499bfa82d6fc1eba93bd808e9febae Mon Sep 17 00:00:00 2001 From: Sandhya Mutha Naga Venkata Date: Mon, 15 Apr 2024 00:50:50 -0700 Subject: [PATCH 6/9] dsp: q6lsm: Check size of payload before access check size of payload before access in q6lsm_mmapcallback. Change-Id: I6a755ca4cf54078f0d00f38e303f1b1da29b244c Signed-off-by: Kumar Anurag Singh (cherry picked from commit bbe748c8dfa4de303462edaba96d4ce283c13bc7) Signed-off-by: Sandhya Mutha Naga Venkata --- dsp/q6lsm.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/dsp/q6lsm.c b/dsp/q6lsm.c index fdff509e594d..74fb34a5151c 100644 --- a/dsp/q6lsm.c +++ b/dsp/q6lsm.c @@ -1,15 +1,6 @@ /* * Copyright (c) 2013-2019, Linux Foundation. All rights reserved. - * - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and - * only version 2 as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include #include @@ -1823,6 +1814,12 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv) return 0; } + if (data->payload_size < (2 * sizeof(uint32_t))) { + pr_err("%s: payload has invalid size[%d]\n", __func__, + data->payload_size); + return -EINVAL; + } + command = payload[0]; retcode = payload[1]; sid = (data->token >> 8) & 0x0F; From 7afa37f24bc49e6c2dde1f9e9a2c2a194e4d582d Mon Sep 17 00:00:00 2001 
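Review bot: The first hunk of dsp/q6lsm.c removes the GPL version 2 notice from the file header and leaves only the two copyright lines, without adding a `// SPDX-License-Identifier: GPL-2.0-only` line in its place (the 4.0/dsp/q6lsm.c header touched in patch 7/9 has one). This is unrelated to the payload check described in the commit message and leaves the file with no licence statement. Add the SPDX line as line 1 or restore the notice.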
From: Sandhya Mutha Naga Venkata Date: Tue, 7 May 2024 11:31:09 +0530 Subject: [PATCH 7/9] dsp: q6lsm: Check size of payload before access check size of payload before access in q6lsm_mmapcallback. Change-Id: I03df98f7ce7bb74f463225f904a0f402cf3da75e Signed-off-by: Sandhya Mutha Naga Venkata (Source change-Id: I6a755ca4cf54078f0d00f38e303f1b1da29b244c) --- 4.0/dsp/q6lsm.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/4.0/dsp/q6lsm.c b/4.0/dsp/q6lsm.c index 058e8a8e8666..8644305381ef 100644 --- a/4.0/dsp/q6lsm.c +++ b/4.0/dsp/q6lsm.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2013-2019, Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include #include @@ -1901,6 +1901,12 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv) return 0; } + if (data->payload_size < (2 * sizeof(uint32_t))) { + pr_err("%s: payload has invalid size[%d]\n", __func__, + data->payload_size); + return -EINVAL; + } + command = payload[0]; retcode = payload[1]; sid = (data->token >> 8) & 0x0F; From a5297b52fc13bf5a7b1e771b3f0fb8278655df25 Mon Sep 17 00:00:00 2001 From: Sandhya Mutha Naga Venkata Date: Wed, 1 May 2024 09:51:35 +0530 Subject: [PATCH 8/9] dsp: q6voice: Adds checks for an integer overflow there is no check for cvs_voc_pkt[2],when recieves 0xffffffff from ADSP which results in an integer overflow Fix is to address this. Change-Id: Ie935dd8823981ec260d77f5117f4ef0b0fc08f60 Signed-off-by: Ramireddy KrishnaKanth Reddy (cherry picked from commit 4524418cd14dce47e4ea7234618f919e28dbbe5a) Signed-off-by: Sandhya Mutha Naga Venkata --- dsp/q6voice.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/dsp/q6voice.c b/dsp/q6voice.c index 0089adbd5680..d9b444715f9e 100644 --- a/dsp/q6voice.c +++ b/dsp/q6voice.c 
@@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only /* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include #include @@ -7777,7 +7777,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) { int ret = 0; u16 cvs_handle; - uint32_t *cvs_voc_pkt; + uint32_t *cvs_voc_pkt, tot_buf_sz; struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd; void *apr_cvs; @@ -7806,9 +7806,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED; cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data; + + if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) { + pr_err("%s: integer overflow detected\n", __func__); + return -EINVAL; + } + if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) { - if (v->shmem_info.sh_buf.buf[1].size < - ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) { + if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) { pr_err("%s: invalid voc pkt size\n", __func__); return -EINVAL; } From f3b2f5980b9da91842ee4432bfa1090fdc3f2156 Mon Sep 17 00:00:00 2001 From: Shaik Jabida Date: Mon, 3 Jun 2024 16:38:47 +0530 Subject: [PATCH 9/9] dsp: q6voice: Adds checks for an integer overflow there is no check for cvs_voc_pkt[2],when receives 0xffffffff from ADSP which results in an integer overflow Fix is to address this. Signed-off-by: Shaik Jabida (cherry picked from commit 4524418cd14dce47e4ea7234618f919e28dbbe5a) Change-Id: I2edaef7a22bf0e8d517b3269d004992a3ca35d4f --- 4.0/dsp/q6voice.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/4.0/dsp/q6voice.c b/4.0/dsp/q6voice.c index 46b70c626e78..5003b9945b0f 100644 --- a/4.0/dsp/q6voice.c +++ b/4.0/dsp/q6voice.c 
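Review bot: In qdsp_cvs_callback the added `__builtin_add_overflow(cvs_voc_pkt[2], ...)` dereferences `cvs_voc_pkt` before the existing `cvs_voc_pkt != NULL` test in the next statement, so a NULL `v->shmem_info.sh_buf.buf[1].data` now faults here instead of being skipped. Move the overflow check inside the `if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL)` block, directly before the `buf[1].size < tot_buf_sz` comparison. The packet appears to live in memory shared with the DSP, so any later use of the length (outside this hunk) should come from a local copy read once rather than from `cvs_voc_pkt[2]` again, otherwise the value can change after it was validated. The same applies to the identical hunk in 4.0/dsp/q6voice.c (patch 9/9).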
@@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include #include @@ -7905,7 +7906,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) { int ret = 0; u16 cvs_handle; - uint32_t *cvs_voc_pkt; + uint32_t *cvs_voc_pkt, tot_buf_sz; struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd; void *apr_cvs; @@ -7934,9 +7935,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv) VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED; cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data; + + if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) { + pr_err("%s: integer overflow detected\n", __func__); + return -EINVAL; + } + if (cvs_voc_pkt != NULL && common.mvs_info.ul_cb != NULL) { - if (v->shmem_info.sh_buf.buf[1].size < - ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) { + if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) { pr_err("%s: invalid voc pkt size\n", __func__); return -EINVAL; }