57 lines
1.8 KiB
Diff
57 lines
1.8 KiB
Diff
From: Hui Peng <benquike@gmail.com>
|
|
Date: Tue, 13 Aug 2019 22:34:04 -0400
|
|
Subject: ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15117
|
|
Origin: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c
|
|
|
|
commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream.
|
|
|
|
The `uac_mixer_unit_descriptor` shown as below is read from the
|
|
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
|
|
accessed from index 0 to `bNrInPins` - 1, the current implementation
|
|
assumes that descriptor is always valid (the length of descriptor
|
|
is no shorter than 5 + `bNrInPins`). If a descriptor read from
|
|
the device side is invalid, it may trigger out-of-bound memory
|
|
access.
|
|
|
|
```
|
|
struct uac_mixer_unit_descriptor {
|
|
__u8 bLength;
|
|
__u8 bDescriptorType;
|
|
__u8 bDescriptorSubtype;
|
|
__u8 bUnitID;
|
|
__u8 bNrInPins;
|
|
__u8 baSourceID[];
|
|
}
|
|
```
|
|
|
|
This patch fixes the bug by add a sanity check on the length of
|
|
the descriptor.
|
|
|
|
Reported-by: Hui Peng <benquike@gmail.com>
|
|
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
|
|
Cc: <stable@vger.kernel.org>
|
|
Signed-off-by: Hui Peng <benquike@gmail.com>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
---
|
|
sound/usb/mixer.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
|
|
index 996126a28072..4b3e1c48ca2f 100644
|
|
--- a/sound/usb/mixer.c
|
|
+++ b/sound/usb/mixer.c
|
|
@@ -760,6 +760,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
|
|
return -EINVAL;
|
|
if (!desc->bNrInPins)
|
|
return -EINVAL;
|
|
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
|
|
+ return -EINVAL;
|
|
|
|
switch (state->mixer->protocol) {
|
|
case UAC_VERSION_1:
|
|
--
|
|
cgit 1.2-0.3.lf.el7
|
|
|