Date: Wed, 14 Aug 2019 08:36:42 +0200
From: Takashi Iwai
To: "Hui Peng"
Cc: "YueHaibing", "Thomas Gleixner", "Allison Randal", "Mathias Payer", "Jaroslav Kysela", "Takashi Iwai", "Wenwen Wang"
Subject: Re: [PATCH] Fix an OOB bug in parse_audio_mixer_unit
In-Reply-To: <20190814023625.21683-1-benquike@gmail.com>
References: <20190814023625.21683-1-benquike@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 14 Aug 2019 04:36:24 +0200,
Hui Peng wrote:
>
> The `uac_mixer_unit_descriptor` shown below is read from the
> device side. In `parse_audio_mixer_unit`, the `baSourceID` field is
> accessed from index 0 to `bNrInPins` - 1; the current implementation
> assumes that the descriptor is always valid (the length of the descriptor
> is no shorter than 5 + `bNrInPins`). If a descriptor read from
> the device side is invalid, it may trigger out-of-bounds memory
> access.
>
> ```
> struct uac_mixer_unit_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __u8 bDescriptorSubtype;
> __u8 bUnitID;
> __u8 bNrInPins;
> __u8 baSourceID[];
> }
> ```
>
> This patch fixes the bug by adding a sanity check on the length of
> the descriptor.
>
> Signed-off-by: Hui Peng
> Reported-by: Hui Peng
> Reported-by: Mathias Payer
> ---
> sound/usb/mixer.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index 7498b5191b68..38202ce67237 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -2091,6 +2091,15 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
> struct usb_audio_term iterm;
> int input_pins, num_ins, num_outs;
> int pin, ich, err;
> + int desc_len = (int) ((unsigned long) state->buffer +
> + state->buflen - (unsigned long) raw_desc);
> +
> + if (desc_len < sizeof(*desc) + desc->bNrInPins) {
> + usb_audio_err(state->chip,
> + "descriptor %d too short\n",
> + unitid);
> + return -EINVAL;
> + }
>
> err = uac_mixer_unit_get_channels(state, desc);
> if (err < 0) {

Hm, what is the desc->bLength value in the error case?

Basically the buffer boundary is already checked against bLength in
snd_usb_find_desc() which is called from obtaining the raw_desc in the
caller of this function (parse_audio_unit()).

So, if any, we need to check bLength for the possible overflow like
below.

thanks,

Takashi

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -744,6 +744,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
return -EINVAL;
if (!desc->bNrInPins)
return -EINVAL;
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
+ return -EINVAL;
switch (state->mixer->protocol) {
case UAC_VERSION_1:
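Review bot: the bound in `+ if (desc_len < sizeof(*desc) + desc->bNrInPins) {` compares the bytes left in the whole descriptor buffer, not this descriptor's own length, so a unit whose `bLength` is too small for its `bNrInPins` still passes whenever further descriptors follow it in `state->buffer`, and the `baSourceID[]` reads then run into the next descriptor. The comparison is also `int` against `size_t`, so a negative `desc_len` is converted to unsigned and passes as well. Checking `desc->bLength` against `sizeof(*desc) + desc->bNrInPins` instead, as the reply suggests, tests the length the device actually declared, and the two-line `(unsigned long)` pointer arithmetic can then go, since `snd_usb_find_desc()` already bounds `bLength` against the buffer.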
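Review bot: the check at `+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)` covers exactly the `baSourceID[0..bNrInPins-1]` range the commit message describes, but the protocol-specific fields read under the `switch (state->mixer->protocol)` that follows sit after the source ID array and are not covered by this minimum, so each case should still verify the length it needs. The silent `return -EINVAL` matches the two returns above it, but a `usb_audio_err(state->chip, ...)` naming `desc->bUnitID`, as in the original patch, would make a malformed device visible in the log.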
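Added example, not code from the thread or from sound/usb/mixer.c: a stand-alone C validator for the mixer unit descriptor layout quoted above. It shows the two checks the reply distinguishes (the buffer-boundary check on `bLength` that snd_usb_find_desc() is said to perform, and the `bLength` against `bNrInPins` check) beside the remaining-bytes comparison the original patch used, run over constructed descriptor bytes. The names `mu_validate`, `mu_remaining_ok`, `mu_sum_sources`, the `MU_*` status codes and the sample buffers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor layout quoted in the thread: five fixed bytes, then one
 * source ID per input pin. */
struct uac_mixer_unit_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bDescriptorSubtype;
	uint8_t bUnitID;
	uint8_t bNrInPins;
	uint8_t baSourceID[];
};

/* Offset of baSourceID[], i.e. the 5 fixed bytes. */
#define MU_HDR_LEN offsetof(struct uac_mixer_unit_descriptor, baSourceID)

/* Hypothetical status codes for this example. */
enum mu_status { MU_OK = 0, MU_TRUNCATED = -1, MU_BAD_LENGTH = -2 };

/* Check 1 mirrors what the reply attributes to snd_usb_find_desc(): the
 * descriptor's own bLength must fit inside the buffer it was read from.
 * Check 2 is the bLength-based test from the reply: the declared length
 * must cover the header plus every baSourceID[] entry the parser indexes. */
int mu_validate(const uint8_t *buf, size_t buflen, size_t off)
{
	const struct uac_mixer_unit_descriptor *desc;

	if (off > buflen || buflen - off < MU_HDR_LEN)
		return MU_TRUNCATED;
	desc = (const struct uac_mixer_unit_descriptor *)(buf + off);
	if (desc->bLength < MU_HDR_LEN || desc->bLength > buflen - off)
		return MU_TRUNCATED;
	if (desc->bLength < MU_HDR_LEN + desc->bNrInPins)
		return MU_BAD_LENGTH;
	return MU_OK;
}

/* The comparison the original patch used: bytes remaining in the whole
 * buffer from the descriptor start, regardless of bLength. Returns 1
 * when that test would let the descriptor through. */
int mu_remaining_ok(const uint8_t *buf, size_t buflen, size_t off)
{
	const struct uac_mixer_unit_descriptor *desc;

	if (off > buflen || buflen - off < MU_HDR_LEN)
		return 0;
	desc = (const struct uac_mixer_unit_descriptor *)(buf + off);
	return buflen - off >= MU_HDR_LEN + desc->bNrInPins;
}

/* Consumer that indexes baSourceID[0..bNrInPins-1]; it only runs after
 * mu_validate() succeeds, so the indexing stays in bounds. Returns the
 * sum of the source IDs, or the negative status on rejection. */
int mu_sum_sources(const uint8_t *buf, size_t buflen, size_t off)
{
	const struct uac_mixer_unit_descriptor *desc;
	int st = mu_validate(buf, buflen, off), sum = 0, i;

	if (st != MU_OK)
		return st;
	desc = (const struct uac_mixer_unit_descriptor *)(buf + off);
	for (i = 0; i < desc->bNrInPins; i++)
		sum += desc->baSourceID[i];
	return sum;
}

/* Constructed sample buffers (CS_INTERFACE 0x24, MIXER_UNIT subtype 0x04).
 * Real UAC1 mixer descriptors carry more fields after baSourceID; these
 * are kept minimal for the example. */
static const uint8_t mu_good[] = {
	0x08, 0x24, 0x04, 0x05, 0x03, 0x01, 0x02, 0x03 };
/* bLength 8 but bNrInPins 6; a 9-byte feature unit follows, so 17 bytes
 * remain in the buffer and the remaining-bytes test passes anyway. */
static const uint8_t mu_bad_pins[] = {
	0x08, 0x24, 0x04, 0x05, 0x06, 0x01, 0x02, 0x03,
	0x09, 0x24, 0x06, 0x06, 0x05, 0x00, 0x00, 0x00, 0x00 };
/* bLength 8 but only 6 bytes were read. */
static const uint8_t mu_truncated[] = { 0x08, 0x24, 0x04, 0x05, 0x03, 0x01 };

int main(void)
{
	printf("good: validate=%d sum=%d\n",
	       mu_validate(mu_good, sizeof(mu_good), 0),
	       mu_sum_sources(mu_good, sizeof(mu_good), 0));
	printf("bad pins: remaining_ok=%d validate=%d\n",
	       mu_remaining_ok(mu_bad_pins, sizeof(mu_bad_pins), 0),
	       mu_validate(mu_bad_pins, sizeof(mu_bad_pins), 0));
	printf("truncated: validate=%d\n",
	       mu_validate(mu_truncated, sizeof(mu_truncated), 0));
	return 0;
}
```

The `mu_bad_pins` buffer is the case the reply is getting at: the remaining-bytes test accepts it because another descriptor happens to follow, while the `bLength` test rejects it, which is why the declared length rather than the buffer remainder is the right thing to bound `bNrInPins` against.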