Merge tag 'LA.UM.9.1.r1-16300-SMxxx0.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel

"LA.UM.9.1.r1-16300-SMxxx0.QSSI14.0" * tag 'LA.UM.9.1.r1-16300-SMxxx0.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel: dsp: q6voice: Adds checks for an integer overflow dsp: q6voice: Adds checks for an integer overflow dsp: q6lsm: Check size of payload before access dsp: q6lsm: Check size of payload before access Fix for OOB access issue Fix for OOB access issue ASoC: msm-audio-effects-q6-v2: Add BPF order check audio-kernel: Add changes in multiple files to unblock CR's dsp: q6voice: Add buf size check for cvs cal data Change-Id: I5a461411130da487544d758966e75808d1eb2936 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
2025-02-20 11:45:48 +08:00 · 2024-07-23 18:00:56 -03:00 · 2024-07-23 18:00:56 -03:00 · d1df81d98d
commit d1df81d98d
parent 1b2f5d541c 315167b3e7
11 changed files with 113 additions and 41 deletions
--- a/techpack/audio/4.0/asoc/msm-audio-effects-q6-v2.c
+++ b/techpack/audio/4.0/asoc/msm-audio-effects-q6-v2.c
@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */

 #include <linux/slab.h>
@ -953,6 +954,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
 				goto invalid_config;
 			}

+			if ((pbe->config.bandpass_filter_order > 3) ||
+				(pbe->config.bandpass_filter_order < 1)) {
+				pr_err("%s: Invalid BPF order\n",
+					__func__);
+				rc = -EINVAL;
+				goto invalid_config;
+			}
+
 			pbe->config.real_bass_mix =
 				GET_NEXT(values, param_max_offset, rc);
 			pbe->config.bass_color_control =
@ -1002,6 +1011,15 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac,
 			pbe->config.reserved =
 				GET_NEXT(values, param_max_offset, rc);

+			if ((pbe->config.bandpass_filter_order > 3) ||
+				(pbe->config.bandpass_filter_order < 1)) {
+				pr_err("%s: Invalid BPF order\n",
+					__func__);
+				rc = -EINVAL;
+				goto invalid_config;
+			}
+
+
 			p_coeffs = &pbe->config.p1LowPassCoeffs[0];
 			lpf_len = (pbe->config.xover_filter_order == 3) ? 10 : 5;
 			hpf_len = (pbe->config.xover_filter_order == 3) ? 10 : 5;
--- a/techpack/audio/4.0/asoc/msm-pcm-host-voice-v2.c
+++ b/techpack/audio/4.0/asoc/msm-pcm-host-voice-v2.c
@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */

 #include <linux/init.h>
@ -625,6 +625,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd,
 		}
 	}

+	if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) {
+		pr_err("%s:: Invalid hpcm start request\n", __func__);
+		memset(&prtd->start_cmd, 0, sizeof(struct start_cmd));
+		return -EINVAL;
+	}
+
 	if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) &&
 	    *no_of_tp == no_of_tp_req) {
 		voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name),
--- a/techpack/audio/4.0/dsp/q6adm.c
+++ b/techpack/audio/4.0/dsp/q6adm.c
@ -1565,16 +1565,11 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 		if (data->opcode == APR_BASIC_RSP_RESULT) {
 			pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n",
 				__func__, payload[0]);
-
-			if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) &&
-			     ((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) ||
-			      (payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) {
-				if (data->payload_size <
-						(2 * sizeof(uint32_t))) {
-					pr_err("%s: Invalid payload size %d\n",
-						__func__, data->payload_size);
-					return 0;
-				}
+			if (data->payload_size <
+					(2 * sizeof(uint32_t))) {
+				pr_err("%s: Invalid payload size %d\n",
+					__func__, data->payload_size);
+				return 0;
 			}

 			if (payload[1] != 0) {
--- a/techpack/audio/4.0/dsp/q6afe.c
+++ b/techpack/audio/4.0/dsp/q6afe.c
@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/slab.h>
 #include <linux/debugfs.h>
@ -7014,6 +7015,14 @@ static int afe_sidetone_iir(u16 tx_port_id)
 		pr_debug("%s: adding 2 to size:%d\n", __func__, size);
 		size = size + 2;
 	}
+
+	if (size > MAX_SIDETONE_IIR_DATA_SIZE) {
+		pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size);
+		mutex_unlock(&this_afe.cal_data[cal_index]->lock);
+		ret = -EINVAL;
+		goto done;
+	}
+
 	memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size);
 	mutex_unlock(&this_afe.cal_data[cal_index]->lock);

