From 5fe501ba844ec59801b0043b16339f99db4fd7be Mon Sep 17 00:00:00 2001
From: Viraj Karandikar
Date: Wed, 1 Feb 2017 16:21:19 +0530
Subject: [PATCH] tegra-alt: adsp: add parameter size checks
Fix possible buffer overflow in case of invalid user parameter by adding size checks
Bug 1869543
Change-Id: I82ac00e24a3ca40915eb6c556454c9649cb644bd
Signed-off-by: Viraj Karandikar
Reviewed-on: http://git-master/r/1297227
Reviewed-by: svccoveritychecker
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dipesh Gandhi
Reviewed-by: Ravindra Lokhande
---
 sound/soc/tegra-alt/tegra210_adsp_alt.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/sound/soc/tegra-alt/tegra210_adsp_alt.c b/sound/soc/tegra-alt/tegra210_adsp_alt.c
index aa63f6d7..5928bb81 100644
--- a/sound/soc/tegra-alt/tegra210_adsp_alt.c
+++ b/sound/soc/tegra-alt/tegra210_adsp_alt.c
@@ -3312,6 +3312,14 @@ static int tegra210_adsp_set_param(struct snd_kcontrol *kcontrol,
 dev_warn(adsp->dev, "No params to pass to the plugin\n");
 return 0;
 }
+
+ if (num_params + 2 >
+ sizeof(apm_msg.msg.fx_set_param_params.params)/
+ sizeof(apm_msg.msg.fx_set_param_params.params[0])) {
+ dev_err(adsp->dev, "parameter too large\n");
+ return -EINVAL;
+ }
+
 apm_msg.msg.fx_set_param_params.params[0] = (sizeof(nvfx_call_params_t) + num_params * sizeof(int32_t));
@@ -3332,6 +3340,12 @@ static int tegra210_adsp_set_param(struct snd_kcontrol *kcontrol,
 nvfx_call_params_t *call_params = (nvfx_call_params_t *)ucontrol->value.bytes.data;
+ if (call_params->size >
+ sizeof(apm_msg.msg.fx_set_param_params.params)) {
+ dev_err(adsp->dev, "parameter too large\n");
+ return -EINVAL;
+ }
+
 /* copy parameters */
 memcpy(&apm_msg.msg.fx_set_param_params.params, call_params, call_params->size);
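Review bot: The bound added in the first hunk does its arithmetic on the untrusted side, `num_params + 2 > sizeof(...)/sizeof(...[0])`. The declaration of num_params is outside the hunk; if it is a 32-bit value derived from the control data, a value at the top of its range wraps in the addition, and a negative signed value becomes small, so either can slip under the limit. Moving the constant to the trusted side closes both cases, and the kernel's ARRAY_SIZE() reads better than the open-coded division: `if (num_params > ARRAY_SIZE(apm_msg.msg.fx_set_param_params.params) - 2) {`. A one-line comment above the check saying which two slots of params[] are reserved would explain the `2`. The body of tegra210_adsp_set_param starts and ends outside this hunk.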
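Review bot: The check added in the second hunk bounds `call_params->size` by the memcpy destination only. The source is `ucontrol->value.bytes.data`, so if params[] is larger than that buffer (their relative sizes are not visible here) the copy can still read past the end of the control value. There is also no lower bound, so a size smaller than the header copies a partial `nvfx_call_params_t`. Consider `if (call_params->size < sizeof(*call_params) || call_params->size > sizeof(ucontrol->value.bytes.data) ||` followed by the existing `call_params->size > sizeof(apm_msg.msg.fx_set_param_params.params)) {`. The enclosing branch continues outside the hunk.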