-
由 Hui Peng 提交于
mainline inclusion from mainline-v5.3-rc5 commit daac07156b330b18eb5071aec4b3ddca1c377f2c category: bugfix bugzilla: 13690 CVE: CVE-2019-15117 ------------------------------------------------- The `uac_mixer_unit_descriptor` shown as below is read from the device side. In `parse_audio_mixer_unit`, `baSourceID` field is accessed from index 0 to `bNrInPins` - 1, the current implementation assumes that descriptor is always valid (the length of descriptor is no shorter than 5 + `bNrInPins`). If a descriptor read from the device side is invalid, it may trigger out-of-bound memory access. ``` struct uac_mixer_unit_descriptor { __u8 bLength; __u8 bDescriptorType; __u8 bDescriptorSubtype; __u8 bUnitID; __u8 bNrInPins; __u8 baSourceID[]; } ``` This patch fixes the bug by add a sanity check on the length of the descriptor. Reported-by: NHui Peng <benquike@gmail.com> Reported-by: NMathias Payer <mathias.payer@nebelwelt.net> Cc: <stable@vger.kernel.org> Signed-off-by: NHui Peng <benquike@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>bc6ab391