From patchwork Tue Mar 29 17:25:49 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kamal Mostafa <kamal@canonical.com>
X-Patchwork-Id: 603098
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3qZHkH6z0zz9s5g;
	Wed, 30 Mar 2016 04:26:15 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1akxP9-0004jj-Ja; Tue, 29 Mar 2016 17:26:11 +0000
Received: from mail-pf0-f195.google.com ([209.85.192.195])
	by huckleberry.canonical.com with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16)
	(Exim 4.76) (envelope-from <kamal@whence.com>) id 1akxOr-0004ab-R1
	for kernel-team@lists.ubuntu.com; Tue, 29 Mar 2016 17:25:53 +0000
Received: by mail-pf0-f195.google.com with SMTP id q129so3553313pfb.3
	for <kernel-team@lists.ubuntu.com>;
	Tue, 29 Mar 2016 10:25:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=Jc+UEWZLLG3gMXDVVb1raoValLPwpY1MV1/mPfXvHhw=;
	b=Q5zVxPH+koGwXwHkaRss45Cn54KqlRJY+D+uxEc8xtnGm/kgiBcEWtAIZIZSCGsR+R
	RXDMvQiS0ayL2+63kuS/vsoNoSvZk4h4JKta6GyT15wK2EVjBSqhIYDJrdmVwL2CMrG2
	F5qlv3fr66QzQPwSUtY7xJn/YgVmL3SJMfa4rBvaHb/xt0f3GURkz91zcw3ixnn+ERjr
	4s4A07VzFIEbSoluVpszn5Vi8NIK1dU+skTap5EZNUov+gxBzbEzcXV1evniTKTndLiQ
	LSbomgbpwpPGAfwCt1/0zUMW0gChcihEynBY2QMMPfOYmA8OsUGm3cL4fmDVnuRXZljc
	+kvA==
X-Gm-Message-State: 
 AD7BkJIFvZFg6aH6/UpMg1JKE5Qi0vxzdpVBldvPW7yXW18OXtrHMRun5lwhw8ZNwXgMmw==
X-Received: by 10.98.69.84 with SMTP id s81mr5248548pfa.125.1459272352518;
	Tue, 29 Mar 2016 10:25:52 -0700 (PDT)
Received: from fourier (c-76-126-59-13.hsd1.ca.comcast.net. [76.126.59.13])
	by smtp.gmail.com with ESMTPSA id
	ux2sm44694293pac.46.2016.03.29.10.25.51
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 29 Mar 2016 10:25:52 -0700 (PDT)
Received: from kamal by fourier with local (Exim 4.86_2)
	(envelope-from <kamal@whence.com>)
	id 1akxOo-0000MB-EN; Tue, 29 Mar 2016 10:25:50 -0700
From: Kamal Mostafa <kamal@canonical.com>
To: Takashi Iwai <tiwai@suse.de>
Subject: [4.2.y-ckt stable] Patch "ALSA: usb-audio: Add sanity checks for
	endpoint accesses" has been added to the 4.2.y-ckt tree
Date: Tue, 29 Mar 2016 10:25:49 -0700
Message-Id: <1459272349-1336-1-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 2.7.4
X-Extended-Stable: 4.2
Cc: Kamal Mostafa <kamal@canonical.com>, kernel-team@lists.ubuntu.com
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    ALSA: usb-audio: Add sanity checks for endpoint accesses

to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue

This patch is scheduled to be released in version 4.2.8-ckt7.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 4.2.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

From 6f90f265b9093701571b469c61e988ec1765b82d Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 15 Mar 2016 15:20:58 +0100
Subject: ALSA: usb-audio: Add sanity checks for endpoint accesses

commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/usb/clock.c        | 2 ++
 sound/usb/endpoint.c     | 3 +++
 sound/usb/mixer_quirks.c | 4 ++++
 sound/usb/pcm.c          | 2 ++
 4 files changed, 11 insertions(+)

--
2.7.4

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 2ed260b..7ccbcaf 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
 	unsigned char data[3];
 	int err, crate;

+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;

 	/* if endpoint doesn't have sampling rate control, bail out */
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 03b0744..e7f470a 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -413,6 +413,9 @@ exit_clear:
  *
  * New endpoints will be added to chip->ep_list and must be freed by
  * calling snd_usb_endpoint_free().
+ *
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
+ * bNumEndpoints > 1 beforehand.
  */
 struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
 					      struct usb_host_interface *alts,
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index db9547d..f8ffcda4 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1532,7 +1532,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,

 	/* use known values for that card: interface#1 altsetting#1 */
 	iface = usb_ifnum_to_if(chip->dev, 1);
+	if (!iface || iface->num_altsetting < 2)
+		return -EINVAL;
 	alts = &iface->altsetting[1];
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;

 	err = snd_usb_ctl_msg(chip->dev,
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
index b4ef410..cbb9325 100644
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
 	unsigned char data[1];
 	int err;

+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;

 	data[0] = 1;