From daac07156b330b18eb5071aec4b3ddca1c377f2c Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Tue, 13 Aug 2019 22:34:04 -0400
Subject: [PATCH] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
References: CVE-2019-15117,bsc#1145920
Git-commit: daac07156b330b18eb5071aec4b3ddca1c377f2c
Patch-mainline: v5.3-rc5
The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.
```
struct uac_mixer_unit_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__u8 bDescriptorSubtype;
__u8 bUnitID;
__u8 bNrInPins;
__u8 baSourceID[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/usb/mixer.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1701,6 +1701,9 @@ static int parse_audio_mixer_unit(struct
return -EINVAL;
}
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
+ return -EINVAL;
+
num_ins = 0;
ich = 0;
for (pin = 0; pin < input_pins; pin++) {