| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 08 Jan 2012 10:09:11 +0100 From: Takashi Iwai <tiwai@...e.de> To: Xi Wang <xi.wang@...il.com> Cc: Jaroslav Kysela <perex@...ex.cz>, Clemens Ladisch <clemens@...isch.de>, Daniel Mack <zonque@...il.com>, Wolfgang Breyha <wbreyha@....net>, alsa-devel@...a-project.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() At Wed, 4 Jan 2012 12:39:09 -0500, Xi Wang wrote: > > A malicious USB device may feed in carefully crafted min/max/res values, > so that the inner loop in parse_uac2_sample_rate_range() could run for > a long time or even never terminate, e.g., given max = INT_MAX. > > Also nr_rates could be a large integer, which causes an integer overflow > in the subsequent call to kmalloc() in parse_audio_format_rates_v2(). > Thus, kmalloc() would allocate a smaller buffer than expected, leading > to a memory corruption. > > To exploit the two vulnerabilities, an attacker needs physical access > to the machine to plug in a malicious USB device. > > This patch makes two changes. > > 1) The type of "rate" is changed to unsigned int, so that the loop could > stop once "rate" is larger than INT_MAX. > > 2) Limit nr_rates to avoid overflow. > > Signed-off-by: Xi Wang <xi.wang@...il.com> Thanks for the patch. As of now, I have little time to evaluate, so I might have missed something, but I wonder whether /* avoid overflow */ if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int)) break; is the best way to check. This looks ugly to me. If we need to limit the number of rates, better to define some proper numbers as the upper limit. And then, it should warn, not only breaking loop. Anyway I'll check this tomorrow in more details. thanks, Takashi > --- > sound/usb/format.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/sound/usb/format.c b/sound/usb/format.c > index 89421d1..a99de67 100644 > --- a/sound/usb/format.c > +++ b/sound/usb/format.c > @@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets, > int min = combine_quad(&data[2 + 12 * i]); > int max = combine_quad(&data[6 + 12 * i]); > int res = combine_quad(&data[10 + 12 * i]); > - int rate; > + unsigned int rate; > > if ((max < 0) || (min < 0) || (res < 0) || (max < min)) > continue; > @@ -253,6 +253,9 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets, > fp->rates |= snd_pcm_rate_to_rate_bit(rate); > > nr_rates++; > + /* avoid overflow */ > + if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int)) > + break; > > /* avoid endless loop */ > if (res == 0) > -- > 1.7.5.4 > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists