* [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-08-30 21:46 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-08-30 21:46 UTC (permalink / raw)
To: stable
Cc: Hui Peng, Mathias Payer, Jaroslav Kysela, Takashi Iwai,
Greg Kroah-Hartman, Wenwen Wang, alsa-devel, linux-kernel
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2018-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-08-30 21:46 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-08-30 21:46 UTC (permalink / raw)
To: stable
Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang,
Takashi Iwai, Hui Peng, linux-kernel
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2018-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-08-30 21:49 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-08-30 21:49 UTC (permalink / raw)
To: stable
Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang,
Takashi Iwai, linux-kernel
This is the backported patch of the following bug to v4.4.x and v4.14.x:
daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit")
On Fri, Aug 30, 2019 at 5:47 PM Hui Peng <benquike@gmail.com> wrote:
> The `uac_mixer_unit_descriptor` shown as below is read from the
> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
> accessed from index 0 to `bNrInPins` - 1, the current implementation
> assumes that descriptor is always valid (the length of descriptor
> is no shorter than 5 + `bNrInPins`). If a descriptor read from
> the device side is invalid, it may trigger out-of-bound memory
> access.
>
> ```
> struct uac_mixer_unit_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __u8 bDescriptorSubtype;
> __u8 bUnitID;
> __u8 bNrInPins;
> __u8 baSourceID[];
> }
> ```
>
> This patch fixes the bug by add a sanity check on the length of
> the descriptor.
>
> CVE: CVE-2018-15117
>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> ---
> sound/usb/mixer.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index 1f7eb3816cd7..10ddec76f906 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build
> *state, int unitid,
> int pin, ich, err;
>
> if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
> + desc->bLength < sizeof(*desc) + desc->bNrInPins ||
> !(num_outs = uac_mixer_unit_bNrChannels(desc))) {
> usb_audio_err(state->chip,
> "invalid MIXER UNIT descriptor %d\n",
> --
> 2.17.1
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-08-30 21:49 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-08-30 21:49 UTC (permalink / raw)
To: stable
Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang,
Takashi Iwai, linux-kernel
This is the backported patch of the following bug to v4.4.x and v4.14.x:
daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit")
On Fri, Aug 30, 2019 at 5:47 PM Hui Peng <benquike@gmail.com> wrote:
> The `uac_mixer_unit_descriptor` shown as below is read from the
> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
> accessed from index 0 to `bNrInPins` - 1, the current implementation
> assumes that descriptor is always valid (the length of descriptor
> is no shorter than 5 + `bNrInPins`). If a descriptor read from
> the device side is invalid, it may trigger out-of-bound memory
> access.
>
> ```
> struct uac_mixer_unit_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __u8 bDescriptorSubtype;
> __u8 bUnitID;
> __u8 bNrInPins;
> __u8 baSourceID[];
> }
> ```
>
> This patch fixes the bug by add a sanity check on the length of
> the descriptor.
>
> CVE: CVE-2018-15117
>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> ---
> sound/usb/mixer.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index 1f7eb3816cd7..10ddec76f906 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build
> *state, int unitid,
> int pin, ich, err;
>
> if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
> + desc->bLength < sizeof(*desc) + desc->bNrInPins ||
> !(num_outs = uac_mixer_unit_bNrChannels(desc))) {
> usb_audio_err(state->chip,
> "invalid MIXER UNIT descriptor %d\n",
> --
> 2.17.1
>
>
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-09-01 12:58 ` Salvatore Bonaccorso
0 siblings, 0 replies; 11+ messages in thread
From: Salvatore Bonaccorso @ 2019-09-01 12:58 UTC (permalink / raw)
To: Hui Peng
Cc: stable, Mathias Payer, Jaroslav Kysela, Takashi Iwai,
Greg Kroah-Hartman, Wenwen Wang, alsa-devel, linux-kernel
On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
> The `uac_mixer_unit_descriptor` shown as below is read from the
> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
> accessed from index 0 to `bNrInPins` - 1, the current implementation
> assumes that descriptor is always valid (the length of descriptor
> is no shorter than 5 + `bNrInPins`). If a descriptor read from
> the device side is invalid, it may trigger out-of-bound memory
> access.
>
> ```
> struct uac_mixer_unit_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __u8 bDescriptorSubtype;
> __u8 bUnitID;
> __u8 bNrInPins;
> __u8 baSourceID[];
> }
> ```
>
> This patch fixes the bug by add a sanity check on the length of
> the descriptor.
