CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
parent
da240bb5b6
commit
9e2cd6f7b7
|
@ -0,0 +1,80 @@
|
|||
From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 15:20:58 +0100
|
||||
Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
|
||||
|
||||
Add some sanity check codes before actually accessing the endpoint via
|
||||
get_endpoint() in order to avoid the invalid access through a
|
||||
malformed USB descriptor. Mostly just checking bNumEndpoints, but in
|
||||
one place (snd_microii_spdif_default_get()), the validity of iface and
|
||||
altsetting index is checked as well.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/clock.c | 2 ++
|
||||
sound/usb/endpoint.c | 3 +++
|
||||
sound/usb/mixer_quirks.c | 4 ++++
|
||||
sound/usb/pcm.c | 2 ++
|
||||
4 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
|
||||
index 2ed260b10f6d..7ccbcaf6a147 100644
|
||||
--- a/sound/usb/clock.c
|
||||
+++ b/sound/usb/clock.c
|
||||
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[3];
|
||||
int err, crate;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
/* if endpoint doesn't have sampling rate control, bail out */
|
||||
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
|
||||
index e6f71894ecdc..c2131b851602 100644
|
||||
--- a/sound/usb/endpoint.c
|
||||
+++ b/sound/usb/endpoint.c
|
||||
@@ -415,6 +415,9 @@ exit_clear:
|
||||
*
|
||||
* New endpoints will be added to chip->ep_list and must be freed by
|
||||
* calling snd_usb_endpoint_free().
|
||||
+ *
|
||||
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
|
||||
+ * bNumEndpoints > 1 beforehand.
|
||||
*/
|
||||
struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
|
||||
struct usb_host_interface *alts,
|
||||
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
|
||||
index d3608c0a29f3..2d724e3c4cc0 100644
|
||||
--- a/sound/usb/mixer_quirks.c
|
||||
+++ b/sound/usb/mixer_quirks.c
|
||||
@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
|
||||
|
||||
/* use known values for that card: interface#1 altsetting#1 */
|
||||
iface = usb_ifnum_to_if(chip->dev, 1);
|
||||
+ if (!iface || iface->num_altsetting < 2)
|
||||
+ return -EINVAL;
|
||||
alts = &iface->altsetting[1];
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
err = snd_usb_ctl_msg(chip->dev,
|
||||
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
|
||||
index cdac5179db3f..4da64896df6d 100644
|
||||
--- a/sound/usb/pcm.c
|
||||
+++ b/sound/usb/pcm.c
|
||||
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[1];
|
||||
int err;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
data[0] = 1;
|
||||
--
|
||||
2.5.0
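Review bot: In the sound/usb/endpoint.c hunk, the requirement that bNumEndpoints > 1 for SND_USB_ENDPOINT_TYPE_SYNC is stated only in the doc comment. Nothing visible makes snd_usb_add_endpoint() enforce it, and the function body lies outside the hunk. bNumEndpoints comes from the device-supplied descriptor, so a caller that misses this precondition could reopen the kind of out-of-range endpoint access the other three hunks guard against. Enforcing it inside the function would remove the reliance on every caller, for example `if (type == SND_USB_ENDPOINT_TYPE_SYNC && get_iface_desc(alts)->bNumEndpoints < 2) return NULL;`. That line assumes the type argument is named `type` and that callers already treat a NULL return as failure; confirm both against the full function.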
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 12:09:10 +0100
|
||||
Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
|
||||
create_fixed_stream_quirk()
|
||||
|
||||
create_fixed_stream_quirk() may cause a NULL-pointer dereference by
|
||||
accessing the non-existing endpoint when a USB device with a malformed
|
||||
USB descriptor is used.
|
||||
|
||||
This patch avoids it simply by adding a sanity check of bNumEndpoints
|
||||
before the accesses.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/quirks.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index eef9b8e4b949..e128ca62eb44 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
}
|
||||
alts = &iface->altsetting[fp->altset_idx];
|
||||
altsd = get_iface_desc(alts);
|
||||
+ if (altsd->bNumEndpoints < 1) {
|
||||
+ kfree(fp);
|
||||
+ kfree(rate_table);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
fp->protocol = altsd->bInterfaceProtocol;
|
||||
|
||||
if (fp->datainterval == 0)
|
||||
--
|
||||
2.5.0
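Review bot: The new `bNumEndpoints < 1` branch in create_fixed_stream_quirk() repeats `kfree(fp); kfree(rate_table); return -EINVAL;` inline. The closing brace just above it suggests an earlier branch ends the same way, though that branch is outside the hunk. Routing these exits through one cleanup label (`err = -EINVAL; goto error;`) would keep the frees in one place, so a later allocation cannot be leaked on one of the early returns. The branch also rejects the device silently. A single message emitted before the frees, e.g. `usb_audio_err(chip, "altsetting %d has no endpoints\n", fp->altset_idx);`, would make a malformed descriptor visible in the kernel log for triage.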
|
||||
|
11
kernel.spec
|
@ -636,6 +636,10 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
|||
#CVE-2016-3135 rhbz 1318172 1318270
|
||||
Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
|
||||
|
||||
#CVE-2016-2184 rhbz 1317012 1317470
|
||||
Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
|
||||
Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
%endif
|
||||
|
||||
|
@ -1335,6 +1339,10 @@ ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
|||
#CVE-2016-3135 rhbz 1318172 1318270
|
||||
ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
|
||||
|
||||
#CVE-2016-2184 rhbz 1317012 1317470
|
||||
ApplyPatch ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
|
||||
ApplyPatch ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2184,6 +2192,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
|
||||
|
||||
* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-200
|
||||
- Linux v4.4.6
|
||||
|
||||
|
|