From: "Benoît Sevens" <bsevens@google.com>
To: Takashi Iwai <tiwai@suse.com>
Cc: linux-sound@vger.kernel.org, "Benoît Sevens" <bsevens@google.com>,
stable@kernel.org
Subject: [PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
Date: Thu, 21 Nov 2024 14:06:13 +0000
Message-ID: <20241121140613.3651-1-bsevens@google.com>

A bogus device can provide a clock selector descriptor that contains a
bNrInPins that is larger than the actual size of baCSourceID. This can
lead to out-of-bound reads in __uac_clock_find_source. These out-of-bound
values can be leaked back to the device via the uac_clock_selector_get_val
calls.

Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
CC: stable@kernel.org
Signed-off-by: Benoît Sevens <bsevens@google.com>
---
sound/usb/clock.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 8f85200292f3..94fb628f116e 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -270,7 +270,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
union uac23_clock_source_desc *source;
union uac23_clock_selector_desc *selector;
union uac23_clock_multiplier_desc *multiplier;
- int ret, i, cur, err, pins, clock_id;
+ int ret, i, cur, err, length, pins, clock_id;
const u8 *sources;
int proto = fmt->protocol;
bool readable, writeable;
@@ -301,11 +301,19 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
selector = snd_usb_find_clock_selector(chip, entity_id, fmt);
if (selector) {
+ length = GET_VAL(selector, proto, bLength);
pins = GET_VAL(selector, proto, bNrInPins);
clock_id = GET_VAL(selector, proto, bClockID);
sources = GET_VAL(selector, proto, baCSourceID);
cur = 0;
+ if (length < sizeof(selector) + pins) {
+ usb_audio_err(chip,
+ "%s(): invalid number of input pins for descriptor size, id %d\n",
+ __func__, clock_id);
+ return -EINVAL;
+ }
+
if (proto == UAC_VERSION_3)
bmControls = le32_to_cpu(*(__le32 *)(&selector->v3.baCSourceID[0] + pins));
else
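Review bot: sizeof(selector) in the new "if (length < sizeof(selector) + pins)" check is the size of a pointer, because selector is declared as "union uac23_clock_selector_desc *selector;" at the top of the function, so the bound depends on the machine's pointer width rather than on the descriptor's fixed header. Compare bLength against the size of the fixed part of the v2 or v3 descriptor for the current proto instead. The check should also cover what is read after the array: the UAC_VERSION_3 branch directly below loads a 32-bit bmControls from &selector->v3.baCSourceID[0] + pins, and a bLength that only accounts for pins source IDs does not guarantee those bytes are inside the descriptor.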
--
2.47.0.338.g60cca15819-goog
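
The length check the commit message calls for, as an added example that is not part of the original patch or the kernel's code: a user-space validator for a clock selector descriptor. The helper name clock_selector_ok, the 5-byte fixed header and the trailing field sizes are assumptions taken from the UAC2/UAC3 descriptor layout, and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (UAC2/UAC3 clock selector): a 5-byte fixed header of
 * bLength, bDescriptorType, bDescriptorSubtype, bClockID, bNrInPins,
 * followed by baCSourceID[bNrInPins] and then the trailing fields.
 * The tail sizes below are assumptions, not values from the patch. */
#define CSEL_HDR_LEN 5u
#define CSEL_TAIL_V2 2u /* bmControls (1) + iClockSelector (1) */
#define CSEL_TAIL_V3 6u /* bmControls (4) + wCSelectorDescrStr (2) */

/* Hypothetical helper: returns 1 if the selector at buf is self-consistent
 * and lies inside the avail bytes received from the device, else 0. */
int clock_selector_ok(const uint8_t *buf, size_t avail, int proto_v3)
{
	size_t tail = proto_v3 ? CSEL_TAIL_V3 : CSEL_TAIL_V2;
	size_t need;

	if (avail < CSEL_HDR_LEN)
		return 0; /* too short to read bNrInPins at all */
	if (buf[0] > avail)
		return 0; /* bLength claims more than was received */
	need = CSEL_HDR_LEN + (size_t)buf[4] + tail;
	return buf[0] >= need; /* source IDs and trailer fit in bLength */
}

/* Constructed sample descriptors (not captured from a device). */
static const uint8_t good_v2[] = { 9, 0x24, 0x0b, 0x10, 2, 0x11, 0x12, 0x03, 0 };
/* Claims 200 input pins inside a 9-byte descriptor. */
static const uint8_t bogus_v2[] = { 9, 0x24, 0x0b, 0x10, 200, 0x11, 0x12, 0x03, 0 };
/* Two pins fit, but the longer v3 trailer does not. */
static const uint8_t short_v3[] = { 9, 0x24, 0x0b, 0x10, 2, 0x11, 0x12, 0x03, 0 };

int main(void)
{
	printf("good_v2:  %d\n", clock_selector_ok(good_v2, sizeof(good_v2), 0));
	printf("bogus_v2: %d\n", clock_selector_ok(bogus_v2, sizeof(bogus_v2), 0));
	printf("short_v3: %d\n", clock_selector_ok(short_v3, sizeof(short_v3), 1));
	return 0;
}
```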