Unverified Commit b68a556b authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14386 fix CVE-2024-53197 

Merge Pull Request from: @ci-robot 
 
PR sync from: Tengda Wu <wutengda2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/CVBDB7XONAZLLRDIINWUI4474JYMF34V/ 
Fix CVE-2024-53197.

Benoît Sevens (1):
  ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and
    Mbox devices

Dan Carpenter (1):
  ALSA: usb-audio: Fix a DMA to stack memory bug


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IBEAFE 
 
Link:https://gitee.com/openeuler/kernel/pulls/14386

 

Reviewed-by: default avatarYuan Can <yuancan@huawei.com>
Reviewed-by: default avatarXu Kuohai <xukuohai@huawei.com>
Signed-off-by: default avatarYuan Can <yuancan@huawei.com>
parents 147249d8 94fd7487

sound/usb/quirks.c

+25 −4
Original line number Diff line number Diff line
@@ -588,6 +588,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, 
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;



	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -598,11 +599,21 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 
				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);

		if (err < 0)

			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);



		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

		if (!new_device_descriptor)

			return -ENOMEM;

		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

				&dev->descriptor, sizeof(dev->descriptor));

		config = dev->actconfig;

				new_device_descriptor, sizeof(*new_device_descriptor));

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

				new_device_descriptor->bNumConfigurations);

		else

			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));

		kfree(new_device_descriptor);



		err = usb_reset_configuration(dev);

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -812,6 +823,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) 
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;

	u8 bootresponse[0x12];

	int fwsize;
@@ -846,11 +858,20 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) 


	dev_dbg(&dev->dev, "device initialised!\n");



	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

	if (!new_device_descriptor)

		return -ENOMEM;



	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

		&dev->descriptor, sizeof(dev->descriptor));

	config = dev->actconfig;

		new_device_descriptor, sizeof(*new_device_descriptor));

	if (err < 0)

		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

			new_device_descriptor->bNumConfigurations);

	else

		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));

	kfree(new_device_descriptor);



	err = usb_reset_configuration(dev);

	if (err < 0)