From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Andrey Konovalov", "Takashi Iwai"
Date: Sun, 11 Feb 2018 04:20:06 +0000
Subject: [PATCH 3.2 58/79] ALSA: usb-audio: Add sanity checks in v2 clock parsers

3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.

The helper functions to parse and look for the clock source, selector and multiplier unit may return a descriptor with a length shorter than required, while there is no sanity check on the caller side. Add some sanity checks in the parsers, at least, to guarantee the given descriptor size, for avoiding the potential crashes.

Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
Reported-by: Andrey Konovalov
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
--- sound/usb/clock.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -42,7 +42,7 @@ static struct uac_clock_source_descripto while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SOURCE))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; } 
@@ -58,8 +58,11 @@ static struct uac_clock_selector_descrip while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SELECTOR))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { + if (cs->bLength < 5 + cs->bNrInPins) + return NULL; return cs; + } } return NULL; @@ -74,7 +77,7 @@ static struct uac_clock_multiplier_descr while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_MULTIPLIER))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; }
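
Review bot: In the clock selector hunk (@@ -58,8 +58,11 @@), the added "if (cs->bLength < 5 + cs->bNrInPins) return NULL;" uses an unexplained constant 5 and ends the lookup, whereas a descriptor that fails the "cs->bLength >= sizeof(*cs)" test in the enclosing condition is only skipped and the loop moves on to the next one. A short comment naming the fixed fields the 5 accounts for (or an expression derived from the struct) would make the bound checkable by a reader, and the two failure paths should either behave the same way or carry a comment saying why a matching but truncated selector aborts the search instead of being skipped.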
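
Review bot: In the clock source (@@ -42,7 +42,7 @@) and clock multiplier (@@ -74,7 +77,7 @@) hunks, the new bLength test is folded into the same condition as the bClockID comparison, so a descriptor that carries the requested clock ID but is too short is dropped silently and the lookup continues as if it were absent. A debug message for the case where bClockID matches but bLength < sizeof(*cs) would make a malformed device diagnosable from the log. The identical "cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id" condition now appears in all three parsers; a one-line comment above each, or a shared helper, would document that the check only guarantees the fixed-size part of the descriptor.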