[D/E,SRU,CVE-2019-15117,1/2] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
diff mbox series

Message ID 20190830001351.3686-2-connor.kuehl@canonical.com
State New
Headers show
Series
  • Fixes for CVE-2019-15117 & CVE-2019-15118
Related show

Commit Message

Connor Kuehl Aug. 30, 2019, 12:13 a.m. UTC
From: Hui Peng <benquike@gmail.com>

CVE-2019-15117

The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length  of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.

```
struct uac_mixer_unit_descriptor {
	__u8 bLength;
	__u8 bDescriptorType;
	__u8 bDescriptorSubtype;
	__u8 bUnitID;
	__u8 bNrInPins;
	__u8 baSourceID[];
}
```

This patch fixes the bug by add a sanity check on the length of
the descriptor.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit daac07156b330b18eb5071aec4b3ddca1c377f2c)
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
---
 sound/usb/mixer.c | 2 ++
 1 file changed, 2 insertions(+)

Patch
diff mbox series

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 5a10b1b7f6b9..b55add92f040 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -759,6 +759,8 @@  static int uac_mixer_unit_get_channels(struct mixer_build *state,
 		return -EINVAL;
 	if (!desc->bNrInPins)
 		return -EINVAL;
+	if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
+		return -EINVAL;
 
 	switch (state->mixer->protocol) {
 	case UAC_VERSION_1: