At Wed, 4 Jan 2012 12:39:09 -0500, Xi Wang wrote:
A malicious USB device may feed in carefully crafted min/max/res values, so that the inner loop in parse_uac2_sample_rate_range() could run for a long time or even never terminate, e.g., given max = INT_MAX.
Also nr_rates could be a large integer, which causes an integer overflow in the subsequent call to kmalloc() in parse_audio_format_rates_v2(). Thus, kmalloc() would allocate a smaller buffer than expected, leading to a memory corruption.
To exploit the two vulnerabilities, an attacker needs physical access to the machine to plug in a malicious USB device.
This patch makes two changes.
The type of "rate" is changed to unsigned int, so that the loop could stop once "rate" is larger than INT_MAX.
Limit nr_rates to avoid overflow.
Signed-off-by: Xi Wang xi.wang@gmail.com
Thanks for the patch. As of now, I have little time to evaluate, so I might have missed something, but I wonder whether
/* avoid overflow */ if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int)) break;
is the best way to check. This looks ugly to me. If we need to limit the number of rates, better to define some proper numbers as the upper limit. And then, it should warn, not only breaking loop.
Anyway I'll check this tomorrow in more details.
thanks,
Takashi
sound/usb/format.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/sound/usb/format.c b/sound/usb/format.c index 89421d1..a99de67 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets, int min = combine_quad(&data[2 + 12 * i]); int max = combine_quad(&data[6 + 12 * i]); int res = combine_quad(&data[10 + 12 * i]);
int rate;
unsigned int rate;if ((max < 0) || (min < 0) || (res < 0) || (max < min)) continue;
@@ -253,6 +253,9 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets, fp->rates |= snd_pcm_rate_to_rate_bit(rate);
nr_rates++;
/* avoid overflow */if (nr_rates == KMALLOC_MAX_SIZE / sizeof(int))break; /* avoid endless loop */ if (res == 0)-- 1.7.5.4