From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrey Konovalov, Takashi Iwai, Sudip Mukherjee, Sasha Levin
Subject: [PATCH 4.14 111/143] ALSA: usx2y: Fix invalid stream URBs
Date: Fri, 2 Nov 2018 19:34:56 +0100
Message-Id: <20181102182906.708873574@linuxfoundation.org>
In-Reply-To: <20181102182857.064326086@linuxfoundation.org>
References: <20181102182857.064326086@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit f9a1c372299fed53d4b72bb601f7f3bfe6f9999c upstream

The us122l driver creates URBs per the fixed endpoints, and this may
end up with URBs with inconsistent pipes when a fuzzer or a malicious
program deals with the manipulated endpoints.  It ends up with a
kernel warning like:

  usb 1-1: BOGUS urb xfer, pipe 0 != type 3
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471 usb_submit_urb+0x113e/0x1400
  Call Trace:
   usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690
   us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365
   us122l_create_card sound/usb/usx2y/us122l.c:502
   us122l_usb_probe sound/usb/usx2y/us122l.c:588
   ....

For avoiding the bad access, this patch adds a few sanity checks of
the validity of created URBs like previous similar fixes using the new
usb_urb_ep_type_check() helper function.

Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
Signed-off-by: Takashi Iwai
Signed-off-by: Sudip Mukherjee
Signed-off-by: Sasha Levin
---
 sound/usb/usx2y/usb_stream.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c index e229abd21652..b0f8979ff2d2 100644 --- a/sound/usb/usx2y/usb_stream.c +++ b/sound/usb/usx2y/usb_stream.c @@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb) lb, s->period_size); } -static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, +static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, struct urb **urbs, char *transfer, struct usb_device *dev, int pipe) { @@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, urb->interval = 1; if (usb_pipeout(pipe)) continue; + if (usb_urb_ep_type_check(urb)) + return -EINVAL; urb->transfer_buffer_length = transfer_length; desc = urb->iso_frame_desc; @@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, desc[p].length = maxpacket; } } + + return 0; } -static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, +static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, struct usb_device *dev, int in_pipe, int out_pipe) { struct usb_stream *s = sk->s; @@ -103,9 +107,12 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL); } - init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe); - init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, - out_pipe); + if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) || + init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, + out_pipe)) + return -EINVAL; + + return 0; } 
@@ -226,7 +233,11 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk, else sk->freqn = get_usb_high_speed_rate(sample_rate); - init_urbs(sk, use_packsize, dev, in_pipe, out_pipe); + if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) { + usb_stream_free(sk); + return NULL; + } + sk->s->state = usb_stream_stopped; out: return sk->s; -- 2.17.1
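
Review bot: In init_pipe_urbs() (hunk @@ -77,6 +77,8), the new usb_urb_ep_type_check(urb) call sits after `if (usb_pipeout(pipe)) continue;`, so every URB on the OUT pipe leaves the loop iteration before it is validated and only IN URBs are checked. If mismatched endpoints should be rejected in both directions, move the check above the usb_pipeout() test, directly after `urb->interval = 1;`.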
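
Review bot: In init_urbs() (hunk @@ -103,9 +107,12), the context line `sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL);` stores the allocation result with no NULL check before init_pipe_urbs() is called on that array, and init_pipe_urbs() writes through the urb pointer (`urb->interval = 1;`). Now that init_urbs() returns int, it can return -ENOMEM when an allocation fails. It would also be cleaner to propagate the value init_pipe_urbs() returns instead of hard-coding -EINVAL in the caller.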
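
Review bot: The new failure branch in usb_stream_new() (hunk @@ -226,7 +233,11) frees the stream and returns NULL without logging anything, so a probe rejected for a bogus endpoint leaves no hint in the kernel log. A dev_err() on this path would help triage. The direct `return NULL;` also bypasses the `out:` label visible just below it; using `goto out` or a comment on why the early return is needed would keep the exit paths consistent.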