CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)

2016-03-18 10:08:28 -04:00 · 2016-03-18 10:08:28 -04:00 · d6943d1d0b
commit d6943d1d0b
parent 1e6dda8d92
3 changed files with 127 additions and 0 deletions
--- a/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
+++ b/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
@ -0,0 +1,80 @@
+From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 15:20:58 +0100
+Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
+
+Add some sanity check codes before actually accessing the endpoint via
+get_endpoint() in order to avoid the invalid access through a
+malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
+one place (snd_microii_spdif_default_get()), the validity of iface and
+altsetting index is checked as well.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/clock.c        | 2 ++
+ sound/usb/endpoint.c     | 3 +++
+ sound/usb/mixer_quirks.c | 4 ++++
+ sound/usb/pcm.c          | 2 ++
+ 4 files changed, 11 insertions(+)
+
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 2ed260b10f6d..7ccbcaf6a147 100644
+--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
+@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
+ 	unsigned char data[3];
+ 	int err, crate;
+ 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	/* if endpoint doesn't have sampling rate control, bail out */
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index e6f71894ecdc..c2131b851602 100644
+--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
+@@ -415,6 +415,9 @@ exit_clear:
+  *
+  * New endpoints will be added to chip->ep_list and must be freed by
+  * calling snd_usb_endpoint_free().
+ *
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
+ * bNumEndpoints > 1 beforehand.
+  */
+ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
+ 					      struct usb_host_interface *alts,
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index d3608c0a29f3..2d724e3c4cc0 100644
+--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
+@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
+ 
+ 	/* use known values for that card: interface#1 altsetting#1 */
+ 	iface = usb_ifnum_to_if(chip->dev, 1);
+	if (!iface || iface->num_altsetting < 2)
+		return -EINVAL;
+ 	alts = &iface->altsetting[1];
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	err = snd_usb_ctl_msg(chip->dev,
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index cdac5179db3f..4da64896df6d 100644
+--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
+@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
+ 	unsigned char data[1];
+ 	int err;
+ 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	data[0] = 1;
+-- 
+2.5.0
+
--- a/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
+++ b/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
@ -0,0 +1,40 @@
+From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 12:09:10 +0100
+Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
+ create_fixed_stream_quirk()
+
+create_fixed_stream_quirk() may cause a NULL-pointer dereference by
+accessing the non-existing endpoint when a USB device with a malformed
+USB descriptor is used.
+
+This patch avoids it simply by adding a sanity check of bNumEndpoints
+before the accesses.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index eef9b8e4b949..e128ca62eb44 100644
+--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
+@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	}
+ 	alts = &iface->altsetting[fp->altset_idx];
+ 	altsd = get_iface_desc(alts);
+	if (altsd->bNumEndpoints < 1) {
+		kfree(fp);
+		kfree(rate_table);
+		return -EINVAL;
+	}
+
+ 	fp->protocol = altsd->bInterfaceProtocol;
+ 
+ 	if (fp->datainterval == 0)
+-- 
+2.5.0
+
--- a/kernel.spec
+++ b/kernel.spec
@ -627,6 +627,10 @@ Patch667: 0001-Temp-fix-for-intel_pstate-oopses-and-lockdep-report-.patch
 #rhbz 1318596
 Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch

+#CVE-2016-2184 rhbz 1317012 1317470
+Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
+Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2148,6 +2152,9 @@ fi
 #
 # 
 %changelog
+* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
+
 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git8.1
 - Linux v4.5-3654-g5cd0911a9e0e
 - Fix oops from tsc subsystem (rhbz 1318596)