Commit bd075964 authored by Benoît Sevens's avatar Benoît Sevens Committed by Tengda Wu
Browse files

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices 

stable inclusion
from stable-v6.6.64
commit b8f8b81dabe52b413fe9e062e8a852c48dd0680d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFE
CVE: CVE-2024-53197

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b8f8b81dabe52b413fe9e062e8a852c48dd0680d



--------------------------------

commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream.

A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config.

This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.

Signed-off-by: default avatarBenoît Sevens <bsevens@google.com>
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarTengda Wu <wutengda2@huawei.com>
parent 19045783

sound/usb/quirks.c

+21 −6
Original line number Diff line number Diff line
@@ -555,6 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, 
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor new_device_descriptor;

	int err;



	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -566,10 +567,14 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 
		if (err < 0)

			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);

		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

				&dev->descriptor, sizeof(dev->descriptor));

		config = dev->actconfig;

				&new_device_descriptor, sizeof(new_device_descriptor));

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

		if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)

			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

				new_device_descriptor.bNumConfigurations);

		else

			memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));

		err = usb_reset_configuration(dev);

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -901,6 +906,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) 
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor new_device_descriptor;

	int err;

	u8 bootresponse[0x12];

	int fwsize;
@@ -936,10 +942,14 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) 
	dev_dbg(&dev->dev, "device initialised!\n");



	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

		&dev->descriptor, sizeof(dev->descriptor));

	config = dev->actconfig;

		&new_device_descriptor, sizeof(new_device_descriptor));

	if (err < 0)

		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

	if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)

		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

			new_device_descriptor.bNumConfigurations);

	else

		memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));



	err = usb_reset_configuration(dev);

	if (err < 0)
@@ -1253,6 +1263,7 @@ static void mbox3_setup_48_24_magic(struct usb_device *dev) 
static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor new_device_descriptor;

	int err;

	int descriptor_size;
@@ -1266,10 +1277,14 @@ static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) 
	dev_dbg(&dev->dev, "device initialised!\n");



	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

		&dev->descriptor, sizeof(dev->descriptor));

	config = dev->actconfig;

		&new_device_descriptor, sizeof(new_device_descriptor));

	if (err < 0)

		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

	if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)

		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

			new_device_descriptor.bNumConfigurations);

	else

		memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));



	err = usb_reset_configuration(dev);

	if (err < 0)