Received: by 10.223.185.116 with SMTP id b49csp822851wrg;
        Sat, 10 Feb 2018 21:13:10 -0800 (PST)
X-Google-Smtp-Source: AH8x227Am96XAYjdLHYIJ4ujbg0frq652FuhT5mIKa2eysE6lDvFmz70t8ifBXvHEsHT+5GxmChc
X-Received: by 2002:a17:902:43e4:: with SMTP id j91-v6mr7104585pld.153.1518325990120;
        Sat, 10 Feb 2018 21:13:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518325990; cv=none;
        d=google.com; s=arc-20160816;
        b=zTEs7x7Tf6N/DdOutoAvBeZZdXi0t6jlts6uHfpqrx6QEay6S1uXRqRgzumtJgWW3A
         iptCLYrELseNdE3DHmH9JwGWktK5rFnfwNNoIhtEd7g8H8AOOOtT3cM3SowFQwG9gM/n
         S0/znENftzubFdmaVONLnaR5X6PHTBNl+9RJ4jsREI1ayNrW+q97lxVT25VRffa4S1/x
         hVanngtZbsQSG5maBMccyUHJsH6BIWMnIwHZM2ImuFiNQNTRj123+Jws9w/+GUIWvBET
         4p1NptimQMt3+TpxOTu1R46i+Xp54IXRwtt4stu3p7ZRKBG1kPsviZeL7dhbQnZRKZxW
         iLgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition
         :arc-authentication-results;
        bh=vX4u+ANjzGk7zVTOO8D6cAVX7jtHv5r+60sSFj287u4=;
        b=MiZ8bte9TQZE+dh5OTxVR3cXN/G9yWn/dDWe+oQRUv81D/SMywofvkeEkdDKkhCbos
         zF3MKzrQhuhzeA6gUZG8uLIo+xj28qcuVnXu95IdtmnvxkD+4nKqoVERgjd8UL2W2Q/S
         9ZrKUgo0S5U0RSUEHp27UYi45SWnLm6Bx/u7/YUtvOM0mM5Xyjtr04Lhd6DqqNzaZPgl
         kdEiakdWeLKHwPYFc5x3e7XLHYJzr8TvQjFNH6OCyJJKngnlg9jZ3BxuHBZJgSDpnbgJ
         bQ1aZtkTBElWwQY9M5pidAJZKz5MowgtZPOdfCh5hRlByEl7oeyjQTWKmK22CudYA9eC
         yKYg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 23si4325116pfm.48.2018.02.10.21.12.56;
        Sat, 10 Feb 2018 21:13:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753911AbeBKFLH (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Sun, 11 Feb 2018 00:11:07 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:41432 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1752642AbeBKEdm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 10 Feb 2018 23:33:42 -0500
Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1ekjKd-0002hE-Qz; Sun, 11 Feb 2018 04:33:39 +0000
Received: from ben by deadeye with local (Exim 4.90)
        (envelope-from <ben@decadent.org.uk>)
        id 1ekjKY-0004Vw-GO; Sun, 11 Feb 2018 04:33:34 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, "Takashi Iwai" <tiwai@suse.de>
Date:   Sun, 11 Feb 2018 04:20:06 +0000
Message-ID: <lsq.1518322806.400806207@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.2 56/79] ALSA: usb-audio: Fix potential out-of-bound
 access at parsing SU
In-Reply-To: <lsq.1518322802.943358572@decadent.org.uk>
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream.

The usb-audio driver may trigger an out-of-bound access at parsing a
malformed selector unit, as it checks the header length only after
evaluating bNrInPins field, which can be already above the given
length.  Fix it by adding the length check beforehand.

Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1845,7 +1845,8 @@ static int parse_audio_selector_unit(str
 	const struct usbmix_name_map *map;
 	char **namelist;
 
-	if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
+	if (desc->bLength < 5 || !desc->bNrInPins ||
+	    desc->bLength < 5 + desc->bNrInPins) {
 		snd_printk(KERN_ERR "invalid SELECTOR UNIT descriptor %d\n", unitid);
 		return -EINVAL;
 	}