ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
authorHui Peng <benquike@gmail.com>
Thu, 15 Aug 2019 04:31:34 +0000 (00:31 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Aug 2019 08:47:47 +0000 (10:47 +0200)
commit46f9a1bc60a4c15a14a6504168cee1c2e0bf3ab4
tree71eb238d5ee2d226d3452de27a539fc2ffa949c4
parentd5bb1240280526d644095e98e505e73de753371a
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term

commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.

`check_input_term` recursively calls itself with input from
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
endless recursive call, resulting kernel space stack overflow.

This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has been checked (similar to how parse_audio_unit handles unitid
argument).

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/usb/mixer.c