linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] Fix a stack buffer overflow bug check_input_term
@ 2019-08-15  4:35 Hui Peng
  2019-08-15  4:47 ` Hui Peng
  2019-08-15  6:13 ` Takashi Iwai
  0 siblings, 2 replies; 6+ messages in thread
From: Hui Peng @ 2019-08-15  4:35 UTC (permalink / raw)
  To: security
  Cc: Hui Peng, Mathias Payer, Jaroslav Kysela, Takashi Iwai,
	Thomas Gleixner, Wenwen Wang, Allison Randal, YueHaibing,
	alsa-devel, linux-kernel

`check_input_term` recursively calls itself with input
from device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
endless recursive call, resulting kernel space stack overflow.

This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids by `check_input_term` and stop
the execution if some id has been checked (similar to how
parse_audio_unit handles unitid argument).

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
---
 sound/usb/mixer.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index ea487378be17..1f6c8213df82 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -68,6 +68,7 @@ struct mixer_build {
 	unsigned char *buffer;
 	unsigned int buflen;
 	DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
+	DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
 	struct usb_audio_term oterm;
 	const struct usbmix_name_map *map;
 	const struct usbmix_selector_map *selector_map;
@@ -782,6 +783,8 @@ static int check_input_term(struct mixer_build *state, int id,
 	int err;
 	void *p1;
 
+	if (test_and_set_bit(id, state->termbitmap))
+		return 0;
 	memset(term, 0, sizeof(*term));
 	while ((p1 = find_audio_control_unit(state, id)) != NULL) {
 		unsigned char *hdr = p1;
-- 
2.22.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2019-08-15 20:16 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-15  4:35 [PATCH] Fix a stack buffer overflow bug check_input_term Hui Peng
2019-08-15  4:47 ` Hui Peng
2019-08-15  6:13 ` Takashi Iwai
2019-08-15  6:58   ` Takashi Iwai
     [not found]     ` <CAKpmkkWCaLOctG44fD=arD-=oogRVCSxe5rz2UNUAms5q=2pYw@mail.gmail.com>
2019-08-15 17:38       ` Takashi Iwai
     [not found]         ` <c6b11a34-3bd9-f1d7-cd27-4ddcd210a7cc@gmail.com>
2019-08-15 20:16           ` Takashi Iwai

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).