[2/2] Fix a stack buffer overflow bug in check_input_term

Message ID	20190830214730.27842-1-benquike@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=nNdU=W2=alsa-project.org=alsa-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6C1A62087F From: Hui Peng <benquike@gmail.com> To: stable@vger.kernel.org Date: Fri, 30 Aug 2019 17:47:29 -0400 Message-Id: <20190830214730.27842-1-benquike@gmail.com> MIME-Version: 1.0 Cc: Mathias Payer <mathias.payer@nebelwelt.net>, alsa-devel@alsa-project.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Wenwen Wang <wang6495@umn.edu>, Takashi Iwai <tiwai@suse.com>, Hui Peng <benquike@gmail.com>, linux-kernel@vger.kernel.org Subject: [alsa-devel] [PATCH 2/2] Fix a stack buffer overflow bug in check_input_term Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>
Series	[1/2] Fix an OOB bug in parse_audio_mixer_unit \| expand [1/2] Fix an OOB bug in parse_audio_mixer_unit [2/2] Fix a stack buffer overflow bug in check_input_term

Message ID

20190830214730.27842-1-benquike@gmail.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6C1A62087F
From: Hui Peng <benquike@gmail.com>
To: stable@vger.kernel.org
Date: Fri, 30 Aug 2019 17:47:29 -0400
Message-Id: <20190830214730.27842-1-benquike@gmail.com>
MIME-Version: 1.0
Cc: Mathias Payer <mathias.payer@nebelwelt.net>, alsa-devel@alsa-project.org,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Wenwen Wang <wang6495@umn.edu>, Takashi Iwai <tiwai@suse.com>,
 Hui Peng <benquike@gmail.com>, linux-kernel@vger.kernel.org
Subject: [alsa-devel] [PATCH 2/2] Fix a stack buffer overflow bug in
	check_input_term
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>

Series

[1/2] Fix an OOB bug in parse_audio_mixer_unit | expand

Commit Message

Hui Peng Aug. 30, 2019, 9:47 p.m. UTC

`check_input_term` recursively calls itself with input from
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
endless recursive call, resulting kernel space stack overflow.

This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has been checked (similar to how parse_audio_unit handles unitid
argument).

CVE: CVE-2018-15118

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
 sound/usb/mixer.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

Comments

Hui Peng Aug. 30, 2019, 9:51 p.m. UTC | #1

This is the backported patch for the following fix to v4.4.x and v4.14.x:
19bce474c45b ("ALSA: usb-audio: Fix a stack buffer overflow bug in
check_input_term")

On Fri, Aug 30, 2019 at 5:47 PM Hui Peng <benquike@gmail.com> wrote:

> `check_input_term` recursively calls itself with input from
> device side (e.g., uac_input_terminal_descriptor.bCSourceID)
> as argument (id). In `check_input_term`, if `check_input_term`
> is called with the same `id` argument as the caller, it triggers
> endless recursive call, resulting kernel space stack overflow.
>
> This patch fixes the bug by adding a bitmap to `struct mixer_build`
> to keep track of the checked ids and stop the execution if some id
> has been checked (similar to how parse_audio_unit handles unitid
> argument).
>
> CVE: CVE-2018-15118
>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> ---
>  sound/usb/mixer.c | 29 ++++++++++++++++++++++++-----
>  1 file changed, 24 insertions(+), 5 deletions(-)
>
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index 10ddec76f906..e24572fd6e30 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -81,6 +81,7 @@ struct mixer_build {
>         unsigned char *buffer;
>         unsigned int buflen;
>         DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
> +       DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
>         struct usb_audio_term oterm;
>         const struct usbmix_name_map *map;
>         const struct usbmix_selector_map *selector_map;
> @@ -709,15 +710,24 @@ static int get_term_name(struct mixer_build *state,
> struct usb_audio_term *iterm
>   * parse the source unit recursively until it reaches to a terminal
>   * or a branched unit.
>   */
> -static int check_input_term(struct mixer_build *state, int id,
> +static int __check_input_term(struct mixer_build *state, int id,
>                             struct usb_audio_term *term)
>  {
>         int err;
>         void *p1;
> +       unsigned char *hdr;
>
>         memset(term, 0, sizeof(*term));
> -       while ((p1 = find_audio_control_unit(state, id)) != NULL) {
> -               unsigned char *hdr = p1;
> +       for (;;) {
> +               /* a loop in the terminal chain? */
> +               if (test_and_set_bit(id, state->termbitmap))
> +                       return -EINVAL;
> +
> +               p1 = find_audio_control_unit(state, id);
> +               if (!p1)
> +                       break;
> +
> +               hdr = p1;
>                 term->id = id;
>                 switch (hdr[2]) {
>                 case UAC_INPUT_TERMINAL:
> @@ -732,7 +742,7 @@ static int check_input_term(struct mixer_build *state,
> int id,
>
>                                 /* call recursively to verify that the
>                                  * referenced clock entity is valid */
> -                               err = check_input_term(state,
> d->bCSourceID, term);
> +                               err = __check_input_term(state,
> d->bCSourceID, term);
>                                 if (err < 0)
>                                         return err;
>
> @@ -764,7 +774,7 @@ static int check_input_term(struct mixer_build *state,
> int id,
>                 case UAC2_CLOCK_SELECTOR: {
>                         struct uac_selector_unit_descriptor *d = p1;
>                         /* call recursively to retrieve the channel info */
> -                       err = check_input_term(state, d->baSourceID[0],
> term);
> +                       err = __check_input_term(state, d->baSourceID[0],
> term);
>                         if (err < 0)
>                                 return err;
>                         term->type = d->bDescriptorSubtype << 16; /*
> virtual type */
> @@ -811,6 +821,15 @@ static int check_input_term(struct mixer_build
> *state, int id,
>         return -ENODEV;
>  }
>
> +
> +static int check_input_term(struct mixer_build *state, int id,
> +                           struct usb_audio_term *term)
> +{
> +       memset(term, 0, sizeof(*term));
> +       memset(state->termbitmap, 0, sizeof(state->termbitmap));
> +       return __check_input_term(state, id, term);
> +}
> +
>  /*
>   * Feature Unit
>   */
> --
> 2.17.1
>
>

