5d78e1c2b7
syzbot found the following crash on: general protection fault: 0000 [#1] SMP KASAN RIP: 0010:snd_usb_pipe_sanity_check+0x80/0x130 sound/usb/helper.c:75 Call Trace: snd_usb_motu_microbookii_communicate.constprop.0+0xa0/0x2fb sound/usb/quirks.c:1007 snd_usb_motu_microbookii_boot_quirk sound/usb/quirks.c:1051 [inline] snd_usb_apply_boot_quirk.cold+0x163/0x370 sound/usb/quirks.c:1280 usb_audio_probe+0x2ec/0x2010 sound/usb/card.c:576 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 really_probe+0x281/0x650 drivers/base/dd.c:548 .... It was introduced in commit 801ebf1043ae for checking pipe and endpoint types. It is fixed by adding a check of the ep pointer in question. BugLink: https://syzkaller.appspot.com/bug?extid=d59c4387bfb6eced94e2 Reported-by: syzbot <syzbot+d59c4387bfb6eced94e2@syzkaller.appspotmail.com> Fixes: 801ebf1043ae ("ALSA: usb-audio: Sanity checks for each pipe and EP types") Cc: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Hillf Danton <hdanton@sina.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
// SPDX-License-Identifier: GPL-2.0-or-later
/*
*/
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/usb.h>
#include "usbaudio.h"
#include "helper.h"
#include "quirks.h"
/*
 * Assemble an unsigned integer from a 1- to 4-byte field.
 *
 * @bytes: first byte of the field
 * @size:  width of the field in bytes
 *
 * Widths 2, 3 and 4 are delegated to combine_word(), combine_triple() and
 * combine_quad(); the byte order is whatever those helpers implement.
 * Any other width (zero and negative values included) yields 0 without
 * touching @bytes.
 *
 * Nothing here verifies that @size bytes are readable at @bytes, so the
 * caller has to bound the field against its buffer before calling.
 */
unsigned int snd_usb_combine_bytes(unsigned char *bytes, int size)
{
	unsigned int value = 0;

	switch (size) {
	case 1:
		value = *bytes;
		break;
	case 2:
		value = combine_word(bytes);
		break;
	case 3:
		value = combine_triple(bytes);
		break;
	case 4:
		value = combine_quad(bytes);
		break;
	default:
		/* unsupported width: keep the zero result */
		break;
	}

	return value;
}
/*
 * Walk a descriptor buffer and return the first descriptor of type @dtype.
 *
 * @descstart: start of the descriptor buffer
 * @desclen:   number of bytes in the buffer
 * @after:     if non-NULL, only descriptors located at a higher address
 *             than this pointer are accepted (used to continue a search)
 * @dtype:     descriptor type to match against byte 1 of each descriptor
 *
 * Returns a pointer into the buffer, or NULL when no match exists or the
 * buffer is malformed.
 *
 * Each step trusts nothing beyond byte 0 (the length) until that length has
 * been validated: a length below 2 or one that runs past the end of the
 * buffer aborts the walk.  A returned descriptor therefore lies completely
 * inside the buffer for its own stated length, but callers still have to
 * compare that length with the size of whatever structure they read from it.
 */
void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype)
{
	u8 *cur = descstart;
	u8 *limit = cur + desclen;

	while (cur < limit) {
		u8 *following;

		/*
		 * A length below 2 cannot hold the length and type bytes;
		 * rejecting it also keeps a zero length from stalling the
		 * walk on the same position forever.
		 */
		if (cur[0] < 2)
			return NULL;

		/* the descriptor must end inside the buffer before byte 1 is read */
		following = cur + cur[0];
		if (following > limit)
			return NULL;

		if (cur[1] == dtype) {
			if (!after || (void *)cur > after)
				return cur;
		}

		cur = following;
	}

	return NULL;
}
/*
 * Find a class-specific interface descriptor with the given subtype.
 *
 * @buffer:   start of the descriptor buffer
 * @buflen:   number of bytes in the buffer
 * @after:    if non-NULL, the search resumes behind this descriptor
 * @dsubtype: value to match against byte 2 of the descriptor
 *
 * Returns a pointer into @buffer, or NULL when nothing matches.
 *
 * snd_usb_find_desc() only returns descriptors whose stated length fits in
 * the buffer, so checking that length for at least 3 bytes is what makes
 * the read of byte 2 safe; shorter descriptors are skipped.
 */
void *snd_usb_find_csint_desc(void *buffer, int buflen, void *after, u8 dsubtype)
{
	unsigned char *desc;

