From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Takashi Iwai", "Jaejoong Kim"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 049/254] ALSA: usb-audio: Fix out-of-bound error

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim

commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.

The snd_usb_copy_string_desc() retrieves the usb string corresponding to
the index number through the usb_string(). The problem is that the
usb_string() returns the length of the string (>= 0) when successful, but
it can also return a negative value about the error case or status of
usb_control_msg().

If iClockSource is '0' as shown below, usb_string() will return -EINVAL.
This will result in '0' being inserted into buf[-22], and the following
KASAN out-of-bound error message will be output.

AudioControl Interface Descriptor:
  bLength                 8
  bDescriptorType        36
  bDescriptorSubtype     10 (CLOCK_SOURCE)
  bClockID                1
  bmAttributes         0x07 Internal programmable Clock (synced to SOF)
  bmControls           0x07
    Clock Frequency Control (read/write)
    Clock Validity Control (read-only)
  bAssocTerminal          0
  iClockSource            0

To fix it, check usb_string()'s return value and bail out.

==================================================================
BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376

CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
Hardware name: LG Electronics 15N540-RFLGL/White Tip Mountain, BIOS 15N5
Call Trace:
 dump_stack+0x63/0x8d
 print_address_description+0x70/0x290
 ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
 kasan_report+0x265/0x350
 __asan_store1+0x4a/0x50
 parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
 ? save_stack+0xb5/0xd0
 ? save_stack_trace+0x1b/0x20
 ? save_stack+0x46/0xd0
 ? kasan_kmalloc+0xad/0xe0
 ? kmem_cache_alloc_trace+0xff/0x230
 ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
 ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
 ? usb_probe_interface+0x1f5/0x440
 ? driver_probe_device+0x3ed/0x660
 ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
 ? save_stack_trace+0x1b/0x20
 ? init_object+0x69/0xa0
 ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
 snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
 ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
 ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
 ? kmem_cache_alloc_trace+0xff/0x230
 ? usb_ifnum_to_if+0xbd/0xf0
 snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
 ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
 usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
 ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
 ? __pm_runtime_idle+0x90/0x90
 ? kernfs_activate+0xa6/0xc0
 ? usb_match_one_id_intf+0xdc/0x130
 ? __pm_runtime_set_status+0x2d4/0x450
 usb_probe_interface+0x1f5/0x440

Signed-off-by: Jaejoong Kim
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
 sound/usb/mixer.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -199,6 +199,10 @@ static int snd_usb_copy_string_desc(stru int index, char *buf, int maxlen) { int len = usb_string(state->chip->dev, index, buf, maxlen - 1); + + if (len < 0) + return 0; + buf[len] = 0; return len; }
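
Review bot: on the new early return (`if (len < 0)` followed by `return 0;`) buf is left without a terminator, whereas the success path ends with `buf[len] = 0;`. A caller that gets 0 back and still reads buf as a string would see whatever the buffer held before the call; consider setting buf[0] = 0 before returning (when maxlen > 0) so that a 0 return always means an empty, terminated string. The negative errno from usb_string() is also discarded at this point, which is fine if callers only need a name-or-nothing answer, but a one-line comment saying so would help the next reader.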
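
The failure mode the commit message describes, as an added example (not code from the patch or the kernel): fake_usb_string() is a hypothetical stand-in for usb_string(), and copy_unchecked()/copy_checked() are illustrative names for the pre-patch and patched logic. The buffer sits in the middle of a canary-filled arena so the stray write at buf[-EINVAL] stays inside the program's own memory and its offset can be reported.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ARENA   64
#define BUF_OFF 32  /* buf starts mid-arena so a negative index stays in-bounds */

/* Hypothetical stand-in for usb_string(): length on success, negative
 * errno on failure; index 0 means "no string descriptor". */
static int fake_usb_string(int index, char *buf, size_t size)
{
    static const char name[] = "Clock";  /* constructed sample string */
    size_t n = sizeof(name) - 1 < size ? sizeof(name) - 1 : size;
    if (index == 0 || size == 0)
        return -EINVAL;
    memcpy(buf, name, n);
    return (int)n;
}

/* Pre-patch logic: the return value is used as an index unchecked. */
static int copy_unchecked(int index, char *buf, int maxlen)
{
    int len = fake_usb_string(index, buf, maxlen - 1);
    buf[len] = 0;  /* len == -EINVAL: the write lands below buf */
    return len;
}

/* Patched logic, as in the hunk: bail out on a negative return. */
static int copy_checked(int index, char *buf, int maxlen)
{
    int len = fake_usb_string(index, buf, maxlen - 1);
    if (len < 0)
        return 0;
    buf[len] = 0;
    return len;
}

/* Arena offset of the first byte changed from the 0xAA canary, or -1. */
static int first_clobbered(int (*fn)(int, char *, int), int index)
{
    unsigned char arena[ARENA];
    memset(arena, 0xAA, sizeof(arena));
    fn(index, (char *)arena + BUF_OFF, ARENA - BUF_OFF);
    for (int i = 0; i < ARENA; i++)
        if (arena[i] != 0xAA)
            return i;
    return -1;
}

int main(void)
{
    printf("unchecked: %d\n", first_clobbered(copy_unchecked, 0));
    printf("checked:   %d\n", first_clobbered(copy_checked, 0));
    return 0;
}
```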