From: Hui Peng <benquike@gmail.com>
To: security@kernel.org
Cc: Hui Peng <benquike@gmail.com>,
Mathias Payer <mathias.payer@nebelwelt.net>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Fix an OOB bug in uac_mixer_unit_bmControls
Date: Mon, 19 Aug 2019 18:00:04 -0400
Message-ID: <20190819220005.10178-1-benquike@gmail.com>
`uac_mixer_unit_get_channels` calls `uac_mixer_unit_bmControls`
to get a pointer to the bmControls field. The current implementation of
`uac_mixer_unit_get_channels` does properly check the size of
the uac_mixer_unit_descriptor descriptor and may allow OOB access
in `uac_mixer_unit_bmControls`.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index b5927c3d5bc0..00e6274a63c3 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -738,28 +738,39 @@ static int get_cluster_channels_v3(struct mixer_build *state, unsigned int clust
static int uac_mixer_unit_get_channels(struct mixer_build *state,
struct uac_mixer_unit_descriptor *desc)
{
- int mu_channels;
+ int mu_channels = 0;
void *c;
- if (desc->bLength < sizeof(*desc))
- return -EINVAL;
if (!desc->bNrInPins)
return -EINVAL;
- if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
- return -EINVAL;
switch (state->mixer->protocol) {
case UAC_VERSION_1:
+ // limit derived from uac_mixer_unit_bmControls
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 4)
+ return 0;
+
+ mu_channels = uac_mixer_unit_bNrChannels(desc);
+ break;
+
case UAC_VERSION_2:
- default:
- if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 1)
+ // limit derived from uac_mixer_unit_bmControls
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 6)
return 0; /* no bmControls -> skip */
+
mu_channels = uac_mixer_unit_bNrChannels(desc);
break;
case UAC_VERSION_3:
+ // limit derived from uac_mixer_unit_bmControls
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 2)
+ return 0; /* no bmControls -> skip */
+
mu_channels = get_cluster_channels_v3(state,
uac3_mixer_unit_wClusterDescrID(desc));
break;
+
+ default:
+ break;
}
if (!mu_channels)
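Review bot: With the `if (desc->bLength < sizeof(*desc))` check removed from the top of the function, `desc->bNrInPins` is now read before anything in this function has confirmed that the descriptor is long enough to contain that field. Keep that first check (returning -EINVAL) ahead of the `!desc->bNrInPins` test and let the new per-protocol limits replace only the second removed check. The per-version constants 4, 6 and 2 are also opaque: "limit derived from uac_mixer_unit_bmControls" does not say which trailing fields each one counts, and in the UAC_VERSION_3 case the field actually read is the one behind `uac3_mixer_unit_wClusterDescrID(desc)`, so the comment there is misleading. Name the fields being covered in each comment, or use named constants. Two behaviour changes deserve a line in the commit message: a descriptor shorter than `sizeof(*desc) + desc->bNrInPins` now returns 0 (skip) where it used to return -EINVAL, and an unknown protocol no longer falls through to the UAC_VERSION_2 path but leaves `mu_channels` at 0. On style, the new `//` comments differ from the `/* ... */` form used on the neighbouring lines, and the `return 0;` in the UAC_VERSION_1 branch lacks the "no bmControls -> skip" remark the other two branches carry.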
--
2.22.1