From: Takashi Iwai <tiwai@suse.de>
To: "Benoît Sevens" <bsevens@google.com>
Cc: Takashi Iwai <tiwai@suse.de>, Takashi Iwai <tiwai@suse.com>,
linux-sound@vger.kernel.org, stable@kernel.org
Subject: Re: [PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
Date: Fri, 22 Nov 2024 14:14:02 +0100
Message-ID: <87bjy71kdh.wl-tiwai@suse.de>
In-Reply-To: <CAGCho0VHB=Zewhu2mtN8xHw2fF9LOhXjcJ5JaB0qucG-5gxGhQ@mail.gmail.com>
On Fri, 22 Nov 2024 14:01:53 +0100,
Benoît Sevens wrote:
>
> On Fri, 22 Nov 2024 at 13:09, Takashi Iwai <tiwai@suse.de> wrote:
> >
> > On Fri, 22 Nov 2024 11:06:57 +0100,
> > Benoît Sevens wrote:
> > >
> > > Hi Takashi,
> > >
> > > Thank you for the review. Except for one question below, this patch
> > > looks good to me. Would you like me to send your patch as a revised
> > > patch to this mailing list?
> >
> > I'm going to submit the proper patch if the fix works for you.
> >
> > > On Thu, 21 Nov 2024 at 15:53, Takashi Iwai <tiwai@suse.de> wrote:
> > > > @@ -65,13 +73,23 @@ static bool validate_clock_selector(void *p, int id, int proto)
> > > > {
> > > > union uac23_clock_selector_desc *cs = p;
> > > >
> > > > - return GET_VAL(cs, proto, bClockID) == id;
> > > > + if (!DESC_LENGTH_CHECK(cs, proto))
> > > > + return false;
> > > > + if (GET_VAL(cs, proto, bClockID) != id)
> > > > + return false;
> > > > + /* additional length check for baCSourceID, bmControls and iClockSelector */
> > > > + if (proto == UAC_VERSION_3)
> > > > + return cs->v3.bLength >= sizeof(cs->v3.bLength) + cs->v3.bNrInPins + 6;
> > >
> > > Why can't we just do this here?
> > >
> > > return cs->v3.bLength >= sizeof(cs->v3) + cs->v3.bNrInPins;
> >
> > Argh, it was just a wrong check.
> >
> > But the clock selector descriptor must have two more fields in
> > addition to baCSourceID array. Those two are 6 bytes (= 4 bytes for
> > bmControls + 2 bytes for wCSelectorDescrStr) for UAC3, while...
> >
> > > > + else
> > > > + return cs->v2.bLength >= sizeof(cs->v2.bLength) + cs->v2.bNrInPins + 2;
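Review bot: the `sizeof(cs->v3.bLength)` term in the UAC3 branch (and `sizeof(cs->v2.bLength)` in the UAC2 branch) is the size of a single one-byte field, so the minimum length it computes leaves out the rest of the fixed header that precedes baCSourceID; a descriptor whose bLength covers only bLength + bNrInPins + 6 (or + 2) passes the check while bmControls and the string index still lie past the end of what bLength promises. The question above proposes `sizeof(cs->v3)` / `sizeof(cs->v2)` for the fixed part, and the reply confirms the two trailing fields are 6 bytes for UAC3 and 2 bytes for UAC2, so the minimum should be the whole fixed struct plus bNrInPins plus that tail. Two smaller points: the new comment names iClockSelector, but per the reply the UAC3 field is wCSelectorDescrStr, and the first `DESC_LENGTH_CHECK` only guarantees the fixed header is readable, so bNrInPins must not be trusted before that check, which the ordering here does get right.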
> > >
> > > And same question here, why not:
> > >
> > > return cs->v2.bLength >= sizeof(cs->v2) + cs->v2.bNrInPins;
> >
> > ... for UAC2, they are 2 bytes (= 1 byte for bmControls + 1 byte for
> > iClockSelector). So those numbers appeared in the patch.
> >
> > Below is the revised patch. Let me know if this works for you.
> >
>
> Looks perfect to me. Thank you for the patch and explanations!
>
> Can we cc stable to get it backported?
Sure, I'll add it when submitting properly.
thanks,
Takashi
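An added example (not the kernel's code and not the patch in this thread) that carries the length arithmetic from the exchange above through in stand-alone C: the smallest bLength that makes every field of a clock selector descriptor readable, beside the value the first draft computed from sizeof(bLength). The trailing-field sizes (6 bytes for UAC3, 2 for UAC2) are the ones quoted in the reply; the struct layout and the bDescriptorType/bDescriptorSubtype names are this example's own assumptions from the USB Audio class layout, and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define UAC_VERSION_2 2
#define UAC_VERSION_3 3

/* Fixed part common to both versions (assumed layout): bLength,
 * bDescriptorType, bDescriptorSubtype, bClockID, bNrInPins, followed in
 * the wire format by baCSourceID[bNrInPins] and a version-specific tail. */
struct cs_desc_head {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bDescriptorSubtype;
	uint8_t bClockID;
	uint8_t bNrInPins;
};

/* Bytes after baCSourceID: UAC3 has 4-byte bmControls + 2-byte
 * wCSelectorDescrStr; UAC2 has 1-byte bmControls + 1-byte iClockSelector. */
static size_t cs_tail_len(int proto)
{
	return proto == UAC_VERSION_3 ? 4 + 2 : 1 + 1;
}

/* Smallest bLength under which every field is inside the descriptor. */
size_t cs_min_len(int proto, uint8_t nr_in_pins)
{
	return sizeof(struct cs_desc_head) + nr_in_pins + cs_tail_len(proto);
}

/* The first draft's arithmetic: sizeof(bLength) stands in for the whole
 * fixed header, so the result is short by the other four header bytes. */
size_t cs_min_len_buggy(int proto, uint8_t nr_in_pins)
{
	return sizeof(uint8_t) + nr_in_pins + cs_tail_len(proto);
}

/* True only if the buffer holds a descriptor whose claimed bLength both
 * fits in the buffer and covers baCSourceID plus the trailing fields. */
bool cs_desc_complete(const uint8_t *buf, size_t avail, int proto)
{
	struct cs_desc_head head;

	if (avail < sizeof(head))	/* bNrInPins not readable yet */
		return false;
	memcpy(&head, buf, sizeof(head));
	if (head.bLength > avail)	/* bLength claims more than we have */
		return false;
	return head.bLength >= cs_min_len(proto, head.bNrInPins);
}
```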
Thread overview: 7+ messages
2024-11-21 14:06 [PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources Benoît Sevens
2024-11-21 14:53 ` Takashi Iwai
2024-11-22 10:06 ` Benoît Sevens
2024-11-22 12:09 ` Takashi Iwai
2024-11-22 13:01 ` Benoît Sevens
2024-11-22 13:14 ` Takashi Iwai [this message]