Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-07-16 15:11:39 +0200
committerTakashi Iwai <tiwai@suse.de>2019-07-16 15:11:42 +0200
commitd819b43002d64420beabc8b1e2826188c73091df (patch)
tree316eb5dbd16dc0f34d96f37df339be8039d3222f
parentfdc7de91685e6dedbfe1c145ecaef4b303961090 (diff)
ALSA: usb-audio: Sanity checks for each pipe and EP types
(bsc#1051510).
-rw-r--r--patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch133
-rw-r--r--series.conf1
2 files changed, 134 insertions, 0 deletions
diff --git a/patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch b/patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch
new file mode 100644
index 0000000000..13f2a88c01
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch
@@ -0,0 +1,133 @@
+From 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 24 Jun 2019 15:08:28 +0200
+Subject: [PATCH] ALSA: usb-audio: Sanity checks for each pipe and EP types
+Git-commit: 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The recent USB core code performs sanity checks for the given pipe and
+EP types, and it can be hit by manipulated USB descriptors by syzbot.
+For making syzbot happier, this patch introduces a local helper for a
+sanity check in the driver side and calls it at each place before the
+message handling, so that we can avoid the WARNING splats.
+
+Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/helper.c | 17 +++++++++++++++++
+ sound/usb/helper.h | 1 +
+ sound/usb/quirks.c | 18 +++++++++++++++---
+ 3 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/helper.c b/sound/usb/helper.c
+index 7712e2b84183..b1cc9499c57e 100644
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -76,6 +76,20 @@ void *snd_usb_find_csint_desc(void *buffer, int buflen, void *after, u8 dsubtype
+ return NULL;
+ }
+
++/* check the validity of pipe and EP types */
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
++{
++ static const int pipetypes[4] = {
++ PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
++ };
++ struct usb_host_endpoint *ep;
++
++ ep = usb_pipe_endpoint(dev, pipe);
++ if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++ return -EINVAL;
++ return 0;
++}
++
+ /*
+ * Wrapper for usb_control_msg().
+ * Allocates a temp buffer to prevent dmaing from/to the stack.
+@@ -88,6 +102,9 @@ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
+ void *buf = NULL;
+ int timeout;
+
++ if (snd_usb_pipe_sanity_check(dev, pipe))
++ return -EINVAL;
++
+ if (size > 0) {
+ buf = kmemdup(data, size, GFP_KERNEL);
+ if (!buf)
+diff --git a/sound/usb/helper.h b/sound/usb/helper.h
+index d338bd0e0ca6..6afb70156ec4 100644
+--- a/sound/usb/helper.h
++++ b/sound/usb/helper.h
+@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsigned char *bytes, int size);
+ void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
+ void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
+
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
+ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
+ __u8 request, __u8 requesttype, __u16 value, __u16 index,
+ void *data, __u16 size);
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index e6ce1bbe6ca6..057143330a28 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -840,11 +840,13 @@ static int snd_usb_novation_boot_quirk(struct usb_device *dev)
+ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ {
+ int err, actual_length;
+-
+ /* "midi send" enable */
+ static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
++ void *buf;
+
+- void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
++ if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
++ return -EINVAL;
++ buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
+@@ -869,7 +871,11 @@ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+
+ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
+ {
+- int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
++ int ret;
++
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, 1000);
+
+@@ -976,6 +982,8 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
+
+ dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
+
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
+ /* If the Axe-Fx III has not fully booted, it will timeout when trying
+ * to enable the audio streaming interface. A more generous timeout is
+ * used here to detect when the Axe-Fx III has finished booting as the
+@@ -1008,6 +1016,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+ {
+ int err, actual_length;
+
++ if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)))
++ return -EINVAL;
+ err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length,
+ &actual_length, 1000);
+ if (err < 0)
+@@ -1018,6 +1028,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+
+ memset(buf, 0, buf_size);
+
++ if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))
++ return -EINVAL;
+ err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size,
+ &actual_length, 1000);
+ if (err < 0)
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index b71a46bd58..7bbdb0d52d 100644
--- a/series.conf
+++ b/series.conf
@@ -22846,6 +22846,7 @@
patches.drivers/media-s5p-mfc-Make-additional-clocks-optional.patch
patches.drivers/media-v4l2-Test-type-instead-of-cfg-type-in-v4l2_ctr.patch
patches.drivers/ALSA-usb-audio-Enable-.product_name-override-for-Ema.patch
+ patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch
patches.drivers/ALSA-hda-realtek-Headphone-Mic-can-t-record-after-S3.patch
patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072