Re: [PATCH] Fix an OOB bug in parse_audio_mixer_unit

彭辉 <benquike@xxxxxxxxx> · Wed, 14 Aug 2019 12:52:07 -0400

Hi, Takashi:

Thanks for the guide.
The new patch is confirmed and attached.

On Wed, Aug 14, 2019 at 12:33 PM Takashi Iwai <tiwai@xxxxxxx> wrote:

> On Wed, 14 Aug 2019 18:28:39 +0200,
> 彭辉 wrote:
> >
> > Hi, Takashi:
> > Here the problem is that `desc->bLength` is controlled by the device
> side,
> > so  `desc->bLength` may not represent the real length of the descriptor.
> > That is why I use pointer arithmetic operations to derive the real size
> of the
> > buffer
> > in my patch.
>
> But bLength is checked before calling this, i.e. it's already assured
> that bLength fits within the buffer limit.  So, the result calls don't
> have to care about the buffer limit itself, and they can just
> concentrate on overflow over bLength.
>
>
> thanks,
>
> Takashi
>
> >
> > On Wed, Aug 14, 2019 at 2:36 AM Takashi Iwai <tiwai@xxxxxxx> wrote:
> >
> >     On Wed, 14 Aug 2019 04:36:24 +0200,
> >     Hui Peng wrote:
> >     >
> >     > The `uac_mixer_unit_descriptor` shown as below is read from the
> >     > device side. In `parse_audio_mixer_unit`, `baSourceID` field is
> >     > accessed from index 0 to `bNrInPins` - 1, the current
> implementation
> >     > assumes that descriptor is always valid (the length  of descriptor
> >     > is no shorter than 5 + `bNrInPins`). If a descriptor read from
> >     > the device side is invalid, it may trigger out-of-bound memory
> >     > access.
> >     >
> >     > ```
> >     > struct uac_mixer_unit_descriptor {
> >     >       __u8 bLength;
> >     >       __u8 bDescriptorType;
> >     >       __u8 bDescriptorSubtype;
> >     >       __u8 bUnitID;
> >     >       __u8 bNrInPins;
> >     >       __u8 baSourceID[];
> >     > }
> >     > ```
> >     >
> >     > This patch fixes the bug by add a sanity check on the length of
> >     > the descriptor.
> >     >
> >     > Signed-off-by: Hui Peng <benquike@xxxxxxxxx>
> >     > Reported-by: Hui Peng <benquike@xxxxxxxxx>
> >     > Reported-by: Mathias Payer <mathias.payer@xxxxxxxxxxxxx>
> >     > ---
> >     >  sound/usb/mixer.c | 9 +++++++++
> >     >  1 file changed, 9 insertions(+)
> >     >
> >     > diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> >     > index 7498b5191b68..38202ce67237 100644
> >     > --- a/sound/usb/mixer.c
> >     > +++ b/sound/usb/mixer.c
> >     > @@ -2091,6 +2091,15 @@ static int parse_audio_mixer_unit(struct
> >     mixer_build *state, int unitid,
> >     >       struct usb_audio_term iterm;
> >     >       int input_pins, num_ins, num_outs;
> >     >       int pin, ich, err;
> >     > +     int desc_len = (int) ((unsigned long) state->buffer +
> >     > +                     state->buflen - (unsigned long) raw_desc);
> >     > +
> >     > +     if (desc_len < sizeof(*desc) + desc->bNrInPins) {
> >     > +             usb_audio_err(state->chip,
> >     > +                           "descriptor %d too short\n",
> >     > +                           unitid);
> >     > +             return -EINVAL;
> >     > +     }
> >     >
> >     >       err = uac_mixer_unit_get_channels(state, desc);
> >     >       if (err < 0) {
> >
> >     Hm, what is the desc->bLength value in the error case?
> >
> >     Basically the buffer boundary is already checked against bLength in
> >     snd_usb_find_desc() which is called from obtaining the raw_desc in
> the
> >     caller of this function (parse_audio_unit()).
> >
> >     So, if any, we need to check bLength for the possible overflow like
> >     below.
> >
> >     thanks,
> >
> >     Takashi
> >
> >     --- a/sound/usb/mixer.c
> >     +++ b/sound/usb/mixer.c
> >     @@ -744,6 +744,8 @@ static int uac_mixer_unit_get_channels(struct
> >     mixer_build *state,
> >                     return -EINVAL;
> >             if (!desc->bNrInPins)
> >                     return -EINVAL;
> >     +       if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
> >     +               return -EINVAL;
> >
> >             switch (state->mixer->protocol) {
> >             case UAC_VERSION_1:
> >
> > --
> > May the Lord Richly Bless you and yours !
> >
> >
>


-- 
May the *Lord* Richly Bless you and yours !
From da17e2db04d29d39f3298738badd036cf3f256d2 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@xxxxxxxxx>
Date: Tue, 13 Aug 2019 22:34:04 -0400
Subject: [PATCH] Fix an OOB bug in parse_audio_mixer_unit

The `uac_mixer_unit_descriptor` shown as below is read from the
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
accessed from index 0 to `bNrInPins` - 1, the current implementation
assumes that descriptor is always valid (the length  of descriptor
is no shorter than 5 + `bNrInPins`). If a descriptor read from
the device side is invalid, it may trigger out-of-bound memory
access.

```
struct uac_mixer_unit_descriptor {
	__u8 bLength;
	__u8 bDescriptorType;
	__u8 bDescriptorSubtype;
	__u8 bUnitID;
	__u8 bNrInPins;
	__u8 baSourceID[];
}
```

This patch fixes the bug by add a sanity check on the length of
the descriptor.

Signed-off-by: Hui Peng <benquike@xxxxxxxxx>
Reported-by: Hui Peng <benquike@xxxxxxxxx>
Reported-by: Mathias Payer <mathias.payer@xxxxxxxxxxxxx>
---
 sound/usb/mixer.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 7498b5191b68..ea487378be17 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -744,6 +744,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
 		return -EINVAL;
 	if (!desc->bNrInPins)
 		return -EINVAL;
+	if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
+		return -EINVAL;
 
 	switch (state->mixer->protocol) {
 	case UAC_VERSION_1:
-- 
2.22.1

_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel




