On Fri, 15 Nov 2024 14:08:33 +0100,
Benoit Sevens wrote:
>
> A bogus devices can provide a bNumConfigurations value that exceeds the
> initial value used in usb_get_configuration for allocating dev->config.
>
> This can lead to out-of-bounds accesses later, e.g. in
> usb_destroy_configuration.
It'd be more helpful if you can elaborate how it can happen; the code
you touched doesn't call much stuff, just send a boot sequence and
reset the configuration. Yet your patch tries to overwrite a
usb_device field, which isn't really a task for the driver side.
thanks,
Takashi
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Benoit Sevens <bsevens@xxxxxxxxxx>
> ---
> sound/usb/quirks.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
> index c5fd180357d1..970d36d13ad8 100644
> --- a/sound/usb/quirks.c
> +++ b/sound/usb/quirks.c
> @@ -555,6 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
> static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
> {
> struct usb_host_config *config = dev->actconfig;
> + int num_configs;
> int err;
>
> if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
> @@ -565,8 +566,11 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac
> 0x10, 0x43, 0x0001, 0x000a, NULL, 0);
> if (err < 0)
> dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
> + num_configs = dev->descriptor.bNumConfigurations;
> err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
> &dev->descriptor, sizeof(dev->descriptor));
> + if (dev->descriptor.bNumConfigurations > num_configs)
> + dev->descriptor.bNumConfigurations = num_configs;
> config = dev->actconfig;
> if (err < 0)
> dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
> --
> 2.47.0.338.g60cca15819-goog
>
[Index of Archives]
[Pulseaudio]
[Linux Audio Users]
[ALSA Devel]
[Fedora Desktop]
[Fedora SELinux]
[Big List of Linux Books]
[Yosemite News]
[KDE Users]
