From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.18 07/32] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
Date: Tue, 10 Oct 2017 21:50:28 +0200 [thread overview]
Message-ID: <20171010184827.299421750@linuxfoundation.org> (raw)
In-Reply-To: <20171010184827.005589196@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream.
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser. This was detected by syzkaller, something like:
BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
snd_usb_create_streams sound/usb/card.c:248
usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/card.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -220,6 +220,7 @@ static int snd_usb_create_streams(struct
struct usb_interface_descriptor *altsd;
void *control_header;
int i, protocol;
+ int rest_bytes;
/* find audiocontrol interface */
host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
@@ -234,6 +235,15 @@ static int snd_usb_create_streams(struct
return -EINVAL;
}
+ rest_bytes = (void *)(host_iface->extra + host_iface->extralen) -
+ control_header;
+
+ /* just to be sure -- this shouldn't hit at all */
+ if (rest_bytes <= 0) {
+ dev_err(&dev->dev, "invalid control header\n");
+ return -EINVAL;
+ }
+
switch (protocol) {
default:
dev_warn(&dev->dev,
@@ -244,11 +254,21 @@ static int snd_usb_create_streams(struct
case UAC_VERSION_1: {
struct uac1_ac_header_descriptor *h1 = control_header;
+ if (rest_bytes < sizeof(*h1)) {
+ dev_err(&dev->dev, "too short v1 buffer descriptor\n");
+ return -EINVAL;
+ }
+
if (!h1->bInCollection) {
dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
return -EINVAL;
}
+ if (rest_bytes < h1->bLength) {
+ dev_err(&dev->dev, "invalid buffer length (v1)\n");
+ return -EINVAL;
+ }
+
if (h1->bLength < sizeof(*h1) + h1->bInCollection) {
dev_err(&dev->dev, "invalid UAC_HEADER (v1)\n");
return -EINVAL;
next prev parent reply other threads:[~2017-10-10 19:52 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-10 19:50 [PATCH 3.18 00/32] 3.18.75-stable review Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 01/32] usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 02/32] USB: gadgetfs: Fix crash caused by inadequate synchronization Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 03/32] USB: gadgetfs: fix copy_to_user while holding spinlock Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 04/32] usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 05/32] usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 06/32] usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction Greg Kroah-Hartman
2017-10-10 19:50 ` Greg Kroah-Hartman [this message]
2017-10-10 19:50 ` [PATCH 3.18 08/32] usb: pci-quirks.c: Corrected timeout values used in handshake Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 09/32] USB: dummy-hcd: fix connection failures (wrong speed) Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 10/32] USB: dummy-hcd: fix infinite-loop resubmission bug Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 11/32] USB: devio: Dont corrupt user memory Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 12/32] USB: uas: fix bug in handling of alternate settings Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 13/32] usb: Increase quirk delay for USB devices Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 14/32] USB: fix out-of-bounds in usb_set_configuration Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 15/32] xhci: fix finding correct bus_state structure for USB 3.1 hosts Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 16/32] iio: ad_sigma_delta: Implement a dedicated reset function Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 17/32] staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 18/32] iio: core: Return error for failed read_reg Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 19/32] iio: ad7793: Fix the serial interface reset Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 20/32] iio: adc: mcp320x: Fix oops on module unload Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 21/32] uwb: properly check kthread_run return value Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 22/32] uwb: ensure that endpoint is interrupt Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 23/32] lsm: fix smack_inode_removexattr and xattr_getsecurity memleak Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 24/32] ALSA: usx2y: Suppress kernel warning at page allocation failures Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 25/32] driver core: platform: Dont read past the end of "driver_override" buffer Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 26/32] HID: i2c-hid: allocate hid buffers for real worst case Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 28/32] ext4: only call ext4_truncate when size <= isize Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 29/32] fs/super.c: fix race between freeze_super() and thaw_super() Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 30/32] ext4: fix data corruption for mmap writes Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 31/32] ext4: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 3.18 32/32] ext4: validate s_first_meta_bg at mount time Greg Kroah-Hartman
2017-10-11 0:20 ` [PATCH 3.18 00/32] 3.18.75-stable review Shuah Khan
2017-10-11 13:11 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171010184827.299421750@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).