Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config.

This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Benoît Sevens and committed by
Takashi Iwai
b909df18 cc3d0b5d

+21 -6
+21 -6
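--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -555,6 +555,7 @@
 static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
 {
 struct usb_host_config *config = dev->actconfig;
+struct usb_device_descriptor new_device_descriptor;
 int err;
 
 if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -566,10 +567,14 @@
 if (err < 0)
 dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
 err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
-&dev->descriptor, sizeof(dev->descriptor));
-config = dev->actconfig;
+&new_device_descriptor, sizeof(new_device_descriptor));
 if (err < 0)
 dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+new_device_descriptor.bNumConfigurations);
+else
+memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
 err = usb_reset_configuration(dev);
 if (err < 0)
 dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -901,6 +906,7 @@
 static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
 {
 struct usb_host_config *config = dev->actconfig;
+struct usb_device_descriptor new_device_descriptor;
 int err;
 u8 bootresponse[0x12];
 int fwsize;
@@ -936,10 +942,14 @@
 dev_dbg(&dev->dev, "device initialised!\n");
 
 err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
-&dev->descriptor, sizeof(dev->descriptor));
-config = dev->actconfig;
+&new_device_descriptor, sizeof(new_device_descriptor));
 if (err < 0)
 dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+new_device_descriptor.bNumConfigurations);
+else
+memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
 
 err = usb_reset_configuration(dev);
 if (err < 0)
@@ -1249,6 +1259,7 @@
 static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
 {
 struct usb_host_config *config = dev->actconfig;
+struct usb_device_descriptor new_device_descriptor;
 int err;
 int descriptor_size;
 
@@ -1262,10 +1273,14 @@
 dev_dbg(&dev->dev, "MBOX3: device initialised!\n");
 
 err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
-&dev->descriptor, sizeof(dev->descriptor));
-config = dev->actconfig;
+&new_device_descriptor, sizeof(new_device_descriptor));
 if (err < 0)
 dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err);
+if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n",
+new_device_descriptor.bNumConfigurations);
+else
+memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
 
 err = usb_reset_configuration(dev);
 if (err < 0)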
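Review bot: In all three quirks the new `bNumConfigurations` comparison still runs when `usb_get_descriptor()` has failed, because the `if (err < 0)` just above it only logs; `new_device_descriptor` is an uninitialized stack variable, so on failure the check reads indeterminate bytes and the `else` branch can `memcpy` them into `dev->descriptor`. Chaining the test as `else if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)` would leave the cached descriptor untouched on error. If usb_get_descriptor() can return fewer bytes than requested (it appears to return the received length), also comparing `err` against `sizeof(new_device_descriptor)` would cover a truncated reply, since bNumConfigurations is the last field of the descriptor. The same pattern is in snd_usb_extigy_boot_quirk, snd_usb_mbox2_boot_quirk and snd_usb_mbox3_boot_quirk, whose bodies extend beyond the hunks shown.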