From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752227Ab2AHJJU (ORCPT <rfc822;w@1wt.eu>);
	Sun, 8 Jan 2012 04:09:20 -0500
Received: from cantor2.suse.de ([195.135.220.15]:38232 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751727Ab2AHJJQ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sun, 8 Jan 2012 04:09:16 -0500
Date: Sun, 08 Jan 2012 10:09:11 +0100
Message-ID: <s5hehvamuh4.wl%tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: Xi Wang <xi.wang@gmail.com>
Cc: Jaroslav Kysela <perex@perex.cz>, Clemens Ladisch <clemens@ladisch.de>,
        Daniel Mack <zonque@gmail.com>, Wolfgang Breyha <wbreyha@gmx.net>,
        alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()
In-Reply-To: <1325698749-5353-1-git-send-email-xi.wang@gmail.com>
References: <1325698749-5353-1-git-send-email-xi.wang@gmail.com>
User-Agent: Wanderlust/2.15.6 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.7 Emacs/23.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

At Wed,  4 Jan 2012 12:39:09 -0500,
Xi Wang wrote:
> 
> A malicious USB device may feed in carefully crafted min/max/res values,
> so that the inner loop in parse_uac2_sample_rate_range() could run for
> a long time or even never terminate, e.g., given max = INT_MAX.
> 
> Also nr_rates could be a large integer, which causes an integer overflow
> in the subsequent call to kmalloc() in parse_audio_format_rates_v2().
> Thus, kmalloc() would allocate a smaller buffer than expected, leading
> to a memory corruption.
> 
> To exploit the two vulnerabilities, an attacker needs physical access
> to the machine to plug in a malicious USB device.
> 
> This patch makes two changes.
> 
> 1) The type of "rate" is changed to unsigned int, so that the loop could
>    stop once "rate" is larger than INT_MAX.
> 
> 2) Limit nr_rates to avoid overflow.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>

Thanks for the patch.
As of now, I have little time to evaluate, so I might have missed
something, but I wonder whether 

		/* avoid overflow */
		if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int))
			break;

is the best way to check.  This looks ugly to me.
If we need to limit the number of rates, better to define some proper
numbers as the upper limit.  And then, it should warn, not only
breaking loop.

Anyway I'll check this tomorrow in more details.


thanks,

Takashi

> ---
>  sound/usb/format.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/sound/usb/format.c b/sound/usb/format.c
> index 89421d1..a99de67 100644
> --- a/sound/usb/format.c
> +++ b/sound/usb/format.c
> @@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
>  		int min = combine_quad(&data[2 + 12 * i]);
>  		int max = combine_quad(&data[6 + 12 * i]);
>  		int res = combine_quad(&data[10 + 12 * i]);
> -		int rate;
> +		unsigned int rate;
>  
>  		if ((max < 0) || (min < 0) || (res < 0) || (max < min))
>  			continue;
> @@ -253,6 +253,9 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
>  			fp->rates |= snd_pcm_rate_to_rate_bit(rate);
>  
>  			nr_rates++;
> +			/* avoid overflow */
> +			if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int))
> +				break;
>  
>  			/* avoid endless loop */
>  			if (res == 0)
> -- 
> 1.7.5.4
> 

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Takashi Iwai <tiwai@suse.de>
Subject: Re: [PATCH] ALSA: usb-audio: fix possible hang and
	overflow in parse_uac2_sample_rate_range()
Date: Sun, 08 Jan 2012 10:09:11 +0100
Message-ID: <s5hehvamuh4.wl%tiwai@suse.de>
References: <1325698749-5353-1-git-send-email-xi.wang@gmail.com>
Mime-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <alsa-devel-bounces@alsa-project.org>
Received: from mx2.suse.de (cantor2.suse.de [195.135.220.15])
	by alsa0.perex.cz (Postfix) with ESMTP id B8C1F1038B4
	for <alsa-devel@alsa-project.org>; Sun,  8 Jan 2012 10:09:14 +0100 (CET)
In-Reply-To: <1325698749-5353-1-git-send-email-xi.wang@gmail.com>
List-Unsubscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Sender: alsa-devel-bounces@alsa-project.org
Errors-To: alsa-devel-bounces@alsa-project.org
To: Xi Wang <xi.wang@gmail.com>
Cc: alsa-devel@alsa-project.org, Clemens Ladisch <clemens@ladisch.de>, linux-kernel@vger.kernel.org, Daniel Mack <zonque@gmail.com>, Wolfgang Breyha <wbreyha@gmx.net>
List-Id: alsa-devel@alsa-project.org

At Wed,  4 Jan 2012 12:39:09 -0500,
Xi Wang wrote:
> 
> A malicious USB device may feed in carefully crafted min/max/res values,
> so that the inner loop in parse_uac2_sample_rate_range() could run for
> a long time or even never terminate, e.g., given max = INT_MAX.
> 
> Also nr_rates could be a large integer, which causes an integer overflow
> in the subsequent call to kmalloc() in parse_audio_format_rates_v2().
> Thus, kmalloc() would allocate a smaller buffer than expected, leading
> to a memory corruption.
> 
> To exploit the two vulnerabilities, an attacker needs physical access
> to the machine to plug in a malicious USB device.
> 
> This patch makes two changes.
> 
> 1) The type of "rate" is changed to unsigned int, so that the loop could
>    stop once "rate" is larger than INT_MAX.
> 
> 2) Limit nr_rates to avoid overflow.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>

Thanks for the patch.
As of now, I have little time to evaluate, so I might have missed
something, but I wonder whether 

		/* avoid overflow */
		if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int))
			break;

is the best way to check.  This looks ugly to me.
If we need to limit the number of rates, better to define some proper
numbers as the upper limit.  And then, it should warn, not only
breaking loop.

Anyway I'll check this tomorrow in more details.


thanks,

Takashi

> ---
>  sound/usb/format.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/sound/usb/format.c b/sound/usb/format.c
> index 89421d1..a99de67 100644
> --- a/sound/usb/format.c
> +++ b/sound/usb/format.c
> @@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
>  		int min = combine_quad(&data[2 + 12 * i]);
>  		int max = combine_quad(&data[6 + 12 * i]);
>  		int res = combine_quad(&data[10 + 12 * i]);
> -		int rate;
> +		unsigned int rate;
>  
>  		if ((max < 0) || (min < 0) || (res < 0) || (max < min))
>  			continue;
> @@ -253,6 +253,9 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
>  			fp->rates |= snd_pcm_rate_to_rate_bit(rate);
>  
>  			nr_rates++;
> +			/* avoid overflow */
> +			if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int))
> +				break;
>  
>  			/* avoid endless loop */
>  			if (res == 0)
> -- 
> 1.7.5.4
>