From patchwork Fri Aug 30 00:13:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Connor Kuehl X-Patchwork-Id: 1155576 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46KKjL0pQDz9sN6; Fri, 30 Aug 2019 10:14:29 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1i3UYc-0002gx-5I; Fri, 30 Aug 2019 00:14:26 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1i3UYW-0002f9-RX for kernel-team@lists.ubuntu.com; Fri, 30 Aug 2019 00:14:20 +0000 Received: from mail-pg1-f199.google.com ([209.85.215.199]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1i3UYW-0003pC-C3 for kernel-team@lists.ubuntu.com; Fri, 30 Aug 2019 00:14:20 +0000 Received: by mail-pg1-f199.google.com with SMTP id a9so2897360pga.16 for ; Thu, 29 Aug 2019 17:14:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=i7LITmak2ZS+QOQtP/XrlWq7HAG/+lQSZp6j9vYbxv0=; b=E/Sg/mGkCIdADM2+GPuTJtdZpwvfCFj+F9ZzrcLjCqg8weDp00mi+BxGRHf6s7bhU6 e3I/Rvc262+FUdhDg0SVpGJ6cBKVa9uCidfXJERhnm9WLLd2K0IleOQFpa73Z5S4UBd/ JfJmEN8Km/XHtP+hMOGI0vTFXEPHLC+08qirT/usse1qAAcv/iHt9SMlLoGlUESTD/Ya eJqeUsc4RvIqlgGgHrEjsIELrZmxVjGaPnoSKM1W5rGC95m5oqxuRHAegJGIbHwIZ7oC pEhswoPvR3PZIhQ6D8+XdwZPvTD0gm1nHBQQE/oBHxikiU1cTu5lzToNMVHOp4/Yupcv xq+g== X-Gm-Message-State: APjAAAWht8gdNJghUv4fk/I80WhKPTJ8PqhB7S1FdYr1PUoPvkCPD63Q YbQqwFiXdiVfwK6Jwsojtaip6VtbA+GzRAgKLrel130J70f94PMcC2+QllB81GrYSX7/OJq8VS5 J4sEuZyk4Ew3onwjuUHa48dQzm6AltHXHoIKrSI0bag== X-Received: by 2002:a63:181:: with SMTP id 123mr10981713pgb.63.1567124058690; Thu, 29 Aug 2019 17:14:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqwv2MBnOdbVa2+V3Dnplt/5cZGLJQp4i74QGrQ0ycBVtWEDPR7mpYAjosSpZGKBQGnXeS8ONg== X-Received: by 2002:a63:181:: with SMTP id 123mr10981700pgb.63.1567124058474; Thu, 29 Aug 2019 17:14:18 -0700 (PDT) Received: from localhost.localdomain (c-24-20-45-88.hsd1.or.comcast.net. [24.20.45.88]) by smtp.gmail.com with ESMTPSA id z68sm3354102pgz.88.2019.08.29.17.14.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Aug 2019 17:14:17 -0700 (PDT) From: Connor Kuehl To: kernel-team@lists.ubuntu.com Subject: [X/B][SRU][CVE-2019-15117][PATCH 1/2] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit Date: Thu, 29 Aug 2019 17:13:50 -0700 Message-Id: <20190830001351.3686-4-connor.kuehl@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190830001351.3686-1-connor.kuehl@canonical.com> References: <20190830001351.3686-1-connor.kuehl@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Hui Peng CVE-2019-15117 The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. Reported-by: Hui Peng Reported-by: Mathias Payer Cc: Signed-off-by: Hui Peng Signed-off-by: Takashi Iwai (backported from commit daac07156b330b18eb5071aec4b3ddca1c377f2c) [ Connor Kuehl: this patch modifies uac_mixer_unit_get_channels() because that's where the error checking for parse_audio_mixer_unit() was relocated to in mainline commit 6cfd839ae78e "ALSA: usb-audio: UAC3. Add support for mixer unit." Instead of pulling that patch in so this one applies cleanly, I manually placed the new check in parse_audio_mixer_unit(). ] Signed-off-by: Connor Kuehl --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index ee6871ebd936..713020741289 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1700,6 +1700,7 @@ static int parse_audio_mixer_unit(struct mixer_build *state, int unitid, int pin, ich, err; if (desc->bLength < 11 || !(input_pins = desc->bNrInPins) || + desc->bLength < sizeof(*desc) + desc->bNrInPins || !(num_outs = uac_mixer_unit_bNrChannels(desc))) { usb_audio_err(state->chip, "invalid MIXER UNIT descriptor %d\n",