	for (desc = snd_usb_find_desc(buffer, buflen, after,
				      USB_DT_CS_INTERFACE);
	     desc != NULL;
	     desc = snd_usb_find_desc(buffer, buflen, desc,
				      USB_DT_CS_INTERFACE)) {
		if (desc[0] >= 3 && desc[2] == dsubtype)
			return desc;
	}

	return NULL;
}
/*
 * Check that @pipe refers to an endpoint of @dev and that the pipe type
 * agrees with the transfer type of that endpoint.
 *
 * Returns 0 when both agree, -EINVAL when the endpoint lookup yields nothing
 * or the types differ.
 *
 * The pipe value is built by driver code (quirks included) while the
 * endpoint set comes from the attached device, so the lookup result cannot
 * be assumed to exist.
 */
int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
{
	/* pipe type expected for each value returned by usb_endpoint_type() */
	static const int pipetypes[4] = {
		PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
	};
	struct usb_host_endpoint *ep = usb_pipe_endpoint(dev, pipe);

	/*
	 * The lookup can come back NULL; this test has to stay ahead of the
	 * &ep->desc access below, otherwise the descriptor read dereferences
	 * a NULL endpoint.
	 */
	if (!ep)
		return -EINVAL;

	/* NOTE(review): relies on usb_endpoint_type() staying within 0..3 - confirm */
	if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
		return -EINVAL;

	return 0;
}
/*
 * Wrapper for usb_control_msg().
 *
 * The transfer runs on a heap copy of @data so that DMA never targets the
 * caller's buffer, which may live on the stack.
 *
 * Returns -EINVAL when snd_usb_pipe_sanity_check() rejects @pipe, -ENOMEM
 * when the temporary buffer cannot be allocated, and otherwise the return
 * value of usb_control_msg().
 *
 * The temporary buffer starts out as a duplicate of @data and is copied back
 * in full regardless of the transfer result.  After a failed or short IN
 * transfer @data therefore still holds, wholly or partly, what the caller
 * passed in, so callers must look at the return value before treating the
 * contents as a device response.
 *
 * When @size is non-zero, @data must point to at least @size readable and
 * writable bytes; this is not checked here.
 */
int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
		    __u8 requesttype, __u16 value, __u16 index, void *data,
		    __u16 size)
{
	void *bounce = NULL;
	int timeout;
	int ret;

	/* refuse pipes that do not match an endpoint of this device */
	if (snd_usb_pipe_sanity_check(dev, pipe))
		return -EINVAL;

	if (size > 0) {
		bounce = kmemdup(data, size, GFP_KERNEL);
		if (!bounce)
			return -ENOMEM;
	}

	/* the direction bit of the request type selects the timeout */
	timeout = (requesttype & USB_DIR_IN) ? USB_CTRL_GET_TIMEOUT
					     : USB_CTRL_SET_TIMEOUT;

	ret = usb_control_msg(dev, pipe, request, requesttype,
			      value, index, bounce, size, timeout);

	if (size > 0) {
		/* unconditional copy-back, then release the temporary buffer */
		memcpy(data, bounce, size);
		kfree(bounce);
	}

	/* the quirk hook runs after the copy-back, on the caller's buffer */
	snd_usb_ctl_msg_quirk(dev, pipe, request, requesttype,
			      value, index, data, size);

	return ret;
}
/*
 * Derive the data interval value from bInterval of the first endpoint of
 * @alts.
 *
 * For high, wireless, super and super-plus speed devices a bInterval of
 * 1..4 is returned as 0..3.  Every other speed, and every bInterval outside
 * that range, gives 0.
 *
 * bInterval is a device-supplied descriptor field; the range test is the
 * only validation applied to it here.
 * NOTE(review): endpoint 0 of @alts is read without checking that the
 * altsetting has any endpoint - presumably guaranteed by callers, confirm.
 */
unsigned char snd_usb_parse_datainterval(struct snd_usb_audio *chip,
					 struct usb_host_interface *alts)
{
	unsigned char interval;

	switch (snd_usb_get_speed(chip->dev)) {
	case USB_SPEED_HIGH:
	case USB_SPEED_WIRELESS:
	case USB_SPEED_SUPER:
	case USB_SPEED_SUPER_PLUS:
		interval = get_endpoint(alts, 0)->bInterval;
		if (interval >= 1 && interval <= 4)
			return interval - 1;
		break;
	default:
		break;
	}

	return 0;
}