* [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-08-30 21:46 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-08-30 21:46 UTC (permalink / raw) To: stable Cc: Hui Peng, Mathias Payer, Jaroslav Kysela, Takashi Iwai, Greg Kroah-Hartman, Wenwen Wang, alsa-devel, linux-kernel The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2018-15117 Reported-by: Hui Peng <benquike@gmail.com> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: Hui Peng <benquike@gmail.com> --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-08-30 21:46 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-08-30 21:46 UTC (permalink / raw) To: stable Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang, Takashi Iwai, Hui Peng, linux-kernel The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2018-15117 Reported-by: Hui Peng <benquike@gmail.com> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: Hui Peng <benquike@gmail.com> --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1 _______________________________________________ Alsa-devel mailing list Alsa-devel@alsa-project.org https://mailman.alsa-project.org/mailman/listinfo/alsa-devel ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-08-30 21:49 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-08-30 21:49 UTC (permalink / raw) To: stable Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang, Takashi Iwai, linux-kernel This is the backported patch of the following bug to v4.4.x and v4.14.x: daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit") On Fri, Aug 30, 2019 at 5:47 PM Hui Peng <benquike@gmail.com> wrote: > The `uac_mixer_unit_descriptor` shown as below is read from the > device side. In `parse_audio_mixer_unit`, `baSourceID` field is > accessed from index 0 to `bNrInPins` - 1, the current implementation > assumes that descriptor is always valid (the length of descriptor > is no shorter than 5 + `bNrInPins`). If a descriptor read from > the device side is invalid, it may trigger out-of-bound memory > access. > > ``` > struct uac_mixer_unit_descriptor { > __u8 bLength; > __u8 bDescriptorType; > __u8 bDescriptorSubtype; > __u8 bUnitID; > __u8 bNrInPins; > __u8 baSourceID[]; > } > ``` > > This patch fixes the bug by add a sanity check on the length of > the descriptor. > > CVE: CVE-2018-15117 > > Reported-by: Hui Peng <benquike@gmail.com> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> > Signed-off-by: Hui Peng <benquike@gmail.com> > --- > sound/usb/mixer.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c > index 1f7eb3816cd7..10ddec76f906 100644 > --- a/sound/usb/mixer.c > +++ b/sound/usb/mixer.c > @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build > *state, int unitid, > int pin, ich, err; > > if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || > + desc->bLength < sizeof(*desc) + desc->bNrInPins || > !(num_outs = uac_mixer_unit_bNrChannels(desc))) { > usb_audio_err(state->chip, > "invalid MIXER UNIT descriptor %d\n", > -- > 2.17.1 > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-08-30 21:49 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-08-30 21:49 UTC (permalink / raw) To: stable Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang, Takashi Iwai, linux-kernel This is the backported patch of the following bug to v4.4.x and v4.14.x: daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit") On Fri, Aug 30, 2019 at 5:47 PM Hui Peng <benquike@gmail.com> wrote: > The `uac_mixer_unit_descriptor` shown as below is read from the > device side. In `parse_audio_mixer_unit`, `baSourceID` field is > accessed from index 0 to `bNrInPins` - 1, the current implementation > assumes that descriptor is always valid (the length of descriptor > is no shorter than 5 + `bNrInPins`). If a descriptor read from > the device side is invalid, it may trigger out-of-bound memory > access. > > ``` > struct uac_mixer_unit_descriptor { > __u8 bLength; > __u8 bDescriptorType; > __u8 bDescriptorSubtype; > __u8 bUnitID; > __u8 bNrInPins; > __u8 baSourceID[]; > } > ``` > > This patch fixes the bug by add a sanity check on the length of > the descriptor. > > CVE: CVE-2018-15117 > > Reported-by: Hui Peng <benquike@gmail.com> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> > Signed-off-by: Hui Peng <benquike@gmail.com> > --- > sound/usb/mixer.