From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:35052 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752820AbdK0QDx (ORCPT ); Mon, 27 Nov 2017 11:03:53 -0500
Subject: Patch "ALSA: usb-audio: Add sanity checks in v2 clock parsers" has been added to the 4.14-stable tree
To: tiwai@suse.de, andreyknvl@google.com, gregkh@linuxfoundation.org
Cc: ,
From:
Date: Mon, 27 Nov 2017 17:03:49 +0100
Message-ID: <151179862924793@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    ALSA: usb-audio: Add sanity checks in v2 clock parsers

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 21 Nov 2017 17:28:06 +0100
Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers

From: Takashi Iwai

commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.

The helper functions to parse and look for the clock source, selector
and multiplier unit may return the descriptor with a too short length
than required, while there is no sanity check in the caller side.
Add some sanity checks in the parsers, at least, to guarantee the
given descriptor size, for avoiding the potential crashes.

Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
Reported-by: Andrey Konovalov
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman --- sound/usb/clock.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -43,7 +43,7 @@ static struct uac_clock_source_descripto while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SOURCE))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; } @@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SELECTOR))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { + if (cs->bLength < 5 + cs->bNrInPins) + return NULL; return cs; + } } return NULL; @@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_MULTIPLIER))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; } Patches currently in stable-queue which might be from tiwai@suse.de are queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch queue-4.14/alsa-hda-add-raven-pci-id.patch queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
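Review bot: In the first hunk (clock source lookup, @@ -43,7 +43,7 @@), a descriptor whose bClockID matches but whose bLength is below sizeof(*cs) is now skipped silently and the loop keeps scanning, so the caller ends up with either a later descriptor carrying the same ID or a plain NULL, with nothing logged about the malformed one. Since bLength is supplied by the device, a debug message on the short-descriptor path would make a misbehaving or hostile device visible in the log. The check also only bounds the read if snd_usb_find_csint_desc() has already confirmed that bLength bytes fit inside ctrl_iface->extralen; a one-line comment stating that assumption would help the next reader.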
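Review bot: In the second hunk (clock selector lookup, @@ -59,8 +59,11 @@), the literal 5 in "if (cs->bLength < 5 + cs->bNrInPins)" is an undocumented magic number sitting right below a line that already uses sizeof(*cs) for the fixed header. Please write it in terms of sizeof(*cs) or add a comment naming what the 5 bytes are, so the two checks cannot drift apart if the struct changes. The failure handling also differs from the line above it: a too-short header falls through and continues the search, while a too-short pin array returns NULL immediately. If that difference is intended, say so in a comment; otherwise make both paths behave the same way.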
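Review bot: In the third hunk (clock multiplier lookup, @@ -75,7 +78,7 @@), the test "cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id" is the third open-coded copy of the same condition in this patch. A small shared helper or macro that validates the length before the ID comparison would keep the three lookup functions consistent and give one place to add logging or further per-type checks later.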