From d6943d1d0b206faef770aaba381438e7d9ef6d2d Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 18 Mar 2016 10:08:28 -0400
Subject: [PATCH] CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
---
...dd-sanity-checks-for-endpoint-access.patch | 80 +++++++++++++++++++
...ix-NULL-dereference-in-create_fixed_.patch | 40 ++++++++++
kernel.spec | 7 ++
3 files changed, 127 insertions(+)
create mode 100644 ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
create mode 100644 ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
diff --git a/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch b/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
new file mode 100644
index 000000000..801434a26
--- /dev/null
+++ b/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
@@ -0,0 +1,80 @@
+From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 15 Mar 2016 15:20:58 +0100
+Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
+
+Add some sanity check codes before actually accessing the endpoint via
+get_endpoint() in order to avoid the invalid access through a
+malformed USB descriptor. Mostly just checking bNumEndpoints, but in
+one place (snd_microii_spdif_default_get()), the validity of iface and
+altsetting index is checked as well.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc:
+Signed-off-by: Takashi Iwai
+---
+ sound/usb/clock.c | 2 ++
+ sound/usb/endpoint.c | 3 +++
+ sound/usb/mixer_quirks.c | 4 ++++
+ sound/usb/pcm.c | 2 ++
+ 4 files changed, 11 insertions(+)
+
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 2ed260b10f6d..7ccbcaf6a147 100644
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
+ unsigned char data[3];
+ int err, crate;
+
++ if (get_iface_desc(alts)->bNumEndpoints < 1)
++ return -EINVAL;
+ ep = get_endpoint(alts, 0)->bEndpointAddress;
+
+ /* if endpoint doesn't have sampling rate control, bail out */
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index e6f71894ecdc..c2131b851602 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -415,6 +415,9 @@ exit_clear:
+ *
+ * New endpoints will be added to chip->ep_list and must be freed by
+ * calling snd_usb_endpoint_free().
++ *
++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
++ * bNumEndpoints > 1 beforehand.
+ */
+ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
+ struct usb_host_interface *alts,
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index d3608c0a29f3..2d724e3c4cc0 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
+
+ /* use known values for that card: interface#1 altsetting#1 */
+ iface = usb_ifnum_to_if(chip->dev, 1);
++ if (!iface || iface->num_altsetting < 2)
++ return -EINVAL;
+ alts = &iface->altsetting[1];
++ if (get_iface_desc(alts)->bNumEndpoints < 1)
++ return -EINVAL;
+ ep = get_endpoint(alts, 0)->bEndpointAddress;
+
+ err = snd_usb_ctl_msg(chip->dev,
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index cdac5179db3f..4da64896df6d 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
+ unsigned char data[1];
+ int err;
+
++ if (get_iface_desc(alts)->bNumEndpoints < 1)
++ return -EINVAL;
+ ep = get_endpoint(alts, 0)->bEndpointAddress;
+
+ data[0] = 1;
+--
+2.5.0
+
diff --git a/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch b/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
new file mode 100644
index 000000000..37cdb213a
--- /dev/null
+++ b/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
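Review bot: The sound/usb/endpoint.c part of ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch only documents the precondition for snd_usb_add_endpoint() (`bNumEndpoints > 1` for SND_USB_ENDPOINT_TYPE_SYNC) and adds no check, so a malformed descriptor on the sync path is rejected only if every caller validates it first. None of the other sections of this patch (clock.c, mixer_quirks.c, pcm.c) touches such a caller, so whether the guarantee holds cannot be confirmed from here; the function's signature and body are cut off by the hunk. If any caller can reach the sync case unchecked, a guard at the top of the function would close it locally, e.g. `if (type == SND_USB_ENDPOINT_TYPE_SYNC && get_iface_desc(alts)->bNumEndpoints < 2) return NULL;` (parameter name and failure return are assumed, since neither is visible).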
@@ -0,0 +1,40 @@
+From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 15 Mar 2016 12:09:10 +0100
+Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
+ create_fixed_stream_quirk()
+
+create_fixed_stream_quirk() may cause a NULL-pointer dereference by
+accessing the non-existing endpoint when a USB device with a malformed
+USB descriptor is used.
+
+This patch avoids it simply by adding a sanity check of bNumEndpoints
+before the accesses.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc:
+Signed-off-by: Takashi Iwai
+---
+ sound/usb/quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index eef9b8e4b949..e128ca62eb44 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ }
+ alts = &iface->altsetting[fp->altset_idx];
+ altsd = get_iface_desc(alts);
++ if (altsd->bNumEndpoints < 1) {
++ kfree(fp);
++ kfree(rate_table);
++ return -EINVAL;
++ }
++
+ fp->protocol = altsd->bInterfaceProtocol;
+
+ if (fp->datainterval == 0)
+--
+2.5.0
+
diff --git a/kernel.spec b/kernel.spec
index 5f2d992f6..98773d3c2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -627,6 +627,10 @@ Patch667: 0001-Temp-fix-for-intel_pstate-oopses-and-lockdep-report-.patch #rhbz 1318596 Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch +#CVE-2016-2184 rhbz 1317012 1317470 +Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch +Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch + # END OF PATCH DEFINITIONS %endif
@@ -2148,6 +2152,9 @@ fi # # %changelog +* Fri Mar 18 2016 Josh Boyer +- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) + * Fri Mar 18 2016 Josh Boyer - 4.6.0-0.rc0.git8.1 - Linux v4.5-3654-g5cd0911a9e0e - Fix oops from tsc subsystem (rhbz 1318596)
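Review bot: In the sound/usb/quirks.c change carried by ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch, the new `altsd->bNumEndpoints < 1` branch frees fp and rate_table and returns -EINVAL without logging anything, so a device presenting a malformed descriptor leaves no trace for whoever later triages it. A single diagnostic before the cleanup, such as `usb_audio_err(chip, "fixed stream quirk: altsetting %d has no endpoints\n", fp->altset_idx);`, would make the rejection visible in the kernel log. create_fixed_stream_quirk() starts and continues outside the hunk, so the check is only known to cover endpoint index 0; if later code in the function reads a higher endpoint index, that access would need its own bound.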