ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term

mainline inclusion from mainline-v5.3-rc5 commit 19bce474c45be69a284ecee660aa12d8f1e88f18 category: bugfix bugzilla: 13690 CVE: CVE-2019-15118 ------------------------------------------------- `check_input_term` recursively calls itself with input from device side (e.g., uac_input_terminal_descriptor.bCSourceID) as argument (id). In `check_input_term`, if `check_input_term` is called with the same `id` argument as the caller, it triggers endless recursive call, resulting kernel space stack overflow. This patch fixes the bug by adding a bitmap to `struct mixer_build` to keep track of the checked ids and stop the execution if some id has been checked (similar to how parse_audio_unit handles unitid argument). Reported-by: N Hui Peng <benquike@gmail.com> Reported-by: N Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: N Hui Peng <benquike@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: N Takashi Iwai <tiwai@suse.de> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
mainline inclusion from mainline-v5.3-rc5 commit 19bce474c45be69a284ecee660aa12d8f1e88f18 category: bugfix bugzilla: 13690 CVE: CVE-2019-15118 ------------------------------------------------- `check_input_term` recursively calls itself with input from device side (e.g., uac_input_terminal_descriptor.bCSourceID) as argument (id). In `check_input_term`, if `check_input_term` is called with the same `id` argument as the caller, it triggers endless recursive call, resulting kernel space stack overflow. This patch fixes the bug by adding a bitmap to `struct mixer_build` to keep track of the checked ids and stop the execution if some id has been checked (similar to how parse_audio_unit handles unitid argument). Reported-by: N Hui Peng <benquike@gmail.com> Reported-by: N Mathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: N Hui Peng <benquike@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: N Takashi Iwai <tiwai@suse.de> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
1fbd141f · Hui Peng · Xie XiuQi · bc6ab391 · 1fbd141f
显示空白变更内容
内联并排

Showing with 27 addition and 8 deletion

sound/usb/mixer.c sound/usb/mixer.c +27 -8

未找到文件。
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -83,6 +83,7 @@ struct mixer_build {
 	unsigned char *buffer;
 	unsigned int buflen;
 	DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
+	DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
 	struct usb_audio_term oterm;
 	const struct usbmix_name_map *map;
 	const struct usbmix_selector_map *selector_map;
@@ -790,16 +791,25 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
 * parse the source unit recursively until it reaches to a terminal
 * or a branched unit.
 */
-static int check_input_term(struct mixer_build *state, int id,
+static int __check_input_term(struct mixer_build *state, int id,
 			    struct usb_audio_term *term)
 {
 	int protocol = state->mixer->protocol;
 	int err;
 	void *p1;
+	unsigned char *hdr;
 	memset(term, 0, sizeof(*term));
-	while ((p1 = find_audio_control_unit(state, id)) != NULL) {
+	for (;;) {
-		unsigned char *hdr = p1;
+		/* a loop in the terminal chain? */
+		if (test_and_set_bit(id, state->termbitmap))
+			return -EINVAL;
+		p1 = find_audio_control_unit(state, id);
+		if (!p1)
+			break;
+		hdr = p1;
 		term->id = id;
 		if (protocol == UAC_VERSION_1 || protocol == UAC_VERSION_2) {
@@ -817,7 +827,7 @@ static int check_input_term(struct mixer_build *state, int id,
 					/* call recursively to verify that the
 					 * referenced clock entity is valid */
-					err = check_input_term(state, d->bCSourceID, term);
+					err = __check_input_term(state, d->bCSourceID, term);
 					if (err < 0)
 						return err;
@@ -851,7 +861,7 @@ static int check_input_term(struct mixer_build *state, int id,
 			case UAC2_CLOCK_SELECTOR: {
 				struct uac_selector_unit_descriptor *d = p1;
 				/* call recursively to retrieve the channel info */
-				err = check_input_term(state, d->baSourceID[0], term);
+				err = __check_input_term(state, d->baSourceID[0], term);
 				if (err < 0)
 					return err;
 				term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
@@ -914,7 +924,7 @@ static int check_input_term(struct mixer_build *state, int id,
 				/* call recursively to verify that the
 				 * referenced clock entity is valid */
-				err = check_input_term(state, d->bCSourceID, term);
+				err = __check_input_term(state, d->bCSourceID, term);
 				if (err < 0)
 					return err;
@@ -965,7 +975,7 @@ static int check_input_term(struct mixer_build *state, int id,
 			case UAC3_CLOCK_SELECTOR: {
 				struct uac_selector_unit_descriptor *d = p1;
 				/* call recursively to retrieve the channel info */
-				err = check_input_term(state, d->baSourceID[0], term);
+				err = __check_input_term(state, d->baSourceID[0], term);
 				if (err < 0)
 					return err;
 				term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
@@ -981,7 +991,7 @@ static int check_input_term(struct mixer_build *state, int id,
 					return -EINVAL;
 				/* call recursively to retrieve the channel info */
-				err = check_input_term(state, d->baSourceID[0], term);
+				err = __check_input_term(state, d->baSourceID[0], term);
 				if (err < 0)
 					return err;
@@ -999,6 +1009,15 @@ static int check_input_term(struct mixer_build *state, int id,
 	return -ENODEV;
 }
+static int check_input_term(struct mixer_build *state, int id,
+			    struct usb_audio_term *term)
+{
+	memset(term, 0, sizeof(*term));
+	memset(state->termbitmap, 0, sizeof(state->termbitmap));
+	return __check_input_term(state, id, term);
+}
 /*
 * Feature Unit
 */