releases/3.18.85/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch

   1 From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
   2 From: Takashi Iwai <tiwai@suse.de>
   3 Date: Tue, 21 Nov 2017 16:55:51 +0100
   4 Subject: ALSA: usb-audio: Add sanity checks to FE parser
   5
   6 From: Takashi Iwai <tiwai@suse.de>
   7
   8 commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
   9
  10 When the usb-audio descriptor contains the malformed feature unit
  11 description with a too short length, the driver may access
  12 out-of-bounds.  Add a sanity check of the header size at the beginning
  13 of parse_audio_feature_unit().
  14
  15 Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
  16 Reported-by: Andrey Konovalov <andreyknvl@google.com>
  17 Signed-off-by: Takashi Iwai <tiwai@suse.de>
  18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19
  20 ---
  21  sound/usb/mixer.c |   12 ++++++++++++
  22  1 file changed, 12 insertions(+)
  23
  24 --- a/sound/usb/mixer.c
  25 +++ b/sound/usb/mixer.c
  26 @@ -1373,6 +1373,12 @@ static int parse_audio_feature_unit(stru
  27         __u8 *bmaControls;
  28
  29         if (state->mixer->protocol == UAC_VERSION_1) {
  30 +               if (hdr->bLength < 7) {
  31 +                       usb_audio_err(state->chip,
  32 +                                     "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
  33 +                                     unitid);
  34 +                       return -EINVAL;
  35 +               }
  36                 csize = hdr->bControlSize;
  37                 if (!csize) {
  38                         usb_audio_dbg(state->chip,
  39 @@ -1390,6 +1396,12 @@ static int parse_audio_feature_unit(stru
  40                 }
  41         } else {
  42                 struct uac2_feature_unit_descriptor *ftr = _ftr;
  43 +               if (hdr->bLength < 6) {
  44 +                       usb_audio_err(state->chip,
  45 +                                     "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
  46 +                                     unitid);
  47 +                       return -EINVAL;
  48 +               }
  49                 csize = 4;
  50                 channels = (hdr->bLength - 6) / 4 - 1;
  51                 bmaControls = ftr->bmaControls;