Unverified Commit 877ccefa authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!14376 fix CVE-2024-53197

Merge Pull Request from: @ci-robot 
 
PR sync from: Tengda Wu <wutengda2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/AP6VZHYAEY5AIG6RLT2LPZXJBGVNNOHX/ 
Fix CVE-2024-53197.

Benoît Sevens (1):
  ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and
    Mbox devices

Dan Carpenter (1):
  ALSA: usb-audio: Fix a DMA to stack memory bug


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IBEAFE 
 
Link:https://gitee.com/openeuler/kernel/pulls/14376

 

Reviewed-by: default avatarXu Kuohai <xukuohai@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 2b0bbaa8 fbfd8d78
+33 −6
@@ -555,6 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
{
{
	struct usb_host_config *config = dev->actconfig;
	struct usb_host_config *config = dev->actconfig;
	struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
	int err;
	int err;


	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -565,11 +566,19 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac
				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);
				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);
		if (err < 0)
		if (err < 0)
			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);

		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
		if (!new_device_descriptor)
			return -ENOMEM;
		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
				&dev->descriptor, sizeof(dev->descriptor));
				new_device_descriptor, sizeof(*new_device_descriptor));
		config = dev->actconfig;
		if (err < 0)
		if (err < 0)
			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
				new_device_descriptor->bNumConfigurations);
		else
			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
		err = usb_reset_configuration(dev);
		err = usb_reset_configuration(dev);
		if (err < 0)
		if (err < 0)
			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -901,6 +910,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev)
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
{
{
	struct usb_host_config *config = dev->actconfig;
	struct usb_host_config *config = dev->actconfig;
	struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
	int err;
	int err;
	u8 bootresponse[0x12];
	u8 bootresponse[0x12];
	int fwsize;
	int fwsize;
@@ -935,11 +945,19 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)


	dev_dbg(&dev->dev, "device initialised!\n");
	dev_dbg(&dev->dev, "device initialised!\n");


	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
	if (!new_device_descriptor)
		return -ENOMEM;

	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
		&dev->descriptor, sizeof(dev->descriptor));
		new_device_descriptor, sizeof(*new_device_descriptor));
	config = dev->actconfig;
	if (err < 0)
	if (err < 0)
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
			new_device_descriptor->bNumConfigurations);
	else
		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));


	err = usb_reset_configuration(dev);
	err = usb_reset_configuration(dev);
	if (err < 0)
	if (err < 0)
@@ -1253,6 +1271,7 @@ static void mbox3_setup_48_24_magic(struct usb_device *dev)
static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
{
{
	struct usb_host_config *config = dev->actconfig;
	struct usb_host_config *config = dev->actconfig;
	struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
	int err;
	int err;
	int descriptor_size;
	int descriptor_size;


@@ -1265,11 +1284,19 @@ static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)


	dev_dbg(&dev->dev, "device initialised!\n");
	dev_dbg(&dev->dev, "device initialised!\n");


	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
	if (!new_device_descriptor)
		return -ENOMEM;

	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
		&dev->descriptor, sizeof(dev->descriptor));
		new_device_descriptor, sizeof(*new_device_descriptor));
	config = dev->actconfig;
	if (err < 0)
	if (err < 0)
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
			new_device_descriptor->bNumConfigurations);
	else
		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));


	err = usb_reset_configuration(dev);
	err = usb_reset_configuration(dev);
	if (err < 0)
	if (err < 0)
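Review bot: In all three boot quirks (Extigy, Mbox2 and Mbox3), a failed `usb_get_descriptor()` is only logged, and the code then goes on to read `new_device_descriptor->bNumConfigurations` from a `kmalloc()`ed buffer that was never filled. If that stale byte is not larger than the current count, the `memcpy()` overwrites `dev->descriptor` with uninitialized heap contents. As far as I know `usb_get_descriptor()` returns the number of bytes read on success, so a short read would leave the tail of the buffer, including `bNumConfigurations`, just as unset. I would make the bounds check an `else if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)` hanging off the `if (err < 0)` branch, and preferably copy only when `err == sizeof(*new_device_descriptor)`. The bodies of all three functions continue outside the hunks shown here.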