From aa8fb19232c123a6a30b6db76840c548cebdaa1d Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Wed, 28 Aug 2019 13:29:10 +0200 Subject: [PATCH] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117) [carnil: Use 4.19.67-2+deb10u1 version for buster-security branch] --- debian/changelog | 7 +++ ...an-OOB-bug-in-parse_audio_mixer_unit.patch | 56 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 64 insertions(+) create mode 100644 debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch diff --git a/debian/changelog b/debian/changelog index af78ce0a6..23c14ed63 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium + + [ Romain Perier ] + * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117) + + -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200 + linux (4.19.67-2) buster; urgency=medium [ Salvatore Bonaccorso ] diff --git a/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch new file mode 100644 index 000000000..362b284d4 --- /dev/null +++ b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch @@ -0,0 +1,56 @@ +From: Hui Peng +Date: Tue, 13 Aug 2019 22:34:04 -0400 +Subject: ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15117 +Origin: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c + +commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream. + +The `uac_mixer_unit_descriptor` shown as below is read from the +device side. In `parse_audio_mixer_unit`, `baSourceID` field is +accessed from index 0 to `bNrInPins` - 1, the current implementation +assumes that descriptor is always valid (the length of descriptor +is no shorter than 5 + `bNrInPins`). If a descriptor read from +the device side is invalid, it may trigger out-of-bound memory +access. + +``` +struct uac_mixer_unit_descriptor { + __u8 bLength; + __u8 bDescriptorType; + __u8 bDescriptorSubtype; + __u8 bUnitID; + __u8 bNrInPins; + __u8 baSourceID[]; +} +``` + +This patch fixes the bug by add a sanity check on the length of +the descriptor. + +Reported-by: Hui Peng +Reported-by: Mathias Payer +Cc: +Signed-off-by: Hui Peng +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 996126a28072..4b3e1c48ca2f 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -760,6 +760,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state, + return -EINVAL; + if (!desc->bNrInPins) + return -EINVAL; ++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins) ++ return -EINVAL; + + switch (state->mixer->protocol) { + case UAC_VERSION_1: +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 04db48f77..65e6a8fc2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -162,6 +162,7 @@ features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch +bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch