• Takashi Iwai's avatar
    ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor · bfc81a8b
    Takashi Iwai authored
    When a USB-audio device receives a maliciously adjusted or corrupted
    buffer descriptor, the USB-audio driver may access an out-of-bounce
    value at its parser.  This was detected by syzkaller, something like:
    
      BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
      Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
      CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c243 #224
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:16
       dump_stack+0x292/0x395 lib/dump_stack.c:52
       print_address_description+0x78/0x280 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351
       kasan_report+0x22f/0x340 mm/kasan/report.c:409
       __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
       snd_usb_create_streams sound/usb/card.c:248
       usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
       usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
       really_probe drivers/base/dd.c:413
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
       device_add+0xd0b/0x1660 drivers/base/core.c:1835
       usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
       really_probe drivers/base/dd.c:413
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
       device_add+0xd0b/0x1660 drivers/base/core.c:1835
       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
       hub_port_connect drivers/usb/core/hub.c:4903
       hub_port_connect_change drivers/usb/core/hub.c:5009
       port_event drivers/usb/core/hub.c:5115
       hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
       process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
       worker_thread+0x221/0x1850 kernel/workqueue.c:2253
       kthread+0x3a1/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
    
    This patch adds the checks of out-of-bounce accesses at appropriate
    places and bails out when it goes out of the given buffer.
    Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
    Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    bfc81a8b
card.c 22.9 KB