@ -8322,6 +8331,7 @@ int afe_spk_prot_get_calib_data(struct afe_spkr_prot_get_vi_calib *calib_resp)
 	struct param_hdr_v3 param_hdr;
 	int port = SLIMBUS_4_TX;
 	int ret = -EINVAL;
+	uint32_t th_vi_ca_state;

 	if (!calib_resp) {
 		pr_err("%s: Invalid params\n", __func__);
@ -8343,6 +8353,12 @@ int afe_spk_prot_get_calib_data(struct afe_spkr_prot_get_vi_calib *calib_resp)
 		       __func__, port, param_hdr.param_id, ret);
 		goto get_params_fail;
 	}
+	th_vi_ca_state = this_afe.calib_data.res_cfg.th_vi_ca_state;
+	if (th_vi_ca_state < FBSP_INCORRECT_OP_MODE ||
+		th_vi_ca_state > MAX_FBSP_STATE) {
+		pr_err("%s: invalid fbsp state %d\n", __func__, th_vi_ca_state);
+		goto get_params_fail;
+	}
 	memcpy(&calib_resp->res_cfg, &this_afe.calib_data.res_cfg,
 		sizeof(this_afe.calib_data.res_cfg));
 	pr_info("%s: state %s resistance %d %d\n", __func__,
--- a/techpack/audio/4.0/dsp/q6asm.c
+++ b/techpack/audio/4.0/dsp/q6asm.c
@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
 * Author: Brian Swetland <swetland@google.com>
 *
 * This software is licensed under the terms of the GNU General Public
@ -2288,6 +2289,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)

 		config_debug_fs_read_cb();

+		if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) {
+			pr_err("%s:  payload size of %d is less than expected %d.\n",
+					__func__, data->payload_size,
+					((READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)));
+			spin_unlock_irqrestore(
+				&(session[session_id].session_lock),
+				flags);
+			return -EINVAL;
+		}
+
 		dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n",
 				__func__, payload[READDONE_IDX_STATUS],
 				payload[READDONE_IDX_BUFADD_LSW],
@ -2394,7 +2405,16 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv)
 				__func__, data->payload_size);
 		break;
 	case ASM_SESSION_CMDRSP_GET_MTMX_STRTR_PARAMS_V2:
-		q6asm_process_mtmx_get_param_rsp(ac, (void *) payload);
+		payload_size = sizeof(struct asm_mtmx_strtr_get_params_cmdrsp);
+		if (data->payload_size < payload_size) {
+			pr_err("%s: insufficient payload size = %d\n",
+				__func__, data->payload_size);
+			spin_unlock_irqrestore(
+				&(session[session_id].session_lock), flags);
+			return -EINVAL;
+		}
+		q6asm_process_mtmx_get_param_rsp(ac,
+			(struct asm_mtmx_strtr_get_params_cmdrsp *) payload);
 		break;
 	case ASM_STREAM_PP_EVENT:
 	case ASM_STREAM_CMD_ENCDEC_EVENTS:
--- a/techpack/audio/4.0/dsp/q6core.c
+++ b/techpack/audio/4.0/dsp/q6core.c
@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */

 #include <linux/kernel.h>
@ -197,7 +198,7 @@ EXPORT_SYMBOL(q6core_send_uevent);
 static int parse_fwk_version_info(uint32_t *payload, uint16_t payload_size)
 {
 	size_t ver_size;
-	int num_services;
+	uint16_t num_services;

 	pr_debug("%s: Payload info num services %d\n",
 		 __func__, payload[4]);
--- a/techpack/audio/4.0/dsp/q6lsm.c
+++ b/techpack/audio/4.0/dsp/q6lsm.c
@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2013-2019, Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/fs.h>
 #include <linux/mutex.h>
@ -1901,6 +1901,12 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 		return 0;
 	}

+	if (data->payload_size < (2 * sizeof(uint32_t))) {
+		pr_err("%s: payload has invalid size[%d]\n", __func__,
+			data->payload_size);
+		return -EINVAL;
+	}
+
 	command = payload[0];
 	retcode = payload[1];
 	sid = (data->token >> 8) & 0x0F;
--- a/techpack/audio/4.0/dsp/q6voice.c
+++ b/techpack/audio/4.0/dsp/q6voice.c
@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/slab.h>
 #include <linux/kthread.h>
@ -2757,6 +2758,13 @@ static int voice_send_cvs_register_cal_cmd(struct voice_data *v)
 		goto unlock;
 	}

