Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp1021782ybe; Wed, 4 Sep 2019 11:16:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqw+gAgHhOOa9dWQ5zweMbyhyGyaUKXCMgqI99dIV7uwlSlIID0i/s3XYalbGLwHSWbFPby2 X-Received: by 2002:a63:7a01:: with SMTP id v1mr20512018pgc.310.1567620970733; Wed, 04 Sep 2019 11:16:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567620970; cv=none; d=google.com; s=arc-20160816; b=pK5gd7ZA4RGGqi878BRgDoZYcvsnR/9QPwqsMhgFBjIVBNOoS5p0rB09yhZeCchK7j 3U5i0ZeyNTKKF0l6poozgzgwUD0UguwuZ+Ba3O0VpAV8KsvJklJnTGUDDObFKntrWCDZ 6fWzF2bSwPMkB4fkbCnvWvB/uEWFdSfXQf3ycjE3iVZpnlS7y8/wjLZzlfdc4lcr0otM pwzRbfmaw/AFXuRIfZh5nz940bYfYZxyTKo+6Y8V9sGJDBkLKj1jQLyiW0kjwl618RhY VKYKHE2W0KB4tGfhk26OvsOFq/+dYrCl544/6mF3k7kPYj3Dbcgp+lr1ezRGyu9m9jQl dezQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=nHf/8JD0GiyKm101easZYpmaqy4jsYKLRf7uxLiwsKQ=; b=i/EqbjvwR3Yzr8sgJKZlY75I+73vANkr7QbVK+NYmsa5lqPONgqAhSdzOGpyZArRnJ 3yvYs9GJeqbol1Z7YsX3N0hq1mMH0fLODn/JbBfxT9xKMmxT6PsO4XB0UOf61q9/6y2d 8pdmtCsnKTmhzoZR9ZFfnR5M2q2NAJqMPt7MB/M2KDuWZHud+KkEEKjVmWPGYPMBPWOa o7nefkYBtBMRKvJxoFcJFaq9vuEnN5994Ay1vRf+JHBRnOwOK1M5jYHz7G6GrYGg/JFf 7OsiUZjjT8nyl+ogpote41Q0pq9stnTJZw3uhv8Ckck1EVd4llMZ6XSq9xu82Op3lLG0 PLpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=C4e2PVWZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 90si18762031ple.168.2019.09.04.11.15.55; Wed, 04 Sep 2019 11:16:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=C4e2PVWZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390679AbfIDSN0 (ORCPT + 99 others); Wed, 4 Sep 2019 14:13:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:58254 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390669AbfIDSNY (ORCPT ); Wed, 4 Sep 2019 14:13:24 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1E40E22CEA; Wed, 4 Sep 2019 18:13:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1567620803; bh=T6X5eR2XhJprV6XznDa1AjWyiWhDWpBUUCRPWS0OZuc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=C4e2PVWZVujLx4kOzCzz7FpEcJpX2JWoUsE2S/E/DRZyGmkYffRmU5eyQ+u1V4eyv 1b8OKXFAYeZudyR37vcJN9CtJW5U3V/PwhKaMVyW915bVztwP83xLmzxg0nxUM/d24 metUte/chnmJy3GWqoR2k5Jikk+RArsC6yjXRRmg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 5.2 060/143] ALSA: usb-audio: Check mixer unit bitmap yet more strictly Date: Wed, 4 Sep 2019 19:53:23 +0200 Message-Id: <20190904175316.421126487@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190904175314.206239922@linuxfoundation.org> References: <20190904175314.206239922@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takashi Iwai commit f9f0e9ed350e15d51ad07364b4cf910de50c472a upstream. The bmControls (for UAC1) or bmMixerControls (for UAC2/3) bitmap has a variable size depending on both input and output pins. Its size is to fit with input * output bits. The problem is that the input size can't be determined simply from the unit descriptor itself but it needs to parse the whole connected sources. Although the uac_mixer_unit_get_channels() tries to check some possible overflow of this bitmap, it's incomplete due to the lack of the evaluation of input pins. For covering possible overflows, this patch adds the bitmap overflow check in the loop of input pins in parse_audio_mixer_unit(). Fixes: 0bfe5e434e66 ("ALSA: usb-audio: Check mixer unit descriptors more strictly") Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/mixer.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -739,7 +739,6 @@ static int uac_mixer_unit_get_channels(s struct uac_mixer_unit_descriptor *desc) { int mu_channels; - void *c; if (desc->bLength < sizeof(*desc)) return -EINVAL; @@ -762,13 +761,6 @@ static int uac_mixer_unit_get_channels(s break; } - if (!mu_channels) - return 0; - - c = uac_mixer_unit_bmControls(desc, state->mixer->protocol); - if (c - (void *)desc + (mu_channels - 1) / 8 >= desc->bLength) - return 0; /* no bmControls -> skip */ - return mu_channels; } @@ -2009,6 +2001,31 @@ static int parse_audio_feature_unit(stru * Mixer Unit */ +/* check whether the given in/out overflows bmMixerControls matrix */ +static bool mixer_bitmap_overflow(struct uac_mixer_unit_descriptor *desc, + int protocol, int num_ins, int num_outs) +{ + u8 *hdr = (u8 *)desc; + u8 *c = uac_mixer_unit_bmControls(desc, protocol); + size_t rest; /* remaining bytes after bmMixerControls */ + + switch (protocol) { + case UAC_VERSION_1: + default: + rest = 1; /* iMixer */ + break; + case UAC_VERSION_2: + rest = 2; /* bmControls + iMixer */ + break; + case UAC_VERSION_3: + rest = 6; /* bmControls + wMixerDescrStr */ + break; + } + + /* overflow? */ + return c + (num_ins * num_outs + 7) / 8 + rest > hdr + hdr[0]; +} + /* * build a mixer unit control * @@ -2137,6 +2154,9 @@ static int parse_audio_mixer_unit(struct if (err < 0) return err; num_ins += iterm.channels; + if (mixer_bitmap_overflow(desc, state->mixer->protocol, + num_ins, num_outs)) + break; for (; ich < num_ins; ich++) { int och, ich_has_controls = 0;