ALSA: usb-audio: Always check descriptor sizes in parser code

commit 3e96d7280f16e2f787307f695a31296b9e4a1cd7 upstream.

There are a few places where we access the data without checking the
actual object size from the USB audio descriptor.  This may result in
OOB access, as recently reported.

This patch addresses these missing checks.  Most of added codes are
simple bLength checks in the caller side.  For the input and output
terminal parsers, we put the length check in the parser functions.
For the input terminal, a new argument is added to distinguish between
UAC1 and the rest, as they treat different objects.

Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reported-by: Hui Peng <benquike@163.com>
Tested-by: Hui Peng <benquike@163.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/sound/usb/card.c b/sound/usb/card.c
index a105947..746a72e 100644 (file)
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -246,7 +246,7 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
                h1 = snd_usb_find_csint_desc(host_iface->extra,
                                                         host_iface->extralen,
                                                         NULL, UAC_HEADER);
-               if (!h1) {
+               if (!h1 || h1->bLength < sizeof(*h1)) {
                        dev_err(&dev->dev, "cannot find UAC_HEADER\n");
                        return -EINVAL;
                }

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index dfd9188..e7d441d 100644 (file)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2075,11 +2075,15 @@ static int parse_audio_input_terminal(struct mixer_build *state, int unitid,
 
        if (state->mixer->protocol == UAC_VERSION_2) {
                struct uac2_input_terminal_descriptor *d_v2 = raw_desc;
+               if (d_v2->bLength < sizeof(*d_v2))
+                       return -EINVAL;
                control = UAC2_TE_CONNECTOR;
                term_id = d_v2->bTerminalID;
                bmctls = le16_to_cpu(d_v2->bmControls);
        } else if (state->mixer->protocol == UAC_VERSION_3) {
                struct uac3_input_terminal_descriptor *d_v3 = raw_desc;
+               if (d_v3->bLength < sizeof(*d_v3))
+                       return -EINVAL;
                control = UAC3_TE_INSERTION;
                term_id = d_v3->bTerminalID;
                bmctls = le32_to_cpu(d_v3->bmControls);

diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 67cf849..d9e3de4 100644 (file)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -596,12 +596,8 @@ static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
                csep = snd_usb_find_desc(alts->extra, alts->extralen, NULL, USB_DT_CS_ENDPOINT);
 
        if (!csep || csep->bLength < 7 ||
-           csep->bDescriptorSubtype != UAC_EP_GENERAL) {
-               usb_audio_warn(chip,
-                              "%u:%d : no or invalid class specific endpoint descriptor\n",
-                              iface_no, altsd->bAlternateSetting);
-               return 0;
-       }
+           csep->bDescriptorSubtype != UAC_EP_GENERAL)
+               goto error;
 
        if (protocol == UAC_VERSION_1) {
                attributes = csep->bmAttributes;
@@ -609,6 +605,8 @@ static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
                struct uac2_iso_endpoint_descriptor *csep2 =
                        (struct uac2_iso_endpoint_descriptor *) csep;
 
+               if (csep2->bLength < sizeof(*csep2))
+                       goto error;
                attributes = csep->bmAttributes & UAC_EP_CS_ATTR_FILL_MAX;
 
                /* emulate the endpoint attributes of a v1 device */
@@ -618,12 +616,20 @@ static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
                struct uac3_iso_endpoint_descriptor *csep3 =
                        (struct uac3_iso_endpoint_descriptor *) csep;
 
+               if (csep3->bLength < sizeof(*csep3))
+                       goto error;
                /* emulate the endpoint attributes of a v1 device */
                if (le32_to_cpu(csep3->bmControls) & UAC2_CONTROL_PITCH)
                        attributes |= UAC_EP_CS_ATTR_PITCH_CONTROL;
        }
 
        return attributes;
+
+ error:
+       usb_audio_warn(chip,
+                      "%u:%d : no or invalid class specific endpoint descriptor\n",
+                      iface_no, altsd->bAlternateSetting);
+       return 0;
 }
 
 /* find an input terminal descriptor (either UAC1 or UAC2) with the given
@@ -631,13 +637,17 @@ static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
  */
 static void *
 snd_usb_find_input_terminal_descriptor(struct usb_host_interface *ctrl_iface,
-                                              int terminal_id)
+                                      int terminal_id, bool uac23)
 {
        struct uac2_input_terminal_descriptor *term = NULL;
+       size_t minlen = uac23 ? sizeof(struct uac2_input_terminal_descriptor) :
+               sizeof(struct uac_input_terminal_descriptor);
 
        while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
                                               ctrl_iface->extralen,
                                               term, UAC_INPUT_TERMINAL))) {
+               if (term->bLength < minlen)
+                       continue;
                if (term->bTerminalID == terminal_id)
                        return term;
        }
@@ -655,7 +665,8 @@ snd_usb_find_output_terminal_descriptor(struct usb_host_interface *ctrl_iface,
        while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
                                               ctrl_iface->extralen,
                                               term, UAC_OUTPUT_TERMINAL))) {
-               if (term->bTerminalID == terminal_id)
+               if (term->bLength >= sizeof(*term) &&
+                   term->bTerminalID == terminal_id)
                        return term;
        }
 
@@ -729,7 +740,8 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
                format = le16_to_cpu(as->wFormatTag); /* remember the format value */
 
                iterm = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
-                                                            as->bTerminalLink);
+                                                              as->bTerminalLink,
+                                                              false);
                if (iterm) {
                        num_channels = iterm->bNrChannels;
                        chconfig = le16_to_cpu(iterm->wChannelConfig);
@@ -764,7 +776,8 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
                 * to extract the clock
                 */
                input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
-                                                                   as->bTerminalLink);
+                                                                   as->bTerminalLink,
+                                                                   true);
                if (input_term) {
                        clock = input_term->bCSourceID;
                        if (!chconfig && (num_channels == input_term->bNrChannels))
@@ -998,7 +1011,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
         * to extract the clock
         */
        input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
-                                                           as->bTerminalLink);
+                                                           as->bTerminalLink,
+                                                           true);
        if (input_term) {
                clock = input_term->bCSourceID;
                goto found_clock;