+	if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) {
+		pr_err("%s: Invalid cal data size %d!\n",
+			__func__, col_data->cal_data.size);
+		ret = -EINVAL;
+		goto unlock;
+	}
+
 	memcpy(&cvs_reg_cal_cmd.cvs_cal_data.column_info[0],
 	       (void *) &((struct audio_cal_info_voc_col *)
 	       col_data->cal_info)->data,
@ -7898,7 +7906,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 			 VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) {
 		int ret = 0;
 		u16 cvs_handle;
-		uint32_t *cvs_voc_pkt;
+		uint32_t *cvs_voc_pkt, tot_buf_sz;
 		struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd;
 		void *apr_cvs;

@ -7927,9 +7935,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 			VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED;

 		cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
+		
+		if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) {
+			pr_err("%s: integer overflow detected\n", __func__);
+			return -EINVAL;
+		}
+
 		if (cvs_voc_pkt != NULL &&  common.mvs_info.ul_cb != NULL) {
-			if (v->shmem_info.sh_buf.buf[1].size <
-			    ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+			if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) {
 				pr_err("%s: invalid voc pkt size\n", __func__);
 				return -EINVAL;
 			}
--- a/techpack/audio/dsp/q6adm.c
+++ b/techpack/audio/dsp/q6adm.c
@ -1604,16 +1604,11 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 		if (data->opcode == APR_BASIC_RSP_RESULT) {
 			pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n",
 				__func__, payload[0]);
-
-			if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) &&
-			     ((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) ||
-			      (payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) {
-				if (data->payload_size <
-						(2 * sizeof(uint32_t))) {
-					pr_err("%s: Invalid payload size %d\n",
-						__func__, data->payload_size);
-					return 0;
-				}
+			if (data->payload_size <
+					(2 * sizeof(uint32_t))) {
+				pr_err("%s: Invalid payload size %d\n",
+					__func__, data->payload_size);
+				return 0;
 			}

 			if (payload[1] != 0) {
--- a/techpack/audio/dsp/q6lsm.c
+++ b/techpack/audio/dsp/q6lsm.c
@ -1,15 +1,6 @@
 /*
 * Copyright (c) 2013-2019, Linux Foundation. All rights reserved.
- *
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
- * only version 2 as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ * Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/fs.h>
 #include <linux/mutex.h>
@ -1823,6 +1814,12 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 		return 0;
 	}

+	if (data->payload_size < (2 * sizeof(uint32_t))) {
+		pr_err("%s: payload has invalid size[%d]\n", __func__,
+			data->payload_size);
+		return -EINVAL;
+	}
+
 	command = payload[0];
 	retcode = payload[1];
 	sid = (data->token >> 8) & 0x0F;
--- a/techpack/audio/dsp/q6voice.c
+++ b/techpack/audio/dsp/q6voice.c
@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/slab.h>
 #include <linux/kthread.h>
@ -7777,7 +7777,7 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 			 VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_READY) {
 		int ret = 0;
 		u16 cvs_handle;
-		uint32_t *cvs_voc_pkt;
+		uint32_t *cvs_voc_pkt, tot_buf_sz;
 		struct cvs_enc_buffer_consumed_cmd send_enc_buf_consumed_cmd;
 		void *apr_cvs;

@ -7806,9 +7806,14 @@ static int32_t qdsp_cvs_callback(struct apr_client_data *data, void *priv)
 			VSS_ISTREAM_EVT_OOB_NOTIFY_ENC_BUFFER_CONSUMED;

 		cvs_voc_pkt = v->shmem_info.sh_buf.buf[1].data;
+
+		if (__builtin_add_overflow(cvs_voc_pkt[2], 3 * sizeof(uint32_t), &tot_buf_sz)) {
+			 pr_err("%s: integer overflow detected\n", __func__);
+			 return -EINVAL;
+		}
+
 		if (cvs_voc_pkt != NULL &&  common.mvs_info.ul_cb != NULL) {
-			if (v->shmem_info.sh_buf.buf[1].size <
-			    ((3 * sizeof(uint32_t)) + cvs_voc_pkt[2])) {
+			if (v->shmem_info.sh_buf.buf[1].size < tot_buf_sz) {
 				pr_err("%s: invalid voc pkt size\n", __func__);
 				return -EINVAL;
 			}