From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hui Peng <benquike@gmail.com>,
Mathias Payer <mathias.payer@nebelwelt.net>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.14 17/57] ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
Date: Wed, 4 Sep 2019 19:53:45 +0200
Message-ID: <20190904175303.653360419@linuxfoundation.org>
In-Reply-To: <20190904175301.777414715@linuxfoundation.org>
From: Hui Peng <benquike@gmail.com>
commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.
`check_input_term` recursively calls itself with input from the
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as its argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
an endless recursive call, resulting in a kernel space stack overflow.
This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has already been checked (similar to how parse_audio_unit handles the
unitid argument).
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -82,6 +82,7 @@ struct mixer_build {
unsigned char *buffer;
unsigned int buflen;
DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
+ DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
struct usb_audio_term oterm;
const struct usbmix_name_map *map;
const struct usbmix_selector_map *selector_map;
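Review bot: the new termbitmap field should carry a one-line comment saying it records the ids visited by a single check_input_term() walk and is cleared by that wrapper, because its lifetime is not obvious from the declaration alone and differs from what a reader may assume for the neighbouring unitbitmap. Declaring it with the same MAX_ID_ELEMS size as unitbitmap is the right choice, since both are indexed by the same descriptor id range.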
@@ -716,15 +717,24 @@ static int get_term_name(struct mixer_bu
* parse the source unit recursively until it reaches to a terminal
* or a branched unit.
*/
-static int check_input_term(struct mixer_build *state, int id,
+static int __check_input_term(struct mixer_build *state, int id,
struct usb_audio_term *term)
{
int err;
void *p1;
+ unsigned char *hdr;
memset(term, 0, sizeof(*term));
- while ((p1 = find_audio_control_unit(state, id)) != NULL) {
- unsigned char *hdr = p1;
+ for (;;) {
+ /* a loop in the terminal chain? */
+ if (test_and_set_bit(id, state->termbitmap))
+ return -EINVAL;
+
+ p1 = find_audio_control_unit(state, id);
+ if (!p1)
+ break;
+
+ hdr = p1;
term->id = id;
switch (hdr[2]) {
case UAC_INPUT_TERMINAL:
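Review bot: the comment block above the renamed function ("parse the source unit recursively until it reaches to a terminal or a branched unit") still documents the public entry point; now that check_input_term() is a wrapper, it should state that __check_input_term() expects state->termbitmap to be initialised by the caller and must only be entered through check_input_term() or recursively from itself. Two smaller points in the same hunk: `id` is a plain int derived from descriptor bytes and is passed straight to test_and_set_bit() as a bit index with no range check against MAX_ID_ELEMS here, so the safety of the bitmap access rests on every caller keeping id below that bound, which deserves an explicit check or at least a comment; and the memset(term, 0, sizeof(*term)) kept at the top duplicates the one the new wrapper performs. The ordering of the new loop is right: the id is marked before find_audio_control_unit() is called, so an id with no descriptor is still recorded, and the -EINVAL for a repeated id is reached before any recursion can happen.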
@@ -739,7 +749,7 @@ static int check_input_term(struct mixer
/* call recursively to verify that the
* referenced clock entity is valid */
- err = check_input_term(state, d->bCSourceID, term);
+ err = __check_input_term(state, d->bCSourceID, term);
if (err < 0)
return err;
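Review bot: the recursion for the referenced clock entity correctly targets __check_input_term() rather than the wrapper; calling check_input_term() here would clear termbitmap on entry, and a terminal whose bCSourceID points back at its own id would recurse without bound again. A short comment at this call site saying the bitmap is intentionally shared with the caller would keep a later cleanup from switching it back to the public name.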
@@ -771,7 +781,7 @@ static int check_input_term(struct mixer
case UAC2_CLOCK_SELECTOR: {
struct uac_selector_unit_descriptor *d = p1;
/* call recursively to retrieve the channel info */
- err = check_input_term(state, d->baSourceID[0], term);
+ err = __check_input_term(state, d->baSourceID[0], term);
if (err < 0)
return err;
term->type = d->bDescriptorSubtype << 16; /* virtual type */
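Review bot: as in the clock-source case, the recursive call shares the caller's termbitmap, so a selector whose first input refers to an id already on the chain now returns -EINVAL instead of looping; that is the intended behaviour. Nothing in this hunk shows that the selector descriptor has at least one input pin before baSourceID[0] is read; confirm that the descriptor length validation performed elsewhere covers that case, or add the check next to the read.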
@@ -818,6 +828,15 @@ static int check_input_term(struct mixer
return -ENODEV;
}
+
+static int check_input_term(struct mixer_build *state, int id,
+ struct usb_audio_term *term)
+{
+ memset(term, 0, sizeof(*term));
+ memset(state->termbitmap, 0, sizeof(state->termbitmap));
+ return __check_input_term(state, id, term);
+}
+
/*
* Feature Unit
*/
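Review bot: the wrapper resets termbitmap on every top-level call, so the visited set is scoped to one walk and an entity legitimately reached from two different top-level calls is not misreported as a loop; that is the right scope. The memset(term, 0, sizeof(*term)) in the wrapper is redundant with the identical memset at the top of __check_input_term(), which the recursive calls rely on anyway, so the wrapper only needs to clear the bitmap. The function comment should also mention that -EINVAL now additionally signals a cyclic source chain.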