From: Greg Kroah-Hartman Date: Tue, 17 Dec 2024 15:32:01 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.4.288~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e86266cec087338500dc7d8b28097ea35cc17fc7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch --- diff --git a/queue-5.15/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch b/queue-5.15/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch new file mode 100644 index 00000000000..bf64d2bf4ea --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch @@ -0,0 +1,96 @@ +From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 2 Dec 2024 15:57:54 +0300 +Subject: ALSA: usb-audio: Fix a DMA to stack memory bug + +From: Dan Carpenter + +commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream. + +The usb_get_descriptor() function does DMA so we're not allowed +to use a stack buffer for that. Doing DMA to the stack is not portable +all architectures. Move the "new_device_descriptor" from being stored +on the stack and allocate it with kmalloc() instead. + +Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") +Cc: stable@kernel.org +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Benoît Sevens +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -591,7 +591,7 @@ int snd_usb_create_quirk(struct snd_usb_ + static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) + { + struct usb_host_config *config = dev->actconfig; +- struct usb_device_descriptor new_device_descriptor; ++ struct usb_device_descriptor *new_device_descriptor = NULL; + int err; + + if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || +@@ -602,15 +602,20 @@ static int snd_usb_extigy_boot_quirk(str + 0x10, 0x43, 0x0001, 0x000a, NULL, 0); + if (err < 0) + dev_dbg(&dev->dev, "error sending boot message: %d\n", err); ++ ++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); ++ if (!new_device_descriptor) ++ return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &new_device_descriptor, sizeof(new_device_descriptor)); ++ new_device_descriptor, sizeof(*new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); +- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) + dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", +- new_device_descriptor.bNumConfigurations); ++ new_device_descriptor->bNumConfigurations); + else +- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ kfree(new_device_descriptor); + err = usb_reset_configuration(dev); + if (err < 0) + dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); +@@ -942,7 +947,7 @@ static void mbox2_setup_48_24_magic(stru + static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; +- struct usb_device_descriptor new_device_descriptor; ++ struct usb_device_descriptor *new_device_descriptor = NULL; + int err; + u8 bootresponse[0x12]; + int fwsize; +@@ -977,15 +982,21 @@ static int snd_usb_mbox2_boot_quirk(stru + + dev_dbg(&dev->dev, "device initialised!\n"); + ++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); ++ if (!new_device_descriptor) ++ return -ENOMEM; ++ + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &new_device_descriptor, sizeof(new_device_descriptor)); ++ new_device_descriptor, sizeof(*new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); +- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) + dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", +- new_device_descriptor.bNumConfigurations); ++ new_device_descriptor->bNumConfigurations); + else +- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ ++ kfree(new_device_descriptor); + + err = usb_reset_configuration(dev); + if (err < 0) diff --git a/queue-5.15/series b/queue-5.15/series index 45f080cc979..fb148a49065 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -48,3 +48,4 @@ x86-xen-don-t-do-pv-iret-hypercall-through-hypercall-page.patch x86-xen-add-central-hypercall-functions.patch x86-xen-use-new-hypercall-functions-instead-of-hypercall-page.patch x86-xen-remove-hypercall-page.patch +alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch