• Jaejoong Kim's avatar
    ALSA: usb-audio: Fix out-of-bound error · 251552a2
    Jaejoong Kim authored
    The snd_usb_copy_string_desc() retrieves the usb string corresponding to
    the index number through the usb_string(). The problem is that the
    usb_string() returns the length of the string (>= 0) when successful, but
    it can also return a negative value about the error case or status of
    usb_control_msg().
    
    If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
    This will result in '0' being inserted into buf[-22], and the following
    KASAN out-of-bound error message will be output.
    
    AudioControl Interface Descriptor:
      bLength                 8
      bDescriptorType        36
      bDescriptorSubtype     10 (CLOCK_SOURCE)
      bClockID                1
      bmAttributes         0x07 Internal programmable Clock (synced to SOF)
      bmControls           0x07
      Clock Frequency Control (read/write)
      Clock Validity Control (read-only)
      bAssocTerminal          0
      iClockSource            0
    
    To fix it, check usb_string()'return value and bail out.
    
    ==================================================================
    BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
    Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
    
    CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
    Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
    Call Trace:
    dump_stack+0x63/0x8d
    print_address_description+0x70/0x290
    ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
    kasan_report+0x265/0x350
    __asan_store1+0x4a/0x50
    parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
    ? save_stack+0xb5/0xd0
    ? save_stack_trace+0x1b/0x20
    ? save_stack+0x46/0xd0
    ? kasan_kmalloc+0xad/0xe0
    ? kmem_cache_alloc_trace+0xff/0x230
    ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
    ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
    ? usb_probe_interface+0x1f5/0x440
    ? driver_probe_device+0x3ed/0x660
    ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
    ? save_stack_trace+0x1b/0x20
    ? init_object+0x69/0xa0
    ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
    snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
    ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
    ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
    ? kmem_cache_alloc_trace+0xff/0x230
    ? usb_ifnum_to_if+0xbd/0xf0
    snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
    ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
    usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
    ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
    ? __pm_runtime_idle+0x90/0x90
    ? kernfs_activate+0xa6/0xc0
    ? usb_match_one_id_intf+0xdc/0x130
    ? __pm_runtime_set_status+0x2d4/0x450
    usb_probe_interface+0x1f5/0x440
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    251552a2
mixer.c 71.1 KB