From: Hui Peng
To: security@kernel.org
Cc: Hui Peng, Mathias Payer, Jaroslav Kysela, Takashi Iwai, Wenwen Wang, Thomas Gleixner, YueHaibing, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Fix an OOB bug in uac_mixer_unit_bmControls
Date: Sat, 17 Aug 2019 00:32:07 -0400
Message-Id: <20190817043208.12433-1-benquike@gmail.com>
X-Mailer: git-send-email 2.22.1
X-Mailing-List: linux-kernel@vger.kernel.org

`uac_mixer_unit_get_channels` calls `uac_mixer_unit_bmControls` to get a pointer to the bmControls field. The current implementation of `uac_mixer_unit_get_channels` does properly check the size of the uac_mixer_unit_descriptor descriptor and may allow OOB access in `uac_mixer_unit_bmControls`.

Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
 sound/usb/mixer.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index b5927c3d5bc0..00e6274a63c3 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -738,28 +738,39 @@ static int get_cluster_channels_v3(struct mixer_build *state, unsigned int clust static int uac_mixer_unit_get_channels(struct mixer_build *state, struct uac_mixer_unit_descriptor *desc) { - int mu_channels; + int mu_channels = 0; void *c; - if (desc->bLength < sizeof(*desc)) - return -EINVAL; if (!desc->bNrInPins) return -EINVAL; - if (desc->bLength < sizeof(*desc) + desc->bNrInPins) - return -EINVAL; switch (state->mixer->protocol) { case UAC_VERSION_1: + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 4) + return 0; + + mu_channels = uac_mixer_unit_bNrChannels(desc); + break; + case UAC_VERSION_2: - default: - if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 1) + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 6) return 0; /* no bmControls -> skip */ + mu_channels = uac_mixer_unit_bNrChannels(desc); break; case UAC_VERSION_3: + // limit derived from uac_mixer_unit_bmControls + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 2) + return 0; /* no bmControls -> skip */ + mu_channels = get_cluster_channels_v3(state, uac3_mixer_unit_wClusterDescrID(desc)); break; + + default: + break; } if (!mu_channels) -- 2.22.1
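Review bot: the removed `if (desc->bLength < sizeof(*desc)) return -EINVAL;` guard was the only check protecting the `desc->bNrInPins` read that follows it, and the new per-protocol length checks all run after that read, so a descriptor shorter than the fixed header is now dereferenced before any size is validated; keep the minimal-size check ahead of `if (!desc->bNrInPins)`. The three new comparisons also need to be checked against the byte uac_mixer_unit_bmControls actually returns: if 4, 6 and 2 are the index of bmControls within baSourceID (which the `limit derived from uac_mixer_unit_bmControls` comments suggest), a descriptor whose bLength is exactly `sizeof(*desc) + desc->bNrInPins + 4` passes the `<` test while its bmControls byte sits at offset bLength, one past the end; compare with `<=` or add 1 to each limit. Minor: kernel coding style wants `/* ... */` rather than `//` comments, the UAC_VERSION_1 branch lacks the `/* no bmControls -> skip */` remark the other two carry, and `void *c;` is now declared without any use visible in the hunk.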
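As an added example (not code from the patch or from the kernel tree), the length check the commit message is about, modelled in user space: a bounds-checked accessor hands out the bmControls pointer only when that byte lies inside the descriptor, and is tried against a constructed UAC1 descriptor whose bLength is shrunk. It assumes the struct uac_mixer_unit_descriptor layout and UAC_VERSION_* values of the kernel's USB audio headers and reuses the +4/+6/+2 bmControls offsets the patch itself relies on; unlike the patch it rejects with `<=`, so an offset equal to bLength counts as out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { UAC_VERSION_1 = 0x00, UAC_VERSION_2 = 0x20, UAC_VERSION_3 = 0x30 }; /* assumed values */
/* Assumed layout of struct uac_mixer_unit_descriptor: 5 fixed bytes, then
 * bNrInPins source IDs, then the protocol-specific tail holding bmControls. */
struct uac_mixer_unit_descriptor {
    uint8_t bLength;            /* total size claimed by the device */
    uint8_t bDescriptorType, bDescriptorSubtype, bUnitID;
    uint8_t bNrInPins;
    uint8_t baSourceID[];       /* bNrInPins entries, then bNrChannels etc. */
} __attribute__((packed));

/* Index of bmControls inside baSourceID[]: the +4 / +6 / +2 the patch uses. */
static int bmcontrols_index(const struct uac_mixer_unit_descriptor *desc, int protocol)
{
    switch (protocol) {
    case UAC_VERSION_1: return desc->bNrInPins + 4;
    case UAC_VERSION_2: return desc->bNrInPins + 6;
    case UAC_VERSION_3: return desc->bNrInPins + 2;
    default:            return -1;
    }
}

/* Pointer to bmControls only when that byte lies inside both bLength and the
 * buffer; note the <=, an offset equal to bLength is already past the end. */
const uint8_t *safe_bmcontrols(const void *buf, size_t buf_len, int protocol)
{
    const struct uac_mixer_unit_descriptor *desc = buf;
    if (buf_len < sizeof(*desc) || desc->bLength < sizeof(*desc) ||
        desc->bLength > buf_len || desc->bNrInPins == 0)
        return NULL;
    int idx = bmcontrols_index(desc, protocol);
    if (idx < 0 || (size_t)desc->bLength <= sizeof(*desc) + (size_t)idx)
        return NULL;
    return &desc->baSourceID[idx];
}
/* Constructed UAC1 mixer unit: 2 input pins, bmControls (0x80) at offset 11. */
const uint8_t sample_uac1[13] = { 13, 0x24, 0x04, 0x09, 2, 0x01, 0x02, 2, 0x03, 0x00, 0x00, 0x80, 0x00 };
/* Re-check a copy with bLength overridden (a device advertising a shorter
 * descriptor); returns 1 when bmControls is reachable, 0 when rejected. */
int probe_with_blength(const uint8_t *src, size_t len, uint8_t blength, int protocol)
{
    uint8_t buf[64];
    if (len > sizeof(buf)) return -1;
    memcpy(buf, src, len);
    buf[0] = blength;
    return safe_bmcontrols(buf, len, protocol) != NULL;
}
```

With bLength 11 the patch's `<` test would still accept the descriptor although bmControls sits at offset 11; the accessor above rejects it.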