From patchwork Sat Aug 17 04:32:07 2019
X-Patchwork-Submitter: Hui Peng
X-Patchwork-Id: 11098549
From: Hui Peng
To: security@kernel.org
Cc: Mathias Payer, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, Wenwen Wang, YueHaibing, Takashi Iwai, Thomas Gleixner, Hui Peng
Date: Sat, 17 Aug 2019 00:32:07 -0400
Message-Id: <20190817043208.12433-1-benquike@gmail.com>
Subject: [alsa-devel] [PATCH] Fix an OOB bug in uac_mixer_unit_bmControls

`uac_mixer_unit_get_channels` calls `uac_mixer_unit_bmControls`
to get pointer to bmControls field. The current implementation of
`uac_mixer_unit_get_channels` does properly check the size of
uac_mixer_unit_descriptor descriptor and may allow OOB access
in `uac_mixer_unit_bmControls`.

Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng --- sound/usb/mixer.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index b5927c3d5bc0..00e6274a63c3 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -738,28 +738,39 @@ static int get_cluster_channels_v3(struct mixer_build *state, unsigned int clust static int uac_mixer_unit_get_channels(struct mixer_build *state, struct uac_mixer_unit_descriptor *desc) { - int mu_channels; + int mu_channels = 0; void *c; - if (desc->bLength < sizeof(*desc)) - return -EINVAL; if (!desc->bNrInPins) return -EINVAL; - if (desc->bLength < sizeof(*desc) + desc->bNrInPins) - return -EINVAL; switch (state->mixer->protocol) { case UAC_VERSION_1: + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 4) + return 0; + + mu_channels = uac_mixer_unit_bNrChannels(desc); + break; + case UAC_VERSION_2: - default: - if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 1) + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 6) return 0; /* no bmControls -> skip */ + mu_channels = uac_mixer_unit_bNrChannels(desc); break; case UAC_VERSION_3: + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 2) + return 0; /* no bmControls -> skip */ + mu_channels = get_cluster_channels_v3(state, uac3_mixer_unit_wClusterDescrID(desc)); break; + + default: + break; } if (!mu_channels)
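
Review bot: In uac_mixer_unit_get_channels(), removing the up-front `if (desc->bLength < sizeof(*desc)) return -EINVAL;` means `desc->bNrInPins` is now read before anything has compared bLength against the fixed part of the descriptor; the per-protocol length checks only run after that read. Unless the caller already guarantees the minimum size, I would keep that first check ahead of the `!desc->bNrInPins` test and add the stricter per-protocol bounds on top of it. Two behaviour changes in the same hunk deserve a line in the commit message: a descriptor too short to hold its bNrInPins entries used to return -EINVAL and now returns 0 in all three protocol cases, so a malformed descriptor is treated the same as "no bmControls -> skip", and the new `default:` leaves mu_channels at 0 where an unknown protocol previously took the UAC_VERSION_2 path. The constants 4, 6 and 2 would be easier to audit with a comment naming the trailing fields they count (or as named offsets), the UAC_VERSION_1 `return 0;` is missing the skip comment the other two cases carry, and the `//` comments should be `/* */` to match the existing comment in this function.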