[thirdparty/kernel/stable-queue.git] / releases / 3.10.16 / asoc-ab8500-codec-info-leak-in-anc_status_control_put.patch

From d63733aed90b432e5cc489ddfa28e342f91b4652 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 13 Sep 2013 10:53:36 +0300
Subject: ASoC: ab8500-codec: info leak in anc_status_control_put()

From: Dan Carpenter <dan.carpenter@oracle.com>

commit d63733aed90b432e5cc489ddfa28e342f91b4652 upstream.

If the user passes an invalid value it leads to an info leak when we
print the error message or it could oops.  This is called with user
supplied data from snd_ctl_elem_write().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/ab8500-codec.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -1225,13 +1225,18 @@ static int anc_status_control_put(struct
 	struct ab8500_codec_drvdata *drvdata = dev_get_drvdata(codec->dev);
 	struct device *dev = codec->dev;
 	bool apply_fir, apply_iir;
-	int req, status;
+	unsigned int req;
+	int status;
 
 	dev_dbg(dev, "%s: Enter.\n", __func__);
 
 	mutex_lock(&drvdata->anc_lock);
 
 	req = ucontrol->value.integer.value[0];
+	if (req >= ARRAY_SIZE(enum_anc_state)) {
+		status = -EINVAL;
+		goto cleanup;
+	}
 	if (req != ANC_APPLY_FIR_IIR && req != ANC_APPLY_FIR &&
 		req != ANC_APPLY_IIR) {
 		dev_err(dev, "%s: ERROR: Unsupported status to set '%s'!\n",
Commit	Line	Data
c430f7d2 GKH	1	From d63733aed90b432e5cc489ddfa28e342f91b4652 Mon Sep 17 00:00:00 2001
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Fri, 13 Sep 2013 10:53:36 +0300
	4	Subject: ASoC: ab8500-codec: info leak in anc_status_control_put()
	5
	6	From: Dan Carpenter <dan.carpenter@oracle.com>
	7
	8	commit d63733aed90b432e5cc489ddfa28e342f91b4652 upstream.
	9
	10	If the user passes an invalid value it leads to an info leak when we
	11	print the error message or it could oops. This is called with user
	12	supplied data from snd_ctl_elem_write().
	13
	14	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	15	Signed-off-by: Mark Brown <broonie@linaro.org>
	16	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	17
	18	---
	19	sound/soc/codecs/ab8500-codec.c \| 7 ++++++-
	20	1 file changed, 6 insertions(+), 1 deletion(-)
	21
	22	--- a/sound/soc/codecs/ab8500-codec.c
	23	+++ b/sound/soc/codecs/ab8500-codec.c
	24	@@ -1225,13 +1225,18 @@ static int anc_status_control_put(struct
	25	struct ab8500_codec_drvdata *drvdata = dev_get_drvdata(codec->dev);
	26	struct device *dev = codec->dev;
	27	bool apply_fir, apply_iir;
	28	- int req, status;
	29	+ unsigned int req;
	30	+ int status;
	31
	32	dev_dbg(dev, "%s: Enter.\n", __func__);
	33
	34	mutex_lock(&drvdata->anc_lock);
	35
	36	req = ucontrol->value.integer.value[0];
	37	+ if (req >= ARRAY_SIZE(enum_anc_state)) {
	38	+ status = -EINVAL;
	39	+ goto cleanup;
	40	+ }
	41	if (req != ANC_APPLY_FIR_IIR && req != ANC_APPLY_FIR &&
	42	req != ANC_APPLY_IIR) {
	43	dev_err(dev, "%s: ERROR: Unsupported status to set '%s'!\n",