Unverified Commit e1673f16 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14375 fix CVE-2024-53197 

Merge Pull Request from: @ci-robot 
 
PR sync from: Tengda Wu <wutengda2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5QCKSQI4O4E3YFBAFPMPTGSSC6YLLA4A/ 
Fix CVE-2024-53197.

Benoît Sevens (1):
  ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and
    Mbox devices

Dan Carpenter (1):
  ALSA: usb-audio: Fix a DMA to stack memory bug


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IBEAFE 
 
Link:https://gitee.com/openeuler/kernel/pulls/14375

 

Reviewed-by: default avatarXu Kuohai <xukuohai@huawei.com>
Reviewed-by: default avatarLi Nan <linan122@huawei.com>
Signed-off-by: default avatarLi Nan <linan122@huawei.com>
parents 908c8608 6df145ef

sound/usb/quirks.c

+25 −5
Original line number Diff line number Diff line
@@ -595,6 +595,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, 
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;



	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -605,11 +606,20 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 
				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);

		if (err < 0)

			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);



		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

		if (!new_device_descriptor)

			return -ENOMEM;

		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

				&dev->descriptor, sizeof(dev->descriptor));

		config = dev->actconfig;

				new_device_descriptor, sizeof(*new_device_descriptor));

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

				new_device_descriptor->bNumConfigurations);

		else

			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));

		kfree(new_device_descriptor);

		err = usb_reset_configuration(dev);

		if (err < 0)

			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -941,6 +951,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) 
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)

{

	struct usb_host_config *config = dev->actconfig;

	struct usb_device_descriptor *new_device_descriptor = NULL;

	int err;

	u8 bootresponse[0x12];

	int fwsize;
@@ -975,11 +986,21 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) 


	dev_dbg(&dev->dev, "device initialised!\n");



	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);

	if (!new_device_descriptor)

		return -ENOMEM;



	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,

		&dev->descriptor, sizeof(dev->descriptor));

	config = dev->actconfig;

		new_device_descriptor, sizeof(*new_device_descriptor));

	if (err < 0)

		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);

	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)

		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",

			new_device_descriptor->bNumConfigurations);

	else

		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));



	kfree(new_device_descriptor);



	err = usb_reset_configuration(dev);

	if (err < 0)
@@ -1024,7 +1045,6 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev) 
	return 0;

}





#define MICROBOOK_BUF_SIZE 128



static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,