>
> CVE: CVE-2018-15117
FWIW, the correct CVE id should be probably CVE-2019-15117 here.
But there was already a patch queued and released in 5.2.10 and
4.19.68 for this issue (as far I can see; is this correct?)
Regards,
Salvatore
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-09-01 12:58 ` Salvatore Bonaccorso
0 siblings, 0 replies; 11+ messages in thread
From: Salvatore Bonaccorso @ 2019-09-01 12:58 UTC (permalink / raw)
To: Hui Peng
Cc: Mathias Payer, alsa-devel, Greg Kroah-Hartman, Wenwen Wang,
Takashi Iwai, stable, linux-kernel
On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
> The `uac_mixer_unit_descriptor` shown as below is read from the
> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
> accessed from index 0 to `bNrInPins` - 1, the current implementation
> assumes that descriptor is always valid (the length of descriptor
> is no shorter than 5 + `bNrInPins`). If a descriptor read from
> the device side is invalid, it may trigger out-of-bound memory
> access.
>
> ```
> struct uac_mixer_unit_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __u8 bDescriptorSubtype;
> __u8 bUnitID;
> __u8 bNrInPins;
> __u8 baSourceID[];
> }
> ```
>
> This patch fixes the bug by add a sanity check on the length of
> the descriptor.
>
> CVE: CVE-2018-15117
FWIW, the correct CVE id should be probably CVE-2019-15117 here.
But there was already a patch queued and released in 5.2.10 and
4.19.68 for this issue (as far I can see; is this correct?)
Regards,
Salvatore
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
2019-09-01 12:58 ` [alsa-devel] " Salvatore Bonaccorso
(?)
@ 2019-09-01 19:43 ` Hui Peng
-1 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw)
To: carnil
Cc: stable, mathias.payer, perex, tiwai, gregkh, wang6495,
alsa-devel, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1601 bytes --]
From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-09-01 19:43 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw)
To: carnil
Cc: stable, mathias.payer, perex, tiwai, gregkh, wang6495,
alsa-devel, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1602 bytes --]
>From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-09-01 19:43 ` Hui Peng
0 siblings, 0 replies; 11+ messages in thread
From: Hui Peng @ 2019-09-01 19:43 UTC (permalink / raw)
To: carnil
Cc: mathias.payer, alsa-devel, gregkh, wang6495, tiwai, stable, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1601 bytes --]
From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
[-- Attachment #3: Type: text/plain, Size: 161 bytes --]
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
2019-08-30 21:49 ` [alsa-devel] " Hui Peng
@ 2019-09-02 16:00 ` Greg Kroah-Hartman
-1 siblings, 0 replies; 11+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-02 16:00 UTC (permalink / raw)
To: Hui Peng
Cc: stable, Mathias Payer, Jaroslav Kysela, Takashi Iwai,
Wenwen Wang, alsa-devel, linux-kernel
On Fri, Aug 30, 2019 at 05:49:59PM -0400, Hui Peng wrote:
> This is the backported patch of the following bug to v4.4.x and v4.14.x:
> daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit")
Thanks, also now queued up to 4.9.y, you forgot that one :)
greg k-h
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
@ 2019-09-02 16:00 ` Greg Kroah-Hartman
0 siblings, 0 replies; 11+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-02 16:00 UTC (permalink / raw)
To: Hui Peng
Cc: alsa-devel, linux-kernel, Wenwen Wang, Mathias Payer, stable,
Takashi Iwai
On Fri, Aug 30, 2019 at 05:49:59PM -0400, Hui Peng wrote:
> This is the backported patch of the following bug to v4.4.x and v4.14.x:
> daac07156b33 ("ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit")
Thanks, also now queued up to 4.9.y, you forgot that one :)
greg k-h
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-09-02 16:01 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-30 21:46 [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit Hui Peng
2019-08-30 21:46 ` [alsa-devel] " Hui Peng
2019-08-30 21:49 ` Hui Peng
2019-08-30 21:49 ` [alsa-devel] " Hui Peng
2019-09-02 16:00 ` Greg Kroah-Hartman
2019-09-02 16:00 ` [alsa-devel] " Greg Kroah-Hartman
2019-09-01 12:58 ` Salvatore Bonaccorso
2019-09-01 12:58 ` [alsa-devel] " Salvatore Bonaccorso
2019-09-01 19:43 ` Hui Peng
2019-09-01 19:43 ` [alsa-devel] " Hui Peng
2019-09-01 19:43 ` Hui Peng
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.