Message-ID: <92eb4af2-8a38-4075-9353-21afe34d57d9@oracle.com>
Date: Tue, 17 Dec 2024 11:54:49 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Cc: Takashi Iwai <tiwai@...e.de>,
        syzbot+78d5b129a762182225aa@...kaller.appspotmail.com, perex@...ex.cz,
        tiwai@...e.com, kl@...wtf, peter.ujfalusi@...ux.intel.com,
        xristos.thes@...il.com, linux-sound@...r.kernel.org,
        Vegard Nossum <vegard.nossum@...cle.com>
Subject: Re: [PATCH AUTOSEL 5.15 13/13] ALSA: usb: Fix UBSAN warning in
 parse_audio_unit()

Hi Sasha,

On 28/07/24 21:38, Sasha Levin wrote:
> From: Takashi Iwai <tiwai@...e.de>
> 
> [ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ]
> 
> A malformed USB descriptor may pass the lengthy mixer description with
> a lot of channels, and this may overflow the 32bit integer shift
> size, as caught by syzbot UBSAN test.  Although this won't cause any
> real trouble, it's better to address.
> 
> This patch introduces a sanity check of the number of channels to bail
> out the parsing when too many channels are found.
> 
> Reported-by: syzbot+78d5b129a762182225aa@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com
> Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
> Signed-off-by: Sasha Levin <sashal@...nel.org>

FYI: This 13 patch series and similar AUTOSEL sets for other stable 
kernels didn't go into stable yet.

Thanks,
Harshit

> ---
>   sound/usb/mixer.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
> index d818eee53c90a..f10634dc118d6 100644
> --- a/sound/usb/mixer.c
> +++ b/sound/usb/mixer.c
> @@ -1985,6 +1985,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
>   		bmaControls = ftr->bmaControls;
>   	}
>   
> +	if (channels > 32) {
> +		usb_audio_info(state->chip,
> +			       "usbmixer: too many channels (%d) in unit %d\n",
> +			       channels, unitid);
> +		return -EINVAL;
> +	}
> +
>   	/* parse the source unit */
>   	err = parse_audio_unit(state, hdr->bSourceID);
>   	if (err < 0)
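
Review bot: The bound in "if (channels > 32)" is a bare literal with no comment saying what it protects. The commit message ties it to the 32-bit shift size, but that shift is outside this hunk, so a reader of mixer.c cannot tell from here why 32 was chosen or whether a descriptor with exactly 32 channels is safe where the shift happens. A one-line comment above the check, or a named constant, stating the relation to the width of the channel bitmask would make the boundary reviewable. The rejection is also logged through usb_audio_info() although it aborts parsing of the unit with -EINVAL, so it is worth considering whether a warning-level message fits better.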

