* [bug report] ALSA: usb: initial USB Audio Device Class 3.0 support
@ 2018-10-12 13:48 Dan Carpenter
2018-10-12 13:51 ` Dan Carpenter
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2018-10-12 13:48 UTC (permalink / raw)
To: ruslan.bilovol; +Cc: alsa-devel
Hello Ruslan Bilovol,
The patch 9a2fe9b801f5: "ALSA: usb: initial USB Audio Device Class
3.0 support" from Mar 21, 2018, leads to the following static checker
warning:
sound/usb/stream.c:971 snd_usb_get_audioformat_uac3()
warn: potentially allocating too little. 7 vs 1
sound/usb/stream.c
943 /*
944 * Get number of channels and channel map through
945 * High Capability Cluster Descriptor
946 *
947 * First step: get High Capability header and
948 * read size of Cluster Descriptor
949 */
950 err = snd_usb_ctl_msg(chip->dev,
951 usb_rcvctrlpipe(chip->dev, 0),
952 UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
953 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
954 cluster_id,
955 snd_usb_ctrl_intf(chip),
956 &hc_header, sizeof(hc_header));
^^^^^^^^^^
It looks like this comes from the USB (untrusted).
957 if (err < 0)
958 return ERR_PTR(err);
959 else if (err != sizeof(hc_header)) {
960 dev_err(&dev->dev,
961 "%u:%d : can't get High Capability descriptor\n",
962 iface_no, altno);
963 return ERR_PTR(-EIO);
964 }
965
966 /*
967 * Second step: allocate needed amount of memory
968 * and request Cluster Descriptor
969 */
970 wLength = le16_to_cpu(hc_header.wLength);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
My private build of Smatch complains that all le16_to_cpu() data
probably comes from untrusted sources.
971 cluster = kzalloc(wLength, GFP_KERNEL);
^^^^^^^
Maybe we're not allocating enough bytes for the cluster struct (8 bytes).
972 if (!cluster)
973 return ERR_PTR(-ENOMEM);
974 err = snd_usb_ctl_msg(chip->dev,
975 usb_rcvctrlpipe(chip->dev, 0),
976 UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
977 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
978 cluster_id,
979 snd_usb_ctrl_intf(chip),
980 cluster, wLength);
981 if (err < 0) {
982 kfree(cluster);
983 return ERR_PTR(err);
984 } else if (err != wLength) {
985 dev_err(&dev->dev,
986 "%u:%d : can't get Cluster Descriptor\n",
987 iface_no, altno);
988 kfree(cluster);
989 return ERR_PTR(-EIO);
990 }
991
992 num_channels = cluster->bNrChannels;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
993 chmap = convert_chmap_v3(cluster);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This code assumes that cluster is large enough without checking.
994 kfree(cluster);
995
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] ALSA: usb: initial USB Audio Device Class 3.0 support
2018-10-12 13:48 [bug report] ALSA: usb: initial USB Audio Device Class 3.0 support Dan Carpenter
@ 2018-10-12 13:51 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2018-10-12 13:51 UTC (permalink / raw)
To: ruslan.bilovol; +Cc: alsa-devel
On Fri, Oct 12, 2018 at 04:48:23PM +0300, Dan Carpenter wrote:
> 966 /*
> 967 * Second step: allocate needed amount of memory
> 968 * and request Cluster Descriptor
> 969 */
> 970 wLength = le16_to_cpu(hc_header.wLength);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> My private build of Smatch complains that all le16_to_cpu() data
> probably comes from untrusted sources.
>
> 971 cluster = kzalloc(wLength, GFP_KERNEL);
> ^^^^^^^
> Maybe we're not allocating enough bytes for the cluster struct (8 bytes).
>
> 972 if (!cluster)
> 973 return ERR_PTR(-ENOMEM);
> 974 err = snd_usb_ctl_msg(chip->dev,
> 975 usb_rcvctrlpipe(chip->dev, 0),
> 976 UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
> 977 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
> 978 cluster_id,
> 979 snd_usb_ctrl_intf(chip),
> 980 cluster, wLength);
^^^^^^^
Also I just wanted to note as well that cluser->wLength is set by the
USB device here and we don't have a good reason to assume it's valid.
> 981 if (err < 0) {
> 982 kfree(cluster);
> 983 return ERR_PTR(err);
> 984 } else if (err != wLength) {
> 985 dev_err(&dev->dev,
> 986 "%u:%d : can't get Cluster Descriptor\n",
> 987 iface_no, altno);
> 988 kfree(cluster);
> 989 return ERR_PTR(-EIO);
> 990 }
> 991
> 992 num_channels = cluster->bNrChannels;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 993 chmap = convert_chmap_v3(cluster);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
But we trust it in convert_chmap_v3() so that's a second potential out
of bounds.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-10-12 13:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-12 13:48 [bug report] ALSA: usb: initial USB Audio Device Class 3.0 support Dan Carpenter
2018-10-12 13:51 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.