Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-08-16 20:39:29 +0200
committerTakashi Iwai <tiwai@suse.de>2019-08-16 20:39:31 +0200
commitedfe3c90b22c1b1f09d77b27707e9c1b6b4dc523 (patch)
tree02431b1540931f78653ef678055df2596f448f2b
parent01346e8cca7c4526ad124b70c0f1bb09f06a88ba (diff)
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
(CVE-2019-15117,bsc#1145920).
-rw-r--r--patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch52
-rw-r--r--series.conf1
2 files changed, 53 insertions, 0 deletions
diff --git a/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch b/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
new file mode 100644
index 0000000000..fb104d5736
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
@@ -0,0 +1,52 @@
+From daac07156b330b18eb5071aec4b3ddca1c377f2c Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Tue, 13 Aug 2019 22:34:04 -0400
+Subject: [PATCH] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
+References: CVE-2019-15117,bsc#1145920
+Git-commit: daac07156b330b18eb5071aec4b3ddca1c377f2c
+Patch-mainline: v5.3-rc5
+
+The `uac_mixer_unit_descriptor` shown as below is read from the
+device side. In `parse_audio_mixer_unit`, `baSourceID` field is
+accessed from index 0 to `bNrInPins` - 1, the current implementation
+assumes that descriptor is always valid (the length of descriptor
+is no shorter than 5 + `bNrInPins`). If a descriptor read from
+the device side is invalid, it may trigger out-of-bound memory
+access.
+
+```
+struct uac_mixer_unit_descriptor {
+ __u8 bLength;
+ __u8 bDescriptorType;
+ __u8 bDescriptorSubtype;
+ __u8 bUnitID;
+ __u8 bNrInPins;
+ __u8 baSourceID[];
+}
+```
+
+This patch fixes the bug by add a sanity check on the length of
+the descriptor.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/mixer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1701,6 +1701,9 @@ static int parse_audio_mixer_unit(struct
+ return -EINVAL;
+ }
+
++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
++ return -EINVAL;
++
+ num_ins = 0;
+ ich = 0;
+ for (pin = 0; pin < input_pins; pin++) {
diff --git a/series.conf b/series.conf
index 7a66c98ad6..bfbeb040a3 100644
--- a/series.conf
+++ b/series.conf
@@ -23387,6 +23387,7 @@
patches.drivers/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch