Unverified Commit bd49829e authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14337 ALSA: usb-audio: Fix out of bounds reads when finding clock sources 

Merge Pull Request from: @ci-robot 
 
PR sync from: Luo Gengkun <luogengkun2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/47BKDJQSNRRU4S2IURT5KQ2USWBHUOPJ/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBDHGG 
 
Link:https://gitee.com/openeuler/kernel/pulls/14337

 

Reviewed-by: default avatarYe Weihua <yeweihua4@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents b7dacff6 25793988

sound/usb/clock.c

+23 −1
Original line number Original line Diff line number Diff line
@@ -36,6 +36,12 @@ union uac23_clock_multiplier_desc { 
	struct uac_clock_multiplier_descriptor v3;

	struct uac_clock_multiplier_descriptor v3;

};

};





/* check whether the descriptor bLength has the minimal length */

#define DESC_LENGTH_CHECK(p, proto) \

	((proto) == UAC_VERSION_3 ? \

	 ((p)->v3.bLength >= sizeof((p)->v3)) :	\

	 ((p)->v2.bLength >= sizeof((p)->v2)))



#define GET_VAL(p, proto, field) \

#define GET_VAL(p, proto, field) \

	((proto) == UAC_VERSION_3 ? (p)->v3.field : (p)->v2.field)

	((proto) == UAC_VERSION_3 ? (p)->v3.field : (p)->v2.field)
@@ -58,6 +64,8 @@ static bool validate_clock_source(void *p, int id, int proto) 
{

{

	union uac23_clock_source_desc *cs = p;

	union uac23_clock_source_desc *cs = p;





	if (!DESC_LENGTH_CHECK(cs, proto))

		return false;

	return GET_VAL(cs, proto, bClockID) == id;

	return GET_VAL(cs, proto, bClockID) == id;

}

}
@@ -65,13 +73,27 @@ static bool validate_clock_selector(void *p, int id, int proto) 
{

{

	union uac23_clock_selector_desc *cs = p;

	union uac23_clock_selector_desc *cs = p;





	return GET_VAL(cs, proto, bClockID) == id;

	if (!DESC_LENGTH_CHECK(cs, proto))

		return false;

	if (GET_VAL(cs, proto, bClockID) != id)

		return false;

	/* additional length check for baCSourceID array (in bNrInPins size)

	 * and two more fields (which sizes depend on the protocol)

	 */

	if (proto == UAC_VERSION_3)

		return cs->v3.bLength >= sizeof(cs->v3) + cs->v3.bNrInPins +

			4 /* bmControls */ + 2 /* wCSelectorDescrStr */;

	else

		return cs->v2.bLength >= sizeof(cs->v2) + cs->v2.bNrInPins +

			1 /* bmControls */ + 1 /* iClockSelector */;

}

}





static bool validate_clock_multiplier(void *p, int id, int proto)

static bool validate_clock_multiplier(void *p, int id, int proto)

{

{

	union uac23_clock_multiplier_desc *cs = p;

	union uac23_clock_multiplier_desc *cs = p;





	if (!DESC_LENGTH_CHECK(cs, proto))

		return false;

	return GET_VAL(cs, proto, bClockID) == id;

	return GET_VAL(cs, proto, bClockID) == id;

}

}