renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-22 04:03:58 +08:00
Code
bfc81a8bc1
linux-next/sound/usb
History
Takashi Iwai bfc81a8bc1 ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor 
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser.  This was detected by syzkaller, something like:

  BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
  Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x22f/0x340 mm/kasan/report.c:409
   __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
   snd_usb_create_streams sound/usb/card.c:248
   usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
   generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
   usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
   hub_port_connect drivers/usb/core/hub.c:4903
   hub_port_connect_change drivers/usb/core/hub.c:5009
   port_event drivers/usb/core/hub.c:5115
   hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
   process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
   worker_thread+0x221/0x1850 kernel/workqueue.c:2253
   kthread+0x3a1/0x470 kernel/kthread.c:231
   ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-22 16:21:31 +02:00
..
6fire ALSA: 6fire: Use common error handling code in usb6fire_chip_probe() 2017-09-07 10:29:35 +02:00
bcd2000 ALSA: bcd2000: constify usb_device_id. 2017-08-06 22:20:08 +02:00
caiaq ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
hiface ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
line6 ALSA: line6: remove unnecessary initialization to PODHD500X 2017-06-20 07:51:22 +02:00
misc ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
usx2y ALSA: usx2y: Use common error handling code in submit_urbs() 2017-09-07 10:28:30 +02:00
card.c ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor 2017-09-22 16:21:31 +02:00
card.h ALSA: usb: use TEAC UD-H01 quirk for more devices 2016-08-22 11:39:56 +02:00
clock.c ALSA: usb-audio: Limit retrying sample rate reads 2016-04-29 11:49:04 +02:00
clock.h ALSA: usb-audio: UAC2: do clock validity check earlier 2013-04-04 08:30:59 +02:00
debug.h ALSA: usb-audio: make hwc_debug a noop in case HW_CONST_DEBUG is not set 2011-05-18 11:44:35 +02:00
endpoint.c ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion 2017-01-05 07:35:17 +01:00
endpoint.h ALSA: usb-audio: Fix irq/process data synchronization 2017-01-05 07:35:00 +01:00
format.c ALSA: usb-audio: rmove print for failure of kmalloc 2016-08-22 11:41:02 +02:00
format.h ALSA: usb-audio: store protocol version in struct audioformat 2013-06-27 21:59:47 +02:00
helper.c ALSA: usb-audio: correct speed checking 2016-05-08 11:42:04 +02:00
helper.h ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
Kconfig ALSA: us122l: enable compile testing 2017-05-15 11:02:14 +02:00
Makefile ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk 2017-02-20 10:59:54 +01:00
midi.c ALSA: usb-audio: Put missing KERN_CONT prefix 2017-08-31 11:02:13 +02:00
midi.h ALSA: usb-audio: Refer to chip->usb_id for quirks and MIDI creation 2016-01-29 07:36:10 +01:00
mixer_maps.c ALSA: usb-audio: Change structure initialisation to C99 style 2016-06-17 16:58:41 +02:00
mixer_quirks.c ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices 2017-08-17 17:52:16 +02:00
mixer_quirks.h ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly 2015-12-14 10:13:17 +01:00
mixer_scarlett.c ALSA: usb-audio: constify snd_kcontrol_new structures 2017-02-21 22:02:03 +01:00
mixer_scarlett.h ALSA: usb-audio: Scarlett mixer interface for 6i6, 18i6, 18i8 and 18i20 2014-11-13 07:32:39 +01:00
mixer_us16x08.c ALSA: usb: Avoid VLA in mixer_us16x08.c 2017-05-31 08:46:19 +02:00
mixer_us16x08.h ALSA: usb-audio: Fix memory leak and corruption in mixer_us16x08.c 2017-02-22 14:24:09 +01:00
mixer.c Merge branch 'for-linus' into for-next 2017-08-22 15:44:45 +02:00
mixer.h ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices 2017-08-17 17:52:16 +02:00
pcm.c ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
pcm.h ALSA: usb: refine delay information with USB frame counter 2011-09-12 10:30:20 +02:00
power.h ALSA: usbaudio: implement USB autosuspend 2011-03-11 14:59:29 +01:00
proc.c ALSA: usb-audio: Avoid nested autoresume calls 2015-08-26 15:38:25 +02:00
proc.h ALSA: usb-audio: refactor code 2010-03-05 08:17:14 +01:00
quirks-table.h ALSA: usb-audio: Add quirk for Syntek STK1160 2016-10-27 12:07:19 +02:00
quirks.c ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M 2017-09-20 22:14:40 +02:00
quirks.h ALSA: usb-audio: Refer to chip->usb_id for quirks and MIDI creation 2016-01-29 07:36:10 +01:00
stream.c ALSA: usb: Delete an error message for a failed memory allocation in two functions 2017-08-12 23:20:55 +02:00
stream.h ALSA: snd-usb: re-order code 2011-09-14 17:07:02 +02:00
usbaudio.h Merge branch 'for-linus' into for-next 2016-05-10 16:06:04 +02:00