Unverified Commit 4848f81e authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14333 ALSA: usb-audio: Fix out of bounds reads when finding clock sources 

Merge Pull Request from: @ci-robot 
 
PR sync from: Luo Gengkun <luogengkun2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/PBQCO6WMCSWQFLOQHPNWHAHYBBYFZMI5/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBDHGG 
 
Link:https://gitee.com/openeuler/kernel/pulls/14333

 

Reviewed-by: default avatarYe Weihua <yeweihua4@huawei.com>
Reviewed-by: default avatarLi Nan <linan122@huawei.com>
Signed-off-by: default avatarLi Nan <linan122@huawei.com>
parents 053a6b6f 9aaee6d9

sound/usb/clock.c

+30 −2
Original line number Diff line number Diff line
@@ -21,6 +21,10 @@ 
#include "clock.h"

#include "quirks.h"



/* check whether the descriptor bLength has the minimal length */

#define DESC_LENGTH_CHECK(p) \

	 (p->bLength >= sizeof(*p))



static void *find_uac_clock_desc(struct usb_host_interface *iface, int id,

				 bool (*validator)(void *, int), u8 type)

{
@@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, 
static bool validate_clock_source_v2(void *p, int id)

{

	struct uac_clock_source_descriptor *cs = p;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	return cs->bClockID == id;

}



static bool validate_clock_source_v3(void *p, int id)

{

	struct uac3_clock_source_descriptor *cs = p;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	return cs->bClockID == id;

}



static bool validate_clock_selector_v2(void *p, int id)

{

	struct uac_clock_selector_descriptor *cs = p;

	return cs->bClockID == id;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	if (cs->bClockID != id)

		return false;

	/* additional length check for baCSourceID array (in bNrInPins size)

	 * and two more fields (which sizes depend on the protocol)

	 */

	return cs->bLength >= sizeof(*cs) + cs->bNrInPins +

		1 /* bmControls */ + 1 /* iClockSelector */;

}



static bool validate_clock_selector_v3(void *p, int id)

{

	struct uac3_clock_selector_descriptor *cs = p;

	return cs->bClockID == id;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	if (cs->bClockID != id)

		return false;

	/* additional length check for baCSourceID array (in bNrInPins size)

	 * and two more fields (which sizes depend on the protocol)

	 */

	return cs->bLength >= sizeof(*cs) + cs->bNrInPins +

		4 /* bmControls */ + 2 /* wCSelectorDescrStr */;

}



static bool validate_clock_multiplier_v2(void *p, int id)

{

	struct uac_clock_multiplier_descriptor *cs = p;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	return cs->bClockID == id;

}



static bool validate_clock_multiplier_v3(void *p, int id)

{

	struct uac3_clock_multiplier_descriptor *cs = p;

	if (!DESC_LENGTH_CHECK(cs))

		return false;

	return cs->bClockID == id;

}