From: Greg KH <gregkh@linuxfoundation.org>
To: "Benoît Sevens" <bsevens@google.com>
Cc: stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>
Subject: Re: [PATCH v2 5.10.y] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
Date: Fri, 6 Dec 2024 07:06:56 +0100
Message-ID: <2024120635-myspace-aside-1d9c@gregkh>
In-Reply-To: <CAGCho0UWR3zt6hcvfhy63Y_Oskb0e8UNOvrUyU=jkguCPBFTkw@mail.gmail.com>
On Thu, Dec 05, 2024 at 03:14:46PM +0100, Benoît Sevens wrote:
> On Thu, 5 Dec 2024 at 15:12, Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Dec 05, 2024 at 01:07:58PM +0000, Benoît Sevens wrote:
> > > From: Takashi Iwai <tiwai@suse.de>
> > >
> > > Upstream commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6
> > >
> > > The current USB-audio driver code doesn't check bLength of each
> > > descriptor at traversing for clock descriptors. That is, when a
> > > device provides a bogus descriptor with a shorter bLength, the driver
> > > might hit out-of-bounds reads.
> > >
> > > For addressing it, this patch adds sanity checks to the validator
> > > functions for the clock descriptor traversal. When the descriptor
> > > length is shorter than expected, it's skipped in the loop.
> > >
> > > For the clock source and clock multiplier descriptors, we can just
> > > check bLength against the sizeof() of each descriptor type.
> > > OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
> > > of bNrInPins elements and two more fields at its tail, hence those
> > > have to be checked in addition to the sizeof() check.
> > >
> > > This patch ports the upstream commit a3dd4d63eeb4 to trees that do not
> > > include the refactoring commit 9ec730052fa2 ("ALSA: usb-audio:
> > > Refactoring UAC2/3 clock setup code"). That commit provides union
> > > objects for pointing both UAC2 and UAC3 objects and unifies the clock
> > > source, selector and multiplier helper functions. This means we need to
> > > perform the check in each version specific helper function, but on the
> > > other hand do not need to do version specific union dereferencing in the
> > > macros and helper functions.
> > >
> > > Reported-by: Benoît Sevens <bsevens@google.com>
> > > Cc: <stable@vger.kernel.org>
> > > Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
> > > Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
> > > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > > (cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)
> > > Signed-off-by: Benoît Sevens <bsevens@google.com>
> > > ---
> > > sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++--
> > > 1 file changed, 30 insertions(+), 2 deletions(-)
> >
> > What changed in v2?
>
> Only the commit description. Should I resend it in that case in reply
> to the previous thread?
Change information always goes below the --- line, please fix that up
and send a v3.
thanks,
greg k-h
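As an added illustration of the bLength checks the quoted commit message describes (this is example code, not the patch itself and not the kernel's own structs in sound/usb/clock.c): the descriptor layouts below are simplified UAC2-style ones assumed for the example, and the sample descriptor bytes are constructed. Clock source and multiplier descriptors are checked against sizeof(); the selector is checked against its fixed part plus bNrInPins entries plus the two tail fields, and a descriptor that is too short is skipped rather than read.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified UAC2-style clock descriptors, constructed for this example (not the structs in sound/usb/clock.c). */
enum { CS_INTERFACE = 0x24, UAC2_CLOCK_SOURCE = 0x0a, UAC2_CLOCK_SELECTOR = 0x0b, UAC2_CLOCK_MULTIPLIER = 0x0c };
struct uac2_clock_source_desc {      /* 8 bytes */
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID;
    uint8_t bmAttributes, bmControls, bAssocTerminal, iClockSource;
};
struct uac2_clock_multiplier_desc {  /* 7 bytes */
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID;
    uint8_t bCSourceID, bmControls, iClockMultiplier;
};
/* Does bLength cover every field the driver would read for this descriptor subtype? */
static int clock_desc_len_ok(const uint8_t *d, uint8_t blen)
{
    switch (d[2]) {
    case UAC2_CLOCK_SOURCE:     return blen >= sizeof(struct uac2_clock_source_desc);
    case UAC2_CLOCK_MULTIPLIER: return blen >= sizeof(struct uac2_clock_multiplier_desc);
    case UAC2_CLOCK_SELECTOR:   /* 5 fixed bytes (bNrInPins at offset 4), baCSourceID[bNrInPins], bmControls, iClockSelector */
        return blen >= 5 && blen >= 5 + (size_t)d[4] + 2;   /* read bNrInPins only once the fixed part is present */
    default:                    return 0;
    }
}
/* Walk class-specific interface descriptors and return the one matching subtype and clock ID.
 * A descriptor that is too short is stepped over by its own bLength and never read any further. */
const uint8_t *find_clock_desc(const uint8_t *buf, size_t len, uint8_t subtype, uint8_t id)
{
    for (size_t off = 0; off + 2 <= len; ) {   /* bLength and bDescriptorType must both be present */
        const uint8_t *d = buf + off;
        uint8_t blen = d[0];
        if (blen < 2 || blen > len - off)      /* a length running past the buffer ends the walk */
            return NULL;
        if (d[1] == CS_INTERFACE && blen >= 4 && d[2] == subtype &&
            clock_desc_len_ok(d, blen) && d[3] == id)
            return d;
        off += blen;
    }
    return NULL;
}
/* Constructed sample: valid source (ID 1); source with bLength 4 (ID 2); valid 2-pin selector (ID 3);
 * selector claiming 3 pins in only 8 bytes (ID 4); valid multiplier (ID 5). */
const uint8_t sample_descs[] = {
    8, CS_INTERFACE, UAC2_CLOCK_SOURCE, 1, 0x01, 0x07, 0x00, 0x00,
    4, CS_INTERFACE, UAC2_CLOCK_SOURCE, 2,
    9, CS_INTERFACE, UAC2_CLOCK_SELECTOR, 3, 2, 1, 2, 0x03, 0x00,
    8, CS_INTERFACE, UAC2_CLOCK_SELECTOR, 4, 3, 1, 2, 3,
    7, CS_INTERFACE, UAC2_CLOCK_MULTIPLIER, 5, 1, 0x00, 0x00,
};
```

The two short descriptors (IDs 2 and 4) are skipped by the walk, while the well-formed ones are still found at their correct offsets.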
Thread overview:
2024-12-05 13:07 [PATCH v2 5.10.y] ALSA: usb-audio: Fix out of bounds reads when finding clock sources Benoît Sevens
2024-12-05 13:34 ` Sasha Levin
2024-12-05 14:12 ` Greg KH
2024-12-05 14:14 ` Benoît Sevens
2024-12-06 6:06 ` Greg KH [this message]