korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-16 00:34:20 +08:00
Code Issues Packages Projects Releases Wiki Activity
bfc81a8bc1
linux/sound
History
Takashi Iwai bfc81a8bc1 ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor 
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser.  This was detected by syzkaller, something like:

  BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
  Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x22f/0x340 mm/kasan/report.c:409
   __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
   snd_usb_create_streams sound/usb/card.c:248
   usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
   generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
   usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
   hub_port_connect drivers/usb/core/hub.c:4903
   hub_port_connect_change drivers/usb/core/hub.c:5009
   port_event drivers/usb/core/hub.c:5115
   hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
   process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
   worker_thread+0x221/0x1850 kernel/workqueue.c:2253
   kthread+0x3a1/0x470 kernel/kthread.c:231
   ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-22 16:21:31 +02:00
..
aoa ALSA: aoa: Convert to using %pOF instead of full_name 2017-08-29 14:52:17 +02:00
arm ALSA: aaci: constify ac97_pcm structures 2017-08-23 15:53:37 +02:00
atmel ASoC: Updates for v4.14 2017-09-04 14:50:49 +02:00
core ALSA: pcm: Fix structure definition for X32 ABI 2017-09-22 11:23:48 +02:00
drivers ALSA: vx: Put missing KERN_CONT prefix 2017-08-31 11:01:17 +02:00
firewire ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex() 2017-09-12 09:23:26 +02:00
hda ALSA: hda: constify pci_device_id. 2017-07-18 20:01:21 +02:00
i2c ALSA: ak411x: Use array instead of offsetof() 2017-05-17 07:13:03 +02:00
isa ALSA: isa: make snd_pcm_hardware const 2017-08-17 12:44:11 +02:00
mips ALSA: mips: constify snd_pcm_ops structures 2017-08-19 11:02:18 +02:00
oss Annotate hardware config module parameters in sound/oss/ 2017-04-20 12:02:32 +01:00
parisc ALSA: parisc: constify snd_pcm_ops structures 2017-08-19 11:02:19 +02:00
pci ALSA: hda - program ICT bits to support HBR audio 2017-09-20 12:01:01 +02:00
pcmcia ALSA: pcmcia: constify snd_pcm_ops structures 2017-08-19 11:02:21 +02:00
ppc ALSA: ppc: constify snd_pcm_ops structures 2017-08-19 11:02:22 +02:00
sh ALSA: sh: Put missing KERN_* prefix 2017-08-31 11:02:15 +02:00
soc ASoC: Fixes for the CS43130 driver 2017-09-04 18:13:29 +02:00
sparc ALSA: sparc: constify snd_pcm_ops structures 2017-08-19 11:02:24 +02:00
spi ALSA: spi: constify snd_pcm_ops structures 2017-08-19 11:02:26 +02:00
synth ALSA: emux: Delete two error messages for a failed memory allocation in snd_emux_create_port() 2017-08-10 17:55:13 +02:00
usb ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor 2017-09-22 16:21:31 +02:00
x86 main drm pull for v4.13 2017-07-09 18:48:37 -07:00
ac97_bus.c
Kconfig ALSA: synth: Select snd-emux-synth explicitly 2017-06-09 22:10:06 +02:00
last.c
Makefile ALSA: add Intel HDMI LPE audio driver for BYT/CHT-T 2017-01-25 14:23:46 +01:00
sound_core.c