Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3127968ybl; Sun, 1 Sep 2019 07:01:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqw/ICZGyFfX2uznrzG1hqdHZQbjN/j4YiSOP/4ZccRaCx3wu2cZjxk6rrTT2m+SafP0uiAx X-Received: by 2002:a62:524a:: with SMTP id g71mr709784pfb.154.1567346467702; Sun, 01 Sep 2019 07:01:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567346467; cv=none; d=google.com; s=arc-20160816; b=v/WNOWsu2GC7ITVDH8L087OQyYDjd77H7nodHt2qNjIwHN2gW+j5pRsRPKlxY21eX5 sC4QyXqIPb3F4dkPXrw2RgFK3bM+L1b8AkEjh+9auBeHoLjzKarv0BcM8mqtjO7Tdf4C kKA6DvCpqa+5Np+VVzgmnvEin36obfcSA3FXO8YG9OVnm6kskWwkFKdaM22QX00+i4PC mDYN/zYOocAHLY9VBwKjPAw35hfxLBFLxbRIfG/R6I+Hj1Rx2yTQkacrdqWsVAJlGcb0 hzlZYRLG2OBENkxnN4jTX3as7DkaEIK4ZVKr3SZGKMumNG6asAXE9TvkpfMwOnjM3Gw9 cs3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=UxrLHy0xZer5ID4RHyuCqHzVGteGB4HlcmZdUjqBSL4=; b=xQTVaR1T/BQ4/9xHFhSwHPyItnP3dsuIKjeqwQvLC/5YLdllFCz499VLTk7isYJt9F kz2FxBD8StKQnL09Y8PNxCsJ4Ju9RHoR2f2ywWc7KbggdD9Eh0nkwnHX17lPkMAfds2K bFW7r9CsKKjZ1iy2U+NBHiGVYpsbMsUm8WwlkqdQOD1kLDixuZziB0oGSS80DZ3iQDMw qeNI/pMvvMSzKQkmUAZ9/pA2Vu41ol7FOEHbcuWBAApdstFODevbJAm7RhBeSbqPSlNX GzApaDtxIJW5743NdLsqvMdMg0e53qHuhvtyYxLxDhDmtCDaf4Vn8q39aeh/YbIV1hzR 2fEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=mFFi1AKP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x14si8638402plm.44.2019.09.01.07.00.51; Sun, 01 Sep 2019 07:01:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=mFFi1AKP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728873AbfIAM6O (ORCPT + 99 others); Sun, 1 Sep 2019 08:58:14 -0400 Received: from mail-wm1-f65.google.com ([209.85.128.65]:36324 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728756AbfIAM6N (ORCPT ); Sun, 1 Sep 2019 08:58:13 -0400 Received: by mail-wm1-f65.google.com with SMTP id p13so11968095wmh.1; Sun, 01 Sep 2019 05:58:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=UxrLHy0xZer5ID4RHyuCqHzVGteGB4HlcmZdUjqBSL4=; b=mFFi1AKPSaWngSR9jtj9CgHSiMvJGrF/gJcubSZhAcKoIP8k1Tn8h0Xb2H4MMpoY98 ATkbzsIdx1azRsSUQ70wuqo1zjiARoeps830lySXrbXba0w/4YFfdVhXcwZWkp0fwtZ6 4WglBbXxLbyMehj5WsfIYCts15phqU9Ikqg/BP4/TfHTzcM2JNPQJypm7uNUOziVH0sZ fXFLOcK+r3mR7aLL1ySTmKoDMh11++IJL8l6Zqo6fsPJK95dJqStyWxcu8GDibJGBIRl JWlw3CgAMpfVSNAYHeq22BCm/95o+gxuBq72xJamkbYhxobYL6BUwc31VcC7CDbf30pO kV1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=UxrLHy0xZer5ID4RHyuCqHzVGteGB4HlcmZdUjqBSL4=; b=t4TwZcwUgeqOariipRNDuQNkUzdmZCWcaS6cDkh05G+dz+iSgX0r4KVXde1li3yh1j nME+s169KuKcNYYioJj4stPVQYkqjbI6x4sBOwvFPKSK6eALCQ9PMbXjm7WNoJ+MiSIV 9H4NGrK/j0Zhb3Gr5Y97ELAfW1aGChyMqnJf+aI3PZ7R4/Rk1ypc3MLLsw0RzTw3QtwG 0myFIIguKRmi5tAPTGhNs3MYNOa/zVewX8lpT2xaSXD1ToHbF2yYS0YfepkBnKeb8j9D mUVhDSDfXia5YXlcrNlPKnNuQ38BSpiAV2mlHQAUnZHeZRy/sMluz4xCS/GZcWNVrU+I TMVw== X-Gm-Message-State: APjAAAXnTwWVRJsq+stAV2uEYYSHi8vqmwX4GrGo82yJA+VjQsdGiNg4 Zn4VbICbhwIEyBr+13A0liSBcx+lAts= X-Received: by 2002:a7b:cb8e:: with SMTP id m14mr30808692wmi.10.1567342691150; Sun, 01 Sep 2019 05:58:11 -0700 (PDT) Received: from eldamar (host85-134-dynamic.30-79-r.retail.telecomitalia.it. [79.30.134.85]) by smtp.gmail.com with ESMTPSA id r190sm15294524wmf.0.2019.09.01.05.58.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 01 Sep 2019 05:58:09 -0700 (PDT) Date: Sun, 1 Sep 2019 14:58:09 +0200 From: Salvatore Bonaccorso To: Hui Peng Cc: stable@vger.kernel.org, Mathias Payer , Jaroslav Kysela , Takashi Iwai , Greg Kroah-Hartman , Wenwen Wang , alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit Message-ID: <20190901125809.GA23334@eldamar.local> References: <20190830214649.27761-1-benquike@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190830214649.27761-1-benquike@gmail.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: > The `uac_mixer_unit_descriptor` shown as below is read from the > device side. In `parse_audio_mixer_unit`, `baSourceID` field is > accessed from index 0 to `bNrInPins` - 1, the current implementation > assumes that descriptor is always valid (the length of descriptor > is no shorter than 5 + `bNrInPins`). If a descriptor read from > the device side is invalid, it may trigger out-of-bound memory > access. > > ``` > struct uac_mixer_unit_descriptor { > __u8 bLength; > __u8 bDescriptorType; > __u8 bDescriptorSubtype; > __u8 bUnitID; > __u8 bNrInPins; > __u8 baSourceID[]; > } > ``` > > This patch fixes the bug by add a sanity check on the length of > the descriptor. > > CVE: CVE-2018-15117 FWIW, the correct CVE id should be probably CVE-2019-15117 here. But there was already a patch queued and released in 5.2.10 and 4.19.68 for this issue (as far I can see; is this correct?) Regards, Salvatore