From: Hui Peng <benquike@gmail.com>
To: carnil@debian.org
Cc: stable@vger.kernel.org, mathias.payer@nebelwelt.net,
perex@perex.cz, tiwai@suse.com, gregkh@linuxfoundation.org,
wang6495@umn.edu, alsa-devel@alsa-project.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
Date: Sun, 1 Sep 2019 15:43:13 -0400 [thread overview]
Message-ID: <df31a1f9-623a-aff6-fa7c-01eba3fd0f63@gmail.com> (raw)
In-Reply-To: <20190901125809.GA23334@eldamar.local>
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1601 bytes --]
From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Hui Peng <benquike@gmail.com>
To: carnil@debian.org
Cc: stable@vger.kernel.org, mathias.payer@nebelwelt.net,
perex@perex.cz, tiwai@suse.com, gregkh@linuxfoundation.org,
wang6495@umn.edu, alsa-devel@alsa-project.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
Date: Sun, 1 Sep 2019 15:43:13 -0400 [thread overview]
Message-ID: <df31a1f9-623a-aff6-fa7c-01eba3fd0f63@gmail.com> (raw)
In-Reply-To: <20190901125809.GA23334@eldamar.local>
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1602 bytes --]
>From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Hui Peng <benquike@gmail.com>
To: carnil@debian.org
Cc: mathias.payer@nebelwelt.net, alsa-devel@alsa-project.org,
gregkh@linuxfoundation.org, wang6495@umn.edu, tiwai@suse.com,
stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [alsa-devel] [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
Date: Sun, 1 Sep 2019 15:43:13 -0400 [thread overview]
Message-ID: <df31a1f9-623a-aff6-fa7c-01eba3fd0f63@gmail.com> (raw)
Message-ID: <20190901194313.HJCvjXjRwGiSqnlrDE9NJ0SNU44UaFF8VOZdgzpVTbs@z> (raw)
In-Reply-To: <20190901125809.GA23334@eldamar.local>
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __u8 bDescriptorSubtype;
>> __u8 bUnitID;
>> __u8 bNrInPins;
>> __u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.
Yes, the CVE id was wrong. I have updated it in the attached patch.
> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)
Yes, it should have been fixed in those branches.
But google asked me to back port it to v4.4.190 and v4.14.141.
I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.
Can you apply it to these 2 versions? (it applies to both versions)
Thanks.
> Regards,
> Salvatore
[-- Attachment #2: 0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch --]
[-- Type: text/x-patch, Size: 1601 bytes --]
From 09942398a53bbe730264b782673890d4a54068d0 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Fri, 30 Aug 2019 16:11:00 -0400
Subject: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2019-15117
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 1f7eb3816cd7..10ddec76f906 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1628,6 +1628,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid,
int pin, ich, err;
if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) ||
+ desc->bLength < sizeof(*desc) + desc->bNrInPins ||
!(num_outs = uac_mixer_unit_bNrChannels(desc))) {
usb_audio_err(state->chip,
"invalid MIXER UNIT descriptor %d\n",
--
2.17.1
[-- Attachment #3: Type: text/plain, Size: 161 bytes --]
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
next prev parent reply other threads:[~2019-09-01 19:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-30 21:46 [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit Hui Peng
2019-08-30 21:46 ` [alsa-devel] " Hui Peng
2019-08-30 21:49 ` Hui Peng
2019-08-30 21:49 ` [alsa-devel] " Hui Peng
2019-09-02 16:00 ` Greg Kroah-Hartman
2019-09-02 16:00 ` [alsa-devel] " Greg Kroah-Hartman
2019-09-01 12:58 ` Salvatore Bonaccorso
2019-09-01 12:58 ` [alsa-devel] " Salvatore Bonaccorso
2019-09-01 19:43 ` Hui Peng [this message]
2019-09-01 19:43 ` Hui Peng
2019-09-01 19:43 ` Hui Peng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df31a1f9-623a-aff6-fa7c-01eba3fd0f63@gmail.com \
--to=benquike@gmail.com \
--cc=alsa-devel@alsa-project.org \
--cc=carnil@debian.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathias.payer@nebelwelt.net \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
--cc=wang6495@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.