Date: Sat, 17 Aug 2019 08:55:32 +0200
From: Takashi Iwai
To: "Hui Peng"
Cc: "YueHaibing", "Thomas Gleixner", "Mathias Payer", "Jaroslav Kysela", "Takashi Iwai", "Wenwen Wang"
Subject: Re: [PATCH] Fix an OOB bug in uac_mixer_unit_bmControls
In-Reply-To: <20190817043208.12433-1-benquike@gmail.com>
References: <20190817043208.12433-1-benquike@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 17 Aug 2019 06:32:07 +0200, Hui Peng wrote:
>
> `uac_mixer_unit_get_channels` calls `uac_mixer_unit_bmControls`
> to get a pointer to the bmControls field. The current implementation of
> `uac_mixer_unit_get_channels` does properly check the size of
> uac_mixer_unit_descriptor descriptor and may allow OOB access
> in `uac_mixer_unit_bmControls`.
>
> Reported-by: Hui Peng
> Reported-by: Mathias Payer
> Signed-off-by: Hui Peng

Ah, a good catch.

One easier fix in this case would be to get the offset from
uac_mixer_unit_bmControls(), e.g.

	/* calculate the offset of bmControls field */
	size_t bmc_offset = uac_mixer_unit_bmControls(NULL, protocol) - NULL;
	....
	if (desc->bLength < bmc_offset)
		return 0;

thanks,

Takashi

> ---
> sound/usb/mixer.c | 25 ++++++++++++++++++-------
> 1 file changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index b5927c3d5bc0..00e6274a63c3 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -738,28 +738,39 @@ static int get_cluster_channels_v3(struct mixer_build *state, unsigned int clust > static int uac_mixer_unit_get_channels(struct mixer_build *state, > struct uac_mixer_unit_descriptor *desc) > { > - int mu_channels; > + int mu_channels = 0; > void *c; > > - if (desc->bLength < sizeof(*desc)) > - return -EINVAL; > if (!desc->bNrInPins) > return -EINVAL; > - if (desc->bLength < sizeof(*desc) + desc->bNrInPins) > - return -EINVAL; > > switch (state->mixer->protocol) { > case UAC_VERSION_1: > + // limit derived from uac_mixer_unit_bmControls > + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 4) > + return 0; > + > + mu_channels = uac_mixer_unit_bNrChannels(desc); > + break; > + > case UAC_VERSION_2: > - default: > - if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 1) > + // limit derived from uac_mixer_unit_bmControls > + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 6) > return 0; /* no bmControls -> skip */ > + > mu_channels = uac_mixer_unit_bNrChannels(desc); > break; > case UAC_VERSION_3: > + // limit derived from uac_mixer_unit_bmControls > + if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 2) > + return 0; /* no bmControls -> skip */ > + > mu_channels = get_cluster_channels_v3(state, > uac3_mixer_unit_wClusterDescrID(desc)); > break; > + > + default: > + break; > } > > if (!mu_channels) > -- > 2.22.1 > >
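Review bot: the hunk drops the `if (desc->bLength < sizeof(*desc)) return -EINVAL;` guard, so `desc->bNrInPins` (and every limit derived from it) is now read before the fixed header is known to lie inside the descriptor; keep that check ahead of the `bNrInPins` test. The three new length checks also stop one byte short of their stated purpose ("limit derived from uac_mixer_unit_bmControls"): with `<`, a descriptor whose bLength equals `sizeof(*desc) + desc->bNrInPins + 4` (or `+ 6`, `+ 2`) passes although the bmControls byte at exactly that offset is then past the end of the descriptor, so use `<=`, or better, account for the number of bmControls bytes that are actually consumed. Two smaller points: the new `default: break;` changes behaviour for unknown protocols, which previously shared the UAC_VERSION_2 path and now return 0, so the changelog should say so; and the `//` comments should be `/* */` per kernel style.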
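As an added example, not the kernel's code and not part of this thread, the following carries the offset-based check Takashi suggests through all three protocol versions, using the descriptor header layout and the +4/+6/+2 distances the patch relies on. The struct and function names are stand-ins for the kernel's, the sample descriptors are hand-built for the illustration, and the check also covers the fixed-header guard the hunk removes and the bLength-equals-offset edge case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol tags, standing in for the kernel's UAC_VERSION_* constants (assumed). */
enum { UAC_V1 = 1, UAC_V2 = 2, UAC_V3 = 3 };

/* Mixer unit descriptor header: a fixed 5-byte head, then bNrInPins source IDs,
 * then protocol-specific fields (modelled on the kernel's layout). */
struct mixer_unit_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint8_t bUnitID;
    uint8_t bNrInPins;
    uint8_t baSourceID[];
} __attribute__((packed));

/* Byte offset of bmControls from the start of the descriptor, per protocol.
 * The +4 / +6 / +2 distances are the ones the patch derives from the accessor. */
static int bmcontrols_offset(const struct mixer_unit_desc *d, int protocol)
{
    size_t base = offsetof(struct mixer_unit_desc, baSourceID) + d->bNrInPins;
    switch (protocol) {
    case UAC_V1: return (int)(base + 4);
    case UAC_V2: return (int)(base + 6);
    case UAC_V3: return (int)(base + 2);
    default:     return -1;   /* unknown protocol: refuse rather than guess */
    }
}

/* Returns a pointer to bmControls only if `need` bytes of it lie inside the
 * descriptor as declared by bLength (and inside the buffer); NULL otherwise. */
static const uint8_t *checked_bmcontrols(const uint8_t *buf, size_t buflen,
                                         int protocol, size_t need)
{
    const struct mixer_unit_desc *d = (const struct mixer_unit_desc *)buf;

    /* Do not touch bNrInPins before the fixed header is known to be present. */
    if (buflen < sizeof(*d) || d->bLength < sizeof(*d) || d->bLength > buflen)
        return NULL;
    if (d->bNrInPins == 0)
        return NULL;

    int off = bmcontrols_offset(d, protocol);
    if (off < 0)
        return NULL;

    /* A plain `bLength < off` test accepts bLength == off, which leaves zero
     * bytes of bmControls inside the descriptor; require the whole span read. */
    if ((size_t)off + need > d->bLength)
        return NULL;
    return buf + off;
}

/* Test helper: offset of the validated bmControls pointer, or -1 if rejected. */
static int check_sample(const uint8_t *buf, size_t len, int protocol, size_t need)
{
    const uint8_t *p = checked_bmcontrols(buf, len, protocol, need);
    return p ? (int)(p - buf) : -1;
}

/* Constructed sample descriptors (hand-built, not captured from hardware).
 * Bytes: bLength, bDescriptorType, bDescriptorSubtype, bUnitID, bNrInPins,
 * baSourceID[bNrInPins], then the protocol-specific fields. */
static const uint8_t sample_v1_ok[] = {
    12, 0x24, 0x04, 0x09, 2, 0x01, 0x02,  /* header + two source IDs         */
    0x02, 0x03, 0x00, 0x00,               /* bNrChannels, wChannelConfig, iChannelNames */
    0x80                                  /* first bmControls byte, offset 11 */
};
/* Same as above but bLength == bmControls offset: no bmControls inside. */
static const uint8_t sample_v1_edge[] = {
    11, 0x24, 0x04, 0x09, 2, 0x01, 0x02, 0x02, 0x03, 0x00, 0x00
};
/* UAC2, one input pin: bNrChannels, 4-byte bmChannelConfig, iChannelNames, then bmControls at 12. */
static const uint8_t sample_v2_ok[] = {
    13, 0x24, 0x04, 0x09, 1, 0x01, 0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0xC0
};
/* UAC3, one input pin: 2-byte wClusterDescrID, then bmControls at 8. */
static const uint8_t sample_v3_ok[] = {
    9, 0x24, 0x04, 0x09, 1, 0x01, 0x10, 0x00, 0xAA
};
/* bLength smaller than the fixed header: bNrInPins must never be read. */
static const uint8_t sample_truncated[] = { 3, 0x24, 0x04 };

int main(void)
{
    printf("v1 ok        -> %d\n", check_sample(sample_v1_ok, sizeof sample_v1_ok, UAC_V1, 1));
    printf("v1 edge      -> %d\n", check_sample(sample_v1_edge, sizeof sample_v1_edge, UAC_V1, 1));
    printf("v2 ok        -> %d\n", check_sample(sample_v2_ok, sizeof sample_v2_ok, UAC_V2, 1));
    printf("v3 ok (1B)   -> %d\n", check_sample(sample_v3_ok, sizeof sample_v3_ok, UAC_V3, 1));
    printf("v3 ok (4B)   -> %d\n", check_sample(sample_v3_ok, sizeof sample_v3_ok, UAC_V3, 4));
    printf("truncated    -> %d\n", check_sample(sample_truncated, sizeof sample_truncated, UAC_V1, 1));
    return 0;
}
```

The `need` argument is the part the thread's `bLength < offset` comparisons leave out: a caller that walks several bmControls bytes passes that count, and the check then bounds the whole read rather than only its first byte.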