Salvatore Bonaccorso Sept. 1, 2019, 1 p.m. UTC | #2

Hi Hui,

On Fri, Aug 30, 2019 at 05:47:29PM -0400, Hui Peng wrote:
> `check_input_term` recursively calls itself with input from
> device side (e.g., uac_input_terminal_descriptor.bCSourceID)
> as argument (id). In `check_input_term`, if `check_input_term`
> is called with the same `id` argument as the caller, it triggers
> endless recursive call, resulting kernel space stack overflow.
> 
> This patch fixes the bug by adding a bitmap to `struct mixer_build`
> to keep track of the checked ids and stop the execution if some id
> has been checked (similar to how parse_audio_unit handles unitid
> argument).
> 
> CVE: CVE-2018-15118

Similar to the previous one, this should be CVE-2019-15118 as far I
can tell.

Regards,
Salvatore

Hui Peng Sept. 1, 2019, 7:47 p.m. UTC | #3

On 9/1/19 9:00 AM, Salvatore Bonaccorso wrote:
> Hi Hui,
>
> On Fri, Aug 30, 2019 at 05:47:29PM -0400, Hui Peng wrote:
>> `check_input_term` recursively calls itself with input from
>> device side (e.g., uac_input_terminal_descriptor.bCSourceID)
>> as argument (id). In `check_input_term`, if `check_input_term`
>> is called with the same `id` argument as the caller, it triggers
>> endless recursive call, resulting kernel space stack overflow.
>>
>> This patch fixes the bug by adding a bitmap to `struct mixer_build`
>> to keep track of the checked ids and stop the execution if some id
>> has been checked (similar to how parse_audio_unit handles unitid
>> argument).
>>
>> CVE: CVE-2018-15118
> Similar to the previous one, this should be CVE-2019-15118 as far I
> can tell.

Same here: CVE id updated.

Can you apply it to  v4.4.190 and v4.14.141?

Thanks.

>
> Regards,
> Salvatore

Greg KH Sept. 2, 2019, 4 p.m. UTC | #4

On Fri, Aug 30, 2019 at 05:51:17PM -0400, Hui Peng wrote:
> This is the backported patch for the following fix to v4.4.x and v4.14.x:
> 19bce474c45b ("ALSA: usb-audio: Fix a stack buffer overflow bug in
> check_input_term")

Now queued up, thanks.

greg k-h

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 10ddec76f906..e24572fd6e30 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -81,6 +81,7 @@  struct mixer_build {
 	unsigned char *buffer;
 	unsigned int buflen;
 	DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
+	DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
 	struct usb_audio_term oterm;
 	const struct usbmix_name_map *map;
 	const struct usbmix_selector_map *selector_map;
@@ -709,15 +710,24 @@  static int get_term_name(struct mixer_build *state, struct usb_audio_term *iterm
  * parse the source unit recursively until it reaches to a terminal
  * or a branched unit.
  */
-static int check_input_term(struct mixer_build *state, int id,
+static int __check_input_term(struct mixer_build *state, int id,
 			    struct usb_audio_term *term)
 {
 	int err;
 	void *p1;
+	unsigned char *hdr;
 
 	memset(term, 0, sizeof(*term));
-	while ((p1 = find_audio_control_unit(state, id)) != NULL) {
-		unsigned char *hdr = p1;
+	for (;;) {
+		/* a loop in the terminal chain? */
+		if (test_and_set_bit(id, state->termbitmap))
+			return -EINVAL;
+
+		p1 = find_audio_control_unit(state, id);
+		if (!p1)
+			break;
+
+		hdr = p1;
 		term->id = id;
 		switch (hdr[2]) {
 		case UAC_INPUT_TERMINAL:
@@ -732,7 +742,7 @@  static int check_input_term(struct mixer_build *state, int id,
 
 				/* call recursively to verify that the
 				 * referenced clock entity is valid */
-				err = check_input_term(state, d->bCSourceID, term);
+				err = __check_input_term(state, d->bCSourceID, term);
 				if (err < 0)
 					return err;
 
@@ -764,7 +774,7 @@  static int check_input_term(struct mixer_build *state, int id,
 		case UAC2_CLOCK_SELECTOR: {
 			struct uac_selector_unit_descriptor *d = p1;
 			/* call recursively to retrieve the channel info */
-			err = check_input_term(state, d->baSourceID[0], term);
+			err = __check_input_term(state, d->baSourceID[0], term);
 			if (err < 0)
 				return err;
 			term->type = d->bDescriptorSubtype << 16; /* virtual type */
@@ -811,6 +821,15 @@  static int check_input_term(struct mixer_build *state, int id,
 	return -ENODEV;
 }
 
+
+static int check_input_term(struct mixer_build *state, int id,
+			    struct usb_audio_term *term)
+{
+	memset(term, 0, sizeof(*term));
+	memset(state->termbitmap, 0, sizeof(state->termbitmap));
+	return __check_input_term(state, id, term);
+}
+
 /*
  * Feature Unit
  */

[2/2] Fix a stack buffer overflow bug in check_input_term

Commit Message

Comments

Patch