From: Greg KH <gregkh@linuxfoundation.org>
To: "Benoît Sevens" <bsevens@google.com>
Cc: stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>
Subject: Re: [PATCH v2 5.10.y] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
Date: Thu, 5 Dec 2024 15:12:35 +0100
Message-ID: <2024120523-sash-ravioli-e697@gregkh>
In-Reply-To: <20241205130758.981732-1-bsevens@google.com>

On Thu, Dec 05, 2024 at 01:07:58PM +0000, Benoît Sevens wrote:
> From: Takashi Iwai <tiwai@suse.de>
>
> Upstream commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6
>
> The current USB-audio driver code doesn't check bLength of each
> descriptor at traversing for clock descriptors. That is, when a
> device provides a bogus descriptor with a shorter bLength, the driver
> might hit out-of-bounds reads.
>
> For addressing it, this patch adds sanity checks to the validator
> functions for the clock descriptor traversal. When the descriptor
> length is shorter than expected, it's skipped in the loop.
>
> For the clock source and clock multiplier descriptors, we can just
> check bLength against the sizeof() of each descriptor type.
> OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
> of bNrInPins elements and two more fields at its tail, hence those
> have to be checked in addition to the sizeof() check.
>
> This patch ports the upstream commit a3dd4d63eeb4 to trees that do not
> include the refactoring commit 9ec730052fa2 ("ALSA: usb-audio:
> Refactoring UAC2/3 clock setup code"). That commit provides union
> objects for pointing both UAC2 and UAC3 objects and unifies the clock
> source, selector and multiplier helper functions. This means we need to
> perform the check in each version specific helper function, but on the
> other hand do not need to do version specific union dereferencing in the
> macros and helper functions.
>
> Reported-by: Benoît Sevens <bsevens@google.com>
> Cc: <stable@vger.kernel.org>
> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
> Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)
> Signed-off-by: Benoît Sevens <bsevens@google.com>
> ---
> sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++--
> 1 file changed, 30 insertions(+), 2 deletions(-)

What changed in v2?
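
The length rule from the quoted commit message (sizeof() first, then the bNrInPins array plus the two tail fields), as an added user-space C example; it is not the patch's or the kernel's code. The struct, `selector_len_ok()` and `find_clock_selector()` are hypothetical names, the one-byte sizes of the two UAC2 tail fields are an assumption, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space model. Assumed UAC2 clock selector layout: 5-byte header,
 * baCSourceID[bNrInPins], then bmControls and iClockSelector (1 byte each). */
struct clock_selector_hdr {
	uint8_t bLength, bDescriptorType, bDescriptorSubtype;
	uint8_t bClockID, bNrInPins;
	uint8_t baCSourceID[];
};
#define DT_CS_INTERFACE   0x24	/* class-specific interface descriptor */
#define SUBTYPE_CLOCK_SEL 0x0b	/* UAC2 clock selector subtype */

/* sizeof() check first, then the array plus the two tail fields. */
static int selector_len_ok(const uint8_t *p)
{
	const struct clock_selector_hdr *cs = (const void *)p;
	if (cs->bLength < sizeof(*cs))
		return 0;	/* bNrInPins is not even inside the descriptor */
	return cs->bLength >= sizeof(*cs) + cs->bNrInPins + 1 + 1;
}

/* Hypothetical helper: first well-formed selector with this ID, or NULL. */
static const uint8_t *find_clock_selector(const uint8_t *buf, size_t len, uint8_t id)
{
	size_t off = 0;
	while (len - off >= 2) {
		const uint8_t *p = buf + off;
		uint8_t blen = p[0];
		if (blen < 2 || blen > len - off)
			return NULL;	/* cannot advance safely */
		if (p[1] == DT_CS_INTERFACE && blen >= 3 && p[2] == SUBTYPE_CLOCK_SEL &&
		    selector_len_ok(p) && p[3] == id)
			return p;
		off += blen;	/* short or foreign descriptor: skip it */
	}
	return NULL;
}

/* Constructed input: a selector claiming 2 pins in 5 bytes, then a valid one. */
static const uint8_t mixed[] = {
	5, 0x24, 0x0b, 0x01, 0x02,
	9, 0x24, 0x0b, 0x01, 0x02, 0x10, 0x11, 0x03, 0x00,
};

int main(void)
{
	return find_clock_selector(mixed, sizeof(mixed), 1) == mixed + 5 ? 0 : 1;
}
```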