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c > index 1f7eb3816cd7..10ddec76f906 100644 > --- a/sound/usb/mixer.c > +++ b/sound/usb/mixer.c > @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build > *state, int unitid, > int pin, ich, err; > > if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || > + desc->bLength < sizeof(*desc) + desc->bNrInPins || > !(num_outs = uac_mixer_unit_bNrChannels(desc))) { > usb_audio_err(state->chip, > "invalid MIXER UNIT descriptor %d\n", > -- > 2.17.1 > > _______________________________________________ Alsa-devel mailing list Alsa-devel@alsa-project.org https://mailman.alsa-project.org/mailman/listinfo/alsa-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit 2019-08-30 21:49 ` [alsa-devel] " Hui Peng @ 2019-09-02 16:00 ` Greg Kroah-Hartman -1 siblings, 0 replies; 11+ messages in thread From: Greg Kroah-Hartman @ 2019-09-02 16:00 UTC (permalink / raw) To: Hui Peng Cc: stable, Mathias Payer, Jaroslav Kysela, Takashi Iwai, Wenwen Wang, alsa-devel, linux-kernel On Fri, Aug 30, 2019 at 05:49:59PM -0400, Hui Peng wrote: > This is the backported patch of the following bug to v4.4.x and v4.14.x: > daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit") Thanks, also now queued up to 4.9.y, you forgot that one :) greg k-h ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-09-02 16:00 ` Greg Kroah-Hartman 0 siblings, 0 replies; 11+ messages in thread From: Greg Kroah-Hartman @ 2019-09-02 16:00 UTC (permalink / raw) To: Hui Peng Cc: alsa-devel, linux-kernel, Wenwen Wang, Mathias Payer, stable, Takashi Iwai On Fri, Aug 30, 2019 at 05:49:59PM -0400, Hui Peng wrote: > This is the backported patch of the following bug to v4.4.x and v4.14.x: > daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit") Thanks, also now queued up to 4.9.y, you forgot that one :) greg k-h _______________________________________________ Alsa-devel mailing list Alsa-devel@alsa-project.org https://mailman.alsa-project.org/mailman/listinfo/alsa-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-09-01 12:58 ` Salvatore Bonaccorso 0 siblings, 0 replies; 11+ messages in thread From: Salvatore Bonaccorso @ 2019-09-01 12:58 UTC (permalink / raw) To: Hui Peng Cc: stable, Mathias Payer, Jaroslav Kysela, Takashi Iwai, Greg Kroah-Hartman, Wenwen Wang, alsa-devel, linux-kernel On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: > The `uac_mixer_unit_descriptor` shown as below is read from the > device side. In `parse_audio_mixer_unit`, `baSourceID` field is > accessed from index 0 to `bNrInPins` - 1, the current implementation > assumes that descriptor is always valid (the length of descriptor > is no shorter than 5 + `bNrInPins`). If a descriptor read from > the device side is invalid, it may trigger out-of-bound memory > access. > > ``` > struct uac_mixer_unit_descriptor { > __u8 bLength; > __u8 bDescriptorType; > __u8 bDescriptorSubtype; > __u8 bUnitID; > __u8 bNrInPins; > __u8 baSourceID[]; > } > ``` > > This patch fixes the bug by add a sanity check on the length of > the descriptor. > > CVE: CVE-2018-15117 FWIW, the correct CVE id should be probably CVE-2019-15117 here. But there was already a patch queued and released in 5.2.10 and 4.19.68 for this issue (as far I can see; is this correct?) Regards, Salvatore ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-09-01 12:58 ` Salvatore Bonaccorso 0 siblings, 0 replies; 11+ messages in thread From: Salvatore Bonaccorso @ 2019-09-01 12:58 UTC (permalink / raw) To: Hui Peng Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang, Takashi Iwai, stable, linux-kernel On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: > The `uac_mixer_unit_descriptor` shown as below is read from the > device side. In `parse_audio_mixer_unit`, `baSourceID` field is > accessed from index 0 to `bNrInPins` - 1, the current implementation > assumes that descriptor is always valid (the length of descriptor > is no shorter than 5 + `bNrInPins`). If a descriptor read from > the device