ALSA: usb-audio: avoid integer overflow in create_fixed_stream_quirk()

A malicious USB device could feed in a large nr_rates value. This would cause the subsequent call to kmemdup() to allocate a smaller buffer than expected, leading to out-of-bounds access. This patch validates the nr_rates value and reuses the limit introduced in commit 4fa0e81b ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: usb-audio: avoid integer overflow in create_fixed_stream_quirk()
A malicious USB device could feed in a large nr_rates value. This would cause the subsequent call to kmemdup() to allocate a smaller buffer than expected, leading to out-of-bounds access. This patch validates the nr_rates value and reuses the limit introduced in commit 4fa0e81b ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Xi Wang · Takashi Iwai
1 parent 27c3afe6e1
Showing 3 changed files with 7 additions and 4 deletions Side-by-side Diff
sound/usb/card.h
sound/usb/format.c
sound/usb/quirks.c
 #ifndef __USBAUDIO_CARD_H
 #define __USBAUDIO_CARD_H
  
+#define MAX_NR_RATES	1024
 #define MAX_PACKS	20
 #define MAX_PACKS_HS	(MAX_PACKS * 8)	/* in high speed mode */
 #define MAX_URBS	8
@@ -209,8 +209,6 @@
 	return 0;
 }
  
-#define MAX_UAC2_NR_RATES 1024
-
 /*
  * Helper function to walk the array of sample rate triplets reported by
  * the device. The problem is that we need to parse whole array first to
@@ -255,7 +253,7 @@
 			fp->rates |= snd_pcm_rate_to_rate_bit(rate);
  
 			nr_rates++;
-			if (nr_rates >= MAX_UAC2_NR_RATES) {
+			if (nr_rates >= MAX_NR_RATES) {
 				snd_printk(KERN_ERR "invalid uac2 rates\n");
 				break;
 			}
@@ -132,9 +132,13 @@
 	unsigned *rate_table = NULL;
  
 	fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
-	if (! fp) {
+	if (!fp) {
 		snd_printk(KERN_ERR "cannot memdup\n");
 		return -ENOMEM;
+	}
+	if (fp->nr_rates > MAX_NR_RATES) {
+		kfree(fp);
+		return -EINVAL;
 	}
 	if (fp->nr_rates > 0) {
 		rate_table = kmemdup(fp->rate_table,
1	1	#ifndef __USBAUDIO_CARD_H
2	2	#define __USBAUDIO_CARD_H
3	3
	4	+#define MAX_NR_RATES 1024
4	5	#define MAX_PACKS 20
5	6	#define MAX_PACKS_HS (MAX_PACKS * 8) /* in high speed mode */
6	7	#define MAX_URBS 8
...	...	@@ -209,8 +209,6 @@
209	209	return 0;
210	210	}
211	211
212		-#define MAX_UAC2_NR_RATES 1024
213		-
214	212	/*
215	213	* Helper function to walk the array of sample rate triplets reported by
216	214	* the device. The problem is that we need to parse whole array first to
...	...	@@ -255,7 +253,7 @@
255	253	fp->rates \|= snd_pcm_rate_to_rate_bit(rate);
256	254
257	255	nr_rates++;
258		- if (nr_rates >= MAX_UAC2_NR_RATES) {
	256	+ if (nr_rates >= MAX_NR_RATES) {
259	257	snd_printk(KERN_ERR "invalid uac2 rates\n");
260	258	break;
261	259	}
...	...	@@ -132,9 +132,13 @@
132	132	unsigned *rate_table = NULL;
133	133
134	134	fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
135		- if (! fp) {
	135	+ if (!fp) {
136	136	snd_printk(KERN_ERR "cannot memdup\n");
137	137	return -ENOMEM;
	138	+ }
	139	+ if (fp->nr_rates > MAX_NR_RATES) {
	140	+ kfree(fp);
	141	+ return -EINVAL;
138	142	}
139	143	if (fp->nr_rates > 0) {
140	144	rate_table = kmemdup(fp->rate_table,