From: Johan Hovold <johan@kernel.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
Johan Hovold <johan@kernel.org>, stable <stable@vger.kernel.org>
Subject: Re: [alsa-devel] [PATCH] ALSA: usb-audio: fix set_format altsetting sanity check
Date: Fri, 20 Dec 2019 11:23:15 +0100
Message-ID: <20191220102315.GU22665@localhost>
In-Reply-To: <s5hbls35nxx.wl-tiwai@suse.de>
On Fri, Dec 20, 2019 at 10:46:50AM +0100, Takashi Iwai wrote:
> On Fri, 20 Dec 2019 10:31:34 +0100,
> Johan Hovold wrote:
> >
> > Make sure to check the return value of usb_altnum_to_altsetting() to
> > avoid dereferencing a NULL pointer when the requested alternate setting
> > is missing.
> >
> > The format altsetting number may come from a quirk table and there does
> > not seem to be any other validation of it (the corresponding index is
> > checked however).
> >
> > Fixes: b099b9693d23 ("ALSA: usb-audio: Avoid superfluous usb_set_interface() calls")
> > Cc: stable <stable@vger.kernel.org> # 4.18
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> > sound/usb/pcm.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
> > index 9c8930bb00c8..73dd9d21bb42 100644
> > --- a/sound/usb/pcm.c
> > +++ b/sound/usb/pcm.c
> > @@ -506,9 +506,9 @@ static int set_format(struct snd_usb_substream *subs, struct audioformat *fmt)
> > if (WARN_ON(!iface))
> > return -EINVAL;
> > alts = usb_altnum_to_altsetting(iface, fmt->altsetting);
> > - altsd = get_iface_desc(alts);
> > - if (WARN_ON(altsd->bAlternateSetting != fmt->altsetting))
> > + if (WARN_ON(!alts))
> > return -EINVAL;
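Review bot: after the new WARN_ON(!alts) check, nothing in the quoted lines assigns altsd any more, which the removed "altsd = get_iface_desc(alts);" used to do. The diffstat counts 2 insertions and only one is visible before the quote ends at "return -EINVAL;", so confirm that the assignment is re-added below the NULL check and before any later use of altsd in set_format(). Dropping the old bAlternateSetting != fmt->altsetting comparison loses nothing, since usb_altnum_to_altsetting() already looks the setting up by that number.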
>
> Do we need WARN_ON() here? If this may hit on syzbot, it'll stop at
> this point because of panic_on_warn.

Yeah, I considered that too and decided to leave it in. Just like for
the WARN_ON(iface), those numbers should be verified at probe.

I tried tracking where fmt->altsetting comes from, and it seems like
a sanity check needs to be added at least to create_fixed_stream_quirk()
where, for example, fmt->iface, fmt->altset_idx and the number of
endpoints are verified.

If there are other paths that can end up setting these fields to invalid
values, we want that WARN_ON() in there so we can fix those.

Johan
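
The index-versus-number gap discussed in this message, as an added userspace example (not code from the patch or from the kernel tree): a format entry whose altset_idx is in range can still carry an altsetting number that no descriptor has, so a lookup by number returns NULL. All *_model types, validate_fmt() and the sample data are hypothetical stand-ins constructed for illustration, and the probe-time rule shown is one possible check, not the one the driver uses.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified userspace stand-ins (hypothetical) for the USB core structures. */
struct alt_model { unsigned char bAlternateSetting; };
struct iface_model { const struct alt_model *altsetting; unsigned int num_altsetting; };
struct fmt_model { unsigned int altset_idx; unsigned char altsetting; };

/* Lookup by altsetting *number*, as usb_altnum_to_altsetting() does: NULL if absent. */
static const struct alt_model *altnum_to_alt(const struct iface_model *iface,
					     unsigned int altnum)
{
	for (unsigned int i = 0; i < iface->num_altsetting; i++)
		if (iface->altsetting[i].bAlternateSetting == altnum)
			return &iface->altsetting[i];
	return NULL;
}

/* Probe-time check (assumed rule): index in range AND number resolves to that entry. */
static int validate_fmt(const struct iface_model *iface, const struct fmt_model *fmt)
{
	if (fmt->altset_idx >= iface->num_altsetting)
		return -EINVAL;
	if (altnum_to_alt(iface, fmt->altsetting) != &iface->altsetting[fmt->altset_idx])
		return -EINVAL;
	return 0;
}

/* Use-time path: the NULL check from the patch, modelled without WARN_ON(). */
static int set_format_model(const struct iface_model *iface, const struct fmt_model *fmt)
{
	const struct alt_model *alts = altnum_to_alt(iface, fmt->altsetting);

	return alts ? alts->bAlternateSetting : -EINVAL;
}

/* Constructed descriptors: the interface has altsetting numbers 0 and 1. */
static const struct alt_model sample_alts[] = { { 0 }, { 1 } };
static const struct iface_model sample_iface = { sample_alts, 2 };
/* Constructed quirk entries: one consistent, one with a valid index but missing number. */
static const struct fmt_model good_fmt = { 1, 1 };
static const struct fmt_model bad_fmt = { 1, 3 };

int main(void)
{
	/* bad_fmt passes an index-only check; the number lookup is what rejects it. */
	return (validate_fmt(&sample_iface, &good_fmt) == 0 &&
		validate_fmt(&sample_iface, &bad_fmt) == -EINVAL) ? 0 : 1;
}
```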