Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

ALSA: usb-audio: Fix potential out-of-bounds access in MIDI EP parser

The recently introduced MIDI endpoint parser code accesses the
field without size validation, hence it might lead to
out-of-bounds access. Add the sanity checks for the descriptor
sizes.

Fixes: eb596e0fd13c ("ALSA: usb-audio: generate midi streaming substream names from jack names")
Link: https://lore.kernel.org/r/20210511090500.2637-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
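As an added illustration of the two size checks this patch introduces (example code written for this page, not the kernel's own; the descriptor constants and struct layouts are reproduced from memory of include/linux/usb/midi.h and the `extra` bytes are constructed), the walker below only accepts a jack descriptor whose bLength both fits in the remaining buffer and covers the fixed struct, and for an OUT jack additionally requires bLength to cover the advertised pin count before iJack is read at `sz - 1`. `legacy_out_jack_overrun` models the pre-fix `bLength > 4` path and reports how far the iJack read would land past a truncated descriptor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants and layouts as in include/linux/usb/midi.h, reproduced from
 * memory for this example (assumption, not copied from the kernel tree). */
#define USB_DT_CS_INTERFACE 0x24
#define UAC_MIDI_IN_JACK    0x02
#define UAC_MIDI_OUT_JACK   0x03
/* OUT jack: 6 fixed bytes, p pairs of (baSourceID, baSourcePin), then iJack */
#define USB_DT_MIDI_OUT_SIZE(p) (7 + 2 * (p))

struct usb_midi_in_jack_descriptor {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bJackType, bJackID, iJack;
} __attribute__((packed));                          /* sizeof == 6 */

struct usb_midi_out_jack_descriptor {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bJackType, bJackID, bNrInputPins;
    /* pins[] and iJack follow; iJack is located by offset since pins[] varies */
} __attribute__((packed));                          /* sizeof == 6 */

enum { JACK_NOT_FOUND = -1, JACK_TRUNCATED = -2 };

/* Walk the class-specific descriptors in `extra` for a jack with the given
 * subtype and ID.  A descriptor is considered only if its bLength fits in the
 * bytes left (the walk cannot overrun `extra`) and is at least min_len (the
 * fixed fields read below really exist). */
static const uint8_t *find_cs_descriptor(const uint8_t *extra, size_t extralen,
                                         uint8_t subtype, uint8_t jack_id,
                                         size_t min_len)
{
    while (extralen >= 2) {
        uint8_t len = extra[0];
        if (len < 2 || len > extralen)              /* malformed or truncated */
            return NULL;
        if (len >= min_len &&                       /* guards the reads below */
            extra[1] == USB_DT_CS_INTERFACE &&
            extra[2] == subtype &&
            extra[4] == jack_id)
            return extra;
        extra += len;
        extralen -= len;
    }
    return NULL;
}

/* iJack of an IN jack: the whole fixed struct must fit inside bLength. */
int midi_in_jack_ijack(const uint8_t *extra, size_t extralen, uint8_t jack_id)
{
    const struct usb_midi_in_jack_descriptor *injd = (const void *)
        find_cs_descriptor(extra, extralen, UAC_MIDI_IN_JACK, jack_id, sizeof(*injd));
    return injd ? injd->iJack : JACK_NOT_FOUND;
}

/* iJack of an OUT jack sits after a variable number of pins, so the fixed
 * header check is not enough: bLength must also cover the advertised pins
 * (the second check the patch adds before the `*(... + sz - 1)` read). */
int midi_out_jack_ijack(const uint8_t *extra, size_t extralen, uint8_t jack_id)
{
    const struct usb_midi_out_jack_descriptor *outjd = (const void *)
        find_cs_descriptor(extra, extralen, UAC_MIDI_OUT_JACK, jack_id, sizeof(*outjd));
    if (!outjd)
        return JACK_NOT_FOUND;
    size_t sz = USB_DT_MIDI_OUT_SIZE(outjd->bNrInputPins);
    if (outjd->bLength < sz)
        return JACK_TRUNCATED;
    return *((const uint8_t *)outjd + sz - 1);
}

/* Model of the pre-fix path: with only `bLength > 4` checked, iJack is read at
 * offset sz - 1 whatever bLength says.  Returns how many bytes past the end of
 * the descriptor that read lands (0 = in bounds).  `desc` must have at least
 * 6 readable bytes, as the pre-fix code also read bNrInputPins unchecked. */
size_t legacy_out_jack_overrun(const uint8_t *desc)
{
    size_t sz = USB_DT_MIDI_OUT_SIZE(desc[5]);
    return desc[0] >= sz ? 0 : sz - desc[0];
}

/* Constructed descriptor block (made up for this example). */
const uint8_t sample_extra[] = {
    0x06, 0x24, 0x02, 0x01, 0x01, 0x05,                   /* IN jack 1, iJack 5 */
    0x09, 0x24, 0x03, 0x01, 0x02, 0x01, 0x01, 0x01, 0x07, /* OUT jack 2, 1 pin, iJack 7 */
    0x08, 0x24, 0x03, 0x01, 0x03, 0x02, 0x01, 0x01,       /* OUT jack 3 claims 2 pins in 8 bytes */
    0x05, 0x24, 0x02, 0x01, 0x04,                         /* IN jack 4, 5 bytes: no iJack */
};

int main(void)
{
    size_t n = sizeof sample_extra;
    printf("in jack 1  iJack = %d\n", midi_in_jack_ijack(sample_extra, n, 1));
    printf("out jack 2 iJack = %d\n", midi_out_jack_ijack(sample_extra, n, 2));
    printf("out jack 3 -> %d (truncated)\n", midi_out_jack_ijack(sample_extra, n, 3));
    printf("in jack 4  -> %d (too short)\n", midi_in_jack_ijack(sample_extra, n, 4));
    printf("pre-fix read of jack 3 would overrun by %zu bytes\n",
           legacy_out_jack_overrun(sample_extra + 15));
    return 0;
}
```

The walker rejects a descriptor whose bLength exceeds the remaining buffer before looking at any other field; that check is what keeps the per-descriptor `bLength >= sizeof(...)` test meaningful when the last descriptor in `extra` is cut short.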

+4 -3
sound/usb/midi.c
··· 1750 1750 struct usb_midi_in_jack_descriptor *injd = 1751 1751 (struct usb_midi_in_jack_descriptor *)extra; 1752 1752 1753 - if (injd->bLength > 4 && 1753 + if (injd->bLength >= sizeof(*injd) && 1754 1754 injd->bDescriptorType == USB_DT_CS_INTERFACE && 1755 1755 injd->bDescriptorSubtype == UAC_MIDI_IN_JACK && 1756 1756 injd->bJackID == jack_id) ··· 1773 1773 struct usb_midi_out_jack_descriptor *outjd = 1774 1774 (struct usb_midi_out_jack_descriptor *)extra; 1775 1775 1776 - if (outjd->bLength > 4 && 1776 + if (outjd->bLength >= sizeof(*outjd) && 1777 1777 outjd->bDescriptorType == USB_DT_CS_INTERFACE && 1778 1778 outjd->bDescriptorSubtype == UAC_MIDI_OUT_JACK && 1779 1779 outjd->bJackID == jack_id) ··· 1820 1820 outjd = find_usb_out_jack_descriptor(hostif, jack_id); 1821 1821 if (outjd) { 1822 1822 sz = USB_DT_MIDI_OUT_SIZE(outjd->bNrInputPins); 1823 - iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t)); 1823 + if (outjd->bLength >= sz) 1824 + iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t)); 1824 1825 } 1825 1826 } else { 1826 1827 /* and out jacks connect to ins */
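Review bot: in the IN jack hunk (line 1753), `bLength >= sizeof(*injd)` is the right lower bound for the iJack read at the end of the fixed-size struct, but it only bounds the read against what the descriptor claims; the loop that walks `extra` and bounds bLength against the bytes actually remaining is outside this hunk and should be confirmed to reject a last descriptor whose bLength runs past the buffer, otherwise that descriptor still overruns. A short comment noting that `sizeof(*injd)` relies on the struct being packed would help the next reader.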
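Review bot: for the OUT jack (line 1776), `sizeof(*outjd)` covers only the fixed header up to bNrInputPins, not the pins array or iJack, which is sufficient here only because the caller separately checks `bLength >= USB_DT_MIDI_OUT_SIZE(bNrInputPins)` before touching iJack. Suggest a comment at this check saying so, since a future caller that reads `pins[]` directly after `find_usb_out_jack_descriptor()` would not be protected by it.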
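Review bot: at line 1823 the assignment to iJack becomes conditional, so on a truncated descriptor iJack keeps whatever value it held before; that initialisation is outside the hunk and should be confirmed to be 0 (the "no string" index) so a short descriptor cannot leave a stale value behind. Consider also giving the rejected case a one-line comment, e.g. `/* descriptor too short for its pin count: no iJack */`, so the silent skip is obviously intentional.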