From: Hui Peng
To: security@kernel.org
Cc: Hui Peng, Mathias Payer, Jaroslav Kysela, Takashi Iwai, Thomas Gleixner, Allison Randal, YueHaibing, Wenwen Wang, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Fix an OOB bug in parse_audio_mixer_unit
Date: Tue, 13 Aug 2019 22:36:24 -0400
Message-Id: <20190814023625.21683-1-benquike@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The `uac_mixer_unit_descriptor` shown below is read from the device side. In `parse_audio_mixer_unit`, the `baSourceID` field is accessed from index 0 to `bNrInPins` - 1; the current implementation assumes that the descriptor is always valid (the length of the descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger an out-of-bounds memory access.

```
struct uac_mixer_unit_descriptor {
	__u8 bLength;
	__u8 bDescriptorType;
	__u8 bDescriptorSubtype;
	__u8 bUnitID;
	__u8 bNrInPins;
	__u8 baSourceID[];
}
```

This patch fixes the bug by adding a sanity check on the length of the descriptor.
Signed-off-by: Hui Peng Reported-by: Hui Peng Reported-by: Mathias Payer --- sound/usb/mixer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 7498b5191b68..38202ce67237 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -2091,6 +2091,15 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, struct usb_audio_term iterm; int input_pins, num_ins, num_outs; int pin, ich, err; + int desc_len = (int) ((unsigned long) state->buffer + + state->buflen - (unsigned long) raw_desc); + + if (desc_len < sizeof(*desc) + desc->bNrInPins) { + usb_audio_err(state->chip, + "descriptor %d too short\n", + unitid); + return -EINVAL; + } err = uac_mixer_unit_get_channels(state, desc); if (err < 0) { -- 2.22.1
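Review bot: the new check `if (desc_len < sizeof(*desc) + desc->bNrInPins)` compares a signed `int` against a `size_t` expression, so a negative `desc_len` (when `raw_desc` lies past `state->buffer + state->buflen`) is converted to a large unsigned value and the check passes. It also reads `desc->bNrInPins` before anything has confirmed that `sizeof(*desc)` bytes are available at `raw_desc`. Suggest testing `desc_len` against `sizeof(*desc)` first, keeping the length unsigned or rejecting negative values explicitly, and only then adding `bNrInPins`. Separately, `desc_len` is the number of bytes left in the buffer, not this descriptor's own length: a unit whose `bLength` is smaller than 5 + `bNrInPins` but which is followed by other descriptors still passes, and the `baSourceID` reads then run into the neighbouring descriptor. The commit message states the requirement in terms of the descriptor's length, so the check should also compare `desc->bLength` against `sizeof(*desc) + desc->bNrInPins`. Minor: plain pointer subtraction would read more clearly than the two `(unsigned long)` casts followed by an `(int)` cast.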