Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1258679ybl; Fri, 30 Aug 2019 14:48:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqxfq67RVLKM4WQOHfloCtxJ7RVAXDbpGu6dCi4VFRbaoY5ebY8dMBE+/hNvzDb+ctg25Hu9 X-Received: by 2002:a17:902:1c7:: with SMTP id b65mr17549060plb.313.1567201713151; Fri, 30 Aug 2019 14:48:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567201713; cv=none; d=google.com; s=arc-20160816; b=R7RkCZpMlCr9OqoCCoYnIvn2pBbWNQRTII5akMD0JiXVWC2g62/a55uxjafhYGVeB3 gxgKVRtz1ijMsCKlMo0ITHw7wFZCoRThXKfB8zYvFhQTvb8LNeC/eDfFNUw6t55MUAY8 GHbBmfWb3kztPBCvK/ljeNwtjv14sUm88XA9Hm08Od3D+fFF94C2anIVEXuCZ7ra6q+R jOPFI1iwdhTedXZYT+xCJu8v7OWGFYZoTbMbxQnZaQoUXQwmxP5VssHOT+/mu3NLy+C4 r/Ca+YdRAmYgq6V53da4qw9ADpu+EJhZtDbQ6y8XuYsAhI7tu95NANn9WhxGxrIyVXxo hgEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=Zobn1PfaWdiFKh+2AJisvXaXaN9Pv4+pvGnHv+s5H4g=; b=PJCaRmpCsM1TjwhoLRPB55ifF59/wyRY6o6GG8xzU5IYV0TyqZC2VMYPOPednhn4UY zo+sAqT1wiLTl/f9QlZmbuI9i1CngHN/aHcNqPoVhxLNeyeOyMv7ut1FevIQwfSVqijc Z2hp+sqnSUgsb9OoKoX4aGqA/mw3jJJMdZbTYDVH4kOZBJcmXus9tXNctXE/WpRAgAJf X0ZtC90V4MQ2ih995KAIgzRt87kaNX6+3Jmq1g99+cwjZdOkPEcMDG1lruuJ1VTPbI9b HqIufBj1uwpGTKOMg9lfWP5SwhU3f+6FkOuI1ypgy1yYgGKQLNNuk3BQr13Gv/LEzmlp NOqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PqoH0U6M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id br18si5660488pjb.52.2019.08.30.14.48.18; Fri, 30 Aug 2019 14:48:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PqoH0U6M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728194AbfH3VrS (ORCPT + 99 others); Fri, 30 Aug 2019 17:47:18 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:37585 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727304AbfH3VrR (ORCPT ); Fri, 30 Aug 2019 17:47:17 -0400 Received: by mail-io1-f66.google.com with SMTP id r4so1807495iop.4; Fri, 30 Aug 2019 14:47:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Zobn1PfaWdiFKh+2AJisvXaXaN9Pv4+pvGnHv+s5H4g=; b=PqoH0U6MfwrpAsH2I8tyCEQptXVIiBeTnOsXbU8Ar8ranL1XpLus6OwSuKVJ3vvw1t NyOIEgheKhfIOyWmzehIPpcCMBCbnVBmqAVaIYK8uOQz9qbtKYu743+vuP5K3vLLB86u 92/oafOaYMZXZ6I/YRq9y0ful6k7Y4g0CFxQwnrPo4oQFzD45FVBN0X23i9z6JCYEP4v 0AGR2TKK1ckUBolAcqZvVz2e/uzlYquJb61tIlX7sV6wqla4vfB8rVCR9x432k+17SsJ cTIu4QtXSiaGkEKed2pxOdm30n1pukvCPAAew81YizAWchrT7FrirRpuA84mqm1+0Jyw fDRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Zobn1PfaWdiFKh+2AJisvXaXaN9Pv4+pvGnHv+s5H4g=; b=QLRyj++d9O9UP47p/4OFHiKpcUMkPLJcWwKpKHUlg9H/hRw37mdcqVzgxy6v5bcnXG Y4aIwtX76XzT3fePR0Asr8XAmjhe7q7oFFHvjmPmzSoZjN7rD+vScYoUAnDrxF3eACoY ncuvEpjLKBTVzT7gweiBy+qtYc7PvwY1493DTiz8epK0amItFnCMeg2FzJP267d7ZhHt Tc5W0f034aYeDZjq9TAvJVDrxfrWUpsQJ8Hc6ZxfhrcBn2Cuiw9uUDGOqEgspAZmbBv8 pvgqa3MNZctjv/i3pPgxs7LCqGFl5WJASBMLdb9pBjJipD1yT0HsgvyCRGmM13pfvvkf QM+A== X-Gm-Message-State: APjAAAVH0zCaRGdvwaPtQ5OVdoRgA95qXzcxF4JGcxO4C+/5Mh5JRuPb suzo/DQ7u4uHNzdm4sBUkg8cOkeVm/kWeA== X-Received: by 2002:a02:c992:: with SMTP id b18mr18578961jap.128.1567201636655; Fri, 30 Aug 2019 14:47:16 -0700 (PDT) Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27]) by smtp.googlemail.com with ESMTPSA id m10sm5951564ioj.75.2019.08.30.14.47.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Aug 2019 14:47:16 -0700 (PDT) From: Hui Peng To: stable@vger.kernel.org Cc: Hui Peng , Mathias Payer , Jaroslav Kysela , Takashi Iwai , Greg Kroah-Hartman , Wenwen Wang , alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit Date: Fri, 30 Aug 2019 17:46:49 -0400 Message-Id: <20190830214649.27761-1-benquike@gmail.com> X-Mailer: git-send-email 2.23.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2018-15117 Reported-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1