Commit 94fd7487 authored by Dan Carpenter's avatar Dan Carpenter Committed by Tengda Wu
Browse files

ALSA: usb-audio: Fix a DMA to stack memory bug 

mainline inclusion
from mainline-v6.13-rc2
commit f7d306b47a24367302bd4fe846854e07752ffcd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFE
CVE: CVE-2024-53197

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7d306b47a24367302bd4fe846854e07752ffcd9



--------------------------------

The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that.  Doing DMA to the stack is not portable
all architectures.  Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.

Fixes: e7afa75245b6 ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: stable@kernel.org
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>

Conflicts:
	sound/usb/quirks.c
[The conflict is due to the patch b01104fc for mbox3 support was
not merged yet]
Signed-off-by: default avatarTengda Wu <wutengda2@huawei.com>
parent 5c796f4c

sound/usb/quirks.c

+21 −10
Original line number Diff line number Diff line
@@ -588,7 +588,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, 
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor new_device_descriptor;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;



	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -599,15 +599,21 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 
				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);

		if (err < 0)

			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);



		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

		if (!new_device_descriptor)

			return -ENOMEM;

		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

				&new_device_descriptor, sizeof(new_device_descriptor));

				new_device_descriptor, sizeof(*new_device_descriptor));

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

		if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)

		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

				new_device_descriptor.bNumConfigurations);

				new_device_descriptor->bNumConfigurations);

		else

			memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));

			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));

		kfree(new_device_descriptor);



		err = usb_reset_configuration(dev);

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -817,7 +823,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) 
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor new_device_descriptor;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;

	u8 bootresponse[0x12];

	int fwsize;
@@ -852,15 +858,20 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) 


	dev_dbg(&dev->dev, "device initialised!\n");



	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

	if (!new_device_descriptor)

		return -ENOMEM;



	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

		&new_device_descriptor, sizeof(new_device_descriptor));

		new_device_descriptor, sizeof(*new_device_descriptor));

	if (err < 0)

		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

	if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)

	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

			new_device_descriptor.bNumConfigurations);

			new_device_descriptor->bNumConfigurations);

	else

		memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));

		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));

	kfree(new_device_descriptor);



	err = usb_reset_configuration(dev);

	if (err < 0)