side is invalid, it may trigger out-of-bound memory > access. > > ``` > struct uac_mixer_unit_descriptor { > __u8 bLength; > __u8 bDescriptorType; > __u8 bDescriptorSubtype; > __u8 bUnitID; > __u8 bNrInPins; > __u8 baSourceID[]; > } > ``` > > This patch fixes the bug by add a sanity check on the length of > the descriptor. > > CVE: CVE-2018-15117 FWIW, the correct CVE id should be probably CVE-2019-15117 here. But there was already a patch queued and released in 5.2.10 and 4.19.68 for this issue (as far I can see; is this correct?) Regards, Salvatore _______________________________________________ Alsa-devel mailing list Alsa-devel@alsa-project.org https://mailman.alsa-project.org/mailman/listinfo/alsa-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit 2019-09-01 12:58 ` [alsa-devel] " Salvatore Bonaccorso (?) @ 2019-09-01 19:43 ` Hui Peng -1 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw) To: carnil Cc: stable, mathias.payer, perex, tiwai, gregkh, wang6495, alsa-devel, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1425 bytes --] On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote: > On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: >> The `uac_mixer_unit_descriptor` shown as below is read from the >> device side. In `parse_audio_mixer_unit`, `baSourceID` field is >> accessed from index 0 to `bNrInPins` - 1, the current implementation >> assumes that descriptor is always valid (the length of descriptor >> is no shorter than 5 + `bNrInPins`). If a descriptor read from >> the device side is invalid, it may trigger out-of-bound memory >> access. >> >> ``` >> struct uac_mixer_unit_descriptor { >> __u8 bLength; >> __u8 bDescriptorType; >> __u8 bDescriptorSubtype; >> __u8 bUnitID; >> __u8 bNrInPins; >> __u8 baSourceID[]; >> } >> ``` >> >> This patch fixes the bug by add a sanity check on the length of >> the descriptor. >> >> CVE: CVE-2018-15117 > FWIW, the correct CVE id should be probably CVE-2019-15117 here. Yes, the CVE id was wrong. I have updated it in the attached patch. > But there was already a patch queued and released in 5.2.10 and > 4.19.68 for this issue (as far I can see; is this correct?) Yes, it should have been fixed in those branches. But google asked me to back port it to v4.4.190 and v4.14.141. I have mentioned it in one previous email, but it was blocked by vger because it was sent in html format. Can you apply it to these 2 versions? (it applies to both versions) Thanks. > Regards, > Salvatore [-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --] [-- Type: text/x-patch, Size: 1601 bytes --] From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001 From: Hui Peng <benquike@gmail.com> Date: Fri, 30 Aug 2019 16:11:00 -0400 Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2019-15117 Reported-by: Hui Peng <benquike@gmail.com> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: Hui Peng <benquike@gmail.com> --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-09-01 19:43 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw) To: carnil Cc: mathias.payer, alsa-devel, gregkh, wang6495, tiwai, stable, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1425 bytes --] On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote: > On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: >> The `uac_mixer_unit_descriptor` shown as below is read from the >> device side. In `parse_audio_mixer_unit`, `baSourceID` field is >> accessed from index 0 to `bNrInPins` - 1, the current implementation >> assumes that descriptor is always valid (the length of descriptor >> is no shorter than 5 + `bNrInPins`). If a descriptor read from >> the device side is invalid, it may trigger out-of-bound memory >> access. >> >> ``` >> struct uac_mixer_unit_descriptor { >> __u8 bLength; >> __u8 bDescriptorType; >> __u8 bDescriptorSubtype; >> __u8 bUnitID; >> __u8 bNrInPins; >> __u8 baSourceID[]; >> } >> ``` >> >> This patch fixes the bug by add a sanity check on the length of >> the descriptor. >> >> CVE: CVE-2018-15117 > FWIW, the correct CVE id should be probably CVE-2019-15117 here. Yes, the CVE id was wrong. I have updated it in the attached