From 8d9ce2c287c555277bac9b2cec29cdc5add9616c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 9 Sep 2022 20:38:49 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
---
 ...apture-data-when-using-jiffies-timer.patch | 49 ++++++++++++++
 ...ess-in-snd_emu10k1_pcm_channel_alloc.patch | 66 +++++++++++++++++++
 ...g-in-__snd_usb_parse_audio_interface.patch | 34 ++++++++++
 queue-4.9/series | 3 +
 4 files changed, 152 insertions(+)
 create mode 100644 queue-4.9/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
 create mode 100644 queue-4.9/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
 create mode 100644 queue-4.9/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
diff --git a/queue-4.9/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch b/queue-4.9/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
new file mode 100644
index 00000000000..e86577e90ed
--- /dev/null
+++ b/queue-4.9/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
@@ -0,0 +1,49 @@
+From 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 Mon Sep 17 00:00:00 2001
+From: Pattara Teerapong
+Date: Thu, 1 Sep 2022 14:40:36 +0000
+Subject: ALSA: aloop: Fix random zeros in capture data when using jiffies timer
+
+From: Pattara Teerapong
+
+commit 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 upstream.
+
+In loopback_jiffies_timer_pos_update(), we are getting jiffies twice.
+First time for playback, second time for capture. Jiffies can be updated
+between these two calls and if the capture jiffies is larger, extra zeros
+will be filled in the capture buffer.
+
+Change to get jiffies once and use it for both playback and capture.
+
+Signed-off-by: Pattara Teerapong
+Cc:
+Link: https://lore.kernel.org/r/20220901144036.4049060-1-pteerapong@chromium.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/drivers/aloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -477,17 +477,18 @@ static unsigned int loopback_pos_update(
+ cable->streams[SNDRV_PCM_STREAM_PLAYBACK];
+ struct loopback_pcm *dpcm_capt =
+ cable->streams[SNDRV_PCM_STREAM_CAPTURE];
+- unsigned long delta_play = 0, delta_capt = 0;
++ unsigned long delta_play = 0, delta_capt = 0, cur_jiffies;
+ unsigned int running, count1, count2;
+
++ cur_jiffies = jiffies;
+ running = cable->running ^ cable->pause;
+ if (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) {
+- delta_play = jiffies - dpcm_play->last_jiffies;
++ delta_play = cur_jiffies - dpcm_play->last_jiffies;
+ dpcm_play->last_jiffies += delta_play;
+ }
+
+ if (running & (1 << SNDRV_PCM_STREAM_CAPTURE)) {
+- delta_capt = jiffies - dpcm_capt->last_jiffies;
++ delta_capt = cur_jiffies - dpcm_capt->last_jiffies;
+ dpcm_capt->last_jiffies += delta_capt;
+ }
+
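Review bot: The added `cur_jiffies = jiffies;` snapshot is the whole fix, yet nothing in the new code records why `jiffies` must not be read a second time in the capture branch, so a later cleanup could quietly bring the skew back. A one-line comment above the assignment would pin the intent, for example `/* read jiffies once so playback and capture are advanced from the same timestamp */`. The function starts before this hunk and continues past it, so whether later code reads `jiffies` again cannot be checked from here.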
diff --git a/queue-4.9/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch b/queue-4.9/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
new file mode 100644
index 00000000000..1c95a97fce3
--- /dev/null
+++ b/queue-4.9/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
@@ -0,0 +1,66 @@
+From d29f59051d3a07b81281b2df2b8c9dfe4716067f Mon Sep 17 00:00:00 2001
+From: Tasos Sahanidis
+Date: Wed, 7 Sep 2022 04:18:00 +0300
+Subject: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
+
+From: Tasos Sahanidis
+
+commit d29f59051d3a07b81281b2df2b8c9dfe4716067f upstream.
+
+The voice allocator sometimes begins allocating from near the end of the
+array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
+accesses the newly allocated voices as if it never wrapped around.
+
+This results in out of bounds access if the first voice has a high enough
+index so that first_voice + requested_voice_count > NUM_G (64).
+The more voices are requested, the more likely it is for this to occur.
+
+This was initially discovered using PipeWire, however it can be reproduced
+by calling aplay multiple times with 16 channels:
+aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero
+
+UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
+index 65 is out of range for type 'snd_emu10k1_voice [64]'
+CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
+Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
+Call Trace:
+
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+ubsan_epilogue+0x9/0x3f
+__ubsan_handle_out_of_bounds.cold+0x44/0x49
+snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
+snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
+snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
+? exit_to_user_mode_prepare+0x35/0x170
+? do_syscall_64+0x69/0x90
+? syscall_exit_to_user_mode+0x26/0x50
+? do_syscall_64+0x69/0x90
+? exit_to_user_mode_prepare+0x35/0x170
+snd_pcm_ioctl+0x27/0x40 [snd_pcm]
+__x64_sys_ioctl+0x95/0xd0
+do_syscall_64+0x5c/0x90
+? do_syscall_64+0x69/0x90
+? do_syscall_64+0x69/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Signed-off-by: Tasos Sahanidis
+Cc:
+Link: https://lore.kernel.org/r/3707dcab-320a-62ff-63c0-73fc201ef756@tasossah.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/emu10k1/emupcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/emu10k1/emupcm.c
++++ b/sound/pci/emu10k1/emupcm.c
+@@ -137,7 +137,7 @@ static int snd_emu10k1_pcm_channel_alloc
+ epcm->voices[0]->epcm = epcm;
+ if (voices > 1) {
+ for (i = 1; i < voices; i++) {
+- epcm->voices[i] = &epcm->emu->voices[epcm->voices[0]->number + i];
++ epcm->voices[i] = &epcm->emu->voices[(epcm->voices[0]->number + i) % NUM_G];
+ epcm->voices[i]->epcm = epcm;
+ }
+ }
diff --git a/queue-4.9/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch b/queue-4.9/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
new file mode 100644
index 00000000000..49769e0b32f
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
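Review bot: The `% NUM_G` on the changed line inside `for (i = 1; i < voices; i++)` is only correct if the allocator reserved the voices contiguously modulo the same `NUM_G`; the commit message says the allocator wraps, but the allocator itself is not visible in this hunk. Because this is a backport to 4.9, it is worth confirming that the 4.9 allocator wraps the same way as upstream. Any other code that derives the second and later voices from `epcm->voices[0]->number + i` would need the same wrap, which cannot be checked from here. A short comment on the changed line, such as `/* the voice allocator may wrap past NUM_G - 1 */`, would record the invariant the index now depends on. The function starts before this hunk and continues after it.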
@@ -0,0 +1,34 @@
+From e53f47f6c1a56d2af728909f1cb894da6b43d9bf Mon Sep 17 00:00:00 2001
+From: Dongxiang Ke
+Date: Tue, 6 Sep 2022 10:49:28 +0800
+Subject: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
+
+From: Dongxiang Ke
+
+commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf upstream.
+
+There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
+the number of it's interfaces less than 4, an out-of-bounds read bug occurs
+when parsing the interface descriptor for this device.
+
+Fix this by checking the number of interfaces.
+
+Signed-off-by: Dongxiang Ke
+Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -502,7 +502,7 @@ int snd_usb_parse_audio_interface(struct
+ * Dallas DS4201 workaround: It presents 5 altsettings, but the last
+ * one misses syncpipe, and does not produce any sound.
+ */
+- if (chip->usb_id == USB_ID(0x04fa, 0x4201))
++ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
+ num = 4;
+
+ for (i = 0; i < num; i++) {
diff --git a/queue-4.9/series b/queue-4.9/series
index 59a735e67de..409eb038a7f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -26,3 +26,6 @@ drm-radeon-add-a-force-flush-to-delay-work-when-rade.patch
 parisc-ccio-dma-handle-kmalloc-failure-in-ccio_init_.patch
 parisc-add-runtime-check-to-prevent-pa2.0-kernels-on.patch
 fbdev-chipsfb-add-missing-pci_disable_device-in-chip.patch
+alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
+alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
+alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
-- 2.47.3
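Review bot: The comment above the changed `if` still describes only the 5-altsetting case and says nothing about the new `num >= 4` guard, which stops the workaround from raising `num` above what the device reports. Descriptor contents come from the attached device and any device can present this USB ID, so the comment should state the rule, for example `/* only clamp downwards: a device presenting this ID may expose fewer altsettings */`. The condition would also read more directly as `num > 4`, which behaves the same and makes the assignment a pure clamp. The loop `for (i = 0; i < num; i++)` continues outside the hunk, so other uses of `num` cannot be checked from here.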