lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 1 Sep 2019 15:43:13 -0400
From:   Hui Peng <benquike@...il.com>
To:     carnil@...ian.org
Cc:     stable@...r.kernel.org, mathias.payer@...elwelt.net,
        perex@...ex.cz, tiwai@...e.com, gregkh@...uxfoundation.org,
        wang6495@....edu, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit


On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInPins` - 1, the current implementation
>> assumes that descriptor is always valid (the length  of descriptor
>> is no shorter than 5 + `bNrInPins`). If a descriptor read from
>> the device side is invalid, it may trigger out-of-bound memory
>> access.
>>
>> ```
>> struct uac_mixer_unit_descriptor {
>> 	__u8 bLength;
>> 	__u8 bDescriptorType;
>> 	__u8 bDescriptorSubtype;
>> 	__u8 bUnitID;
>> 	__u8 bNrInPins;
>> 	__u8 baSourceID[];
>> }
>> ```
>>
>> This patch fixes the bug by add a sanity check on the length of
>> the descriptor.
>>
>> CVE: CVE-2018-15117
> FWIW, the correct CVE id should be probably CVE-2019-15117 here.

Yes, the CVE id was wrong. I have updated it in the attached patch.

> But there was already a patch queued and released in 5.2.10 and
> 4.19.68 for this issue (as far I can see; is this correct?)

Yes, it should have been fixed in those branches.

But google asked me to back port it to v4.4.190 and v4.14.141.

I have mentioned it in one previous email, but it was blocked by vger
because it was sent in html format.

Can you apply it to these 2 versions? (it applies to both versions)

Thanks.

> Regards,
> Salvatore

View attachment "0001-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch" of type "text/x-patch" (1603 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