patch. > But there was already a patch queued and released in 5.2.10 and > 4.19.68 for this issue (as far I can see; is this correct?) Yes, it should have been fixed in those branches. But google asked me to back port it to v4.4.190 and v4.14.141. I have mentioned it in one previous email, but it was blocked by vger because it was sent in html format. Can you apply it to these 2 versions? (it applies to both versions) Thanks. > Regards, > Salvatore [-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --] [-- Type: text/x-patch, Size: 1601 bytes --] From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001 From: Hui Peng <benquike@gmail.com> Date: Fri, 30 Aug 2019 16:11:00 -0400 Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2019-15117 Reported-by: Hui Peng <benquike@gmail.com> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: Hui Peng <benquike@gmail.com> --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1 [-- Attachment #3: Type: text/plain, Size: 161 bytes --] _______________________________________________ Alsa-devel mailing list Alsa-devel@alsa-project.org https://mailman.alsa-project.org/mailman/listinfo/alsa-devel ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit @ 2019-09-01 19:43 ` Hui Peng 0 siblings, 0 replies; 11+ messages in thread From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw) To: carnil Cc: stable, mathias.payer, perex, tiwai, gregkh, wang6495, alsa-devel, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1425 bytes --] On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote: > On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: >> The `uac_mixer_unit_descriptor` shown as below is read from the >> device side. In `parse_audio_mixer_unit`, `baSourceID` field is >> accessed from index 0 to `bNrInPins` - 1, the current implementation >> assumes that descriptor is always valid (the length of descriptor >> is no shorter than 5 + `bNrInPins`). If a descriptor read from >> the device side is invalid, it may trigger out-of-bound memory >> access. >> >> ``` >> struct uac_mixer_unit_descriptor { >> __u8 bLength; >> __u8 bDescriptorType; >> __u8 bDescriptorSubtype; >> __u8 bUnitID; >> __u8 bNrInPins; >> __u8 baSourceID[]; >> } >> ``` >> >> This patch fixes the bug by add a sanity check on the length of >> the descriptor. >> >> CVE: CVE-2018-15117 > FWIW, the correct CVE id should be probably CVE-2019-15117 here. Yes, the CVE id was wrong. I have updated it in the attached patch. > But there was already a patch queued and released in 5.2.10 and > 4.19.68 for this issue (as far I can see; is this correct?) Yes, it should have been fixed in those branches. But google asked me to back port it to v4.4.190 and v4.14.141. I have mentioned it in one previous email, but it was blocked by vger because it was sent in html format. Can you apply it to these 2 versions? (it applies to both versions) Thanks. > Regards, > Salvatore [-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --] [-- Type: text/x-patch, Size: 1602 bytes --] >From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001 From: Hui Peng <benquike@gmail.com> Date: Fri, 30 Aug 2019 16:11:00 -0400 Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. CVE: CVE-2019-15117 Reported-by: Hui Peng <benquike@gmail.com> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: Hui Peng <benquike@gmail.com> --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 1f7eb3816cd7..10ddec76f906 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n", -- 2.17.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-09-02 16:01 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-08-30 21:46 [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit Hui Peng 2019-08-30 21:46 ` [alsa-devel] " Hui Peng 2019-08-30 21:49 ` Hui Peng 2019-08-30 21:49 ` [alsa-devel] " Hui Peng 2019-09-02 16:00 ` Greg Kroah-Hartman 2019-09-02 16:00 ` [alsa-devel] " Greg Kroah-Hartman 2019-09-01 12:58 ` Salvatore Bonaccorso 2019-09-01 12:58 ` [alsa-devel] " Salvatore Bonaccorso 2019-09-01 19:43 ` Hui Peng 2019-09-01 19:43 ` [alsa-devel] " Hui Peng 2019-09-01 19:43 ` Hui Peng
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.