kernel_optimize_test/sound/usb
Xi Wang 4fa0e81b83 ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()
A malicious USB device may feed in carefully crafted min/max/res values,
so that the inner loop in parse_uac2_sample_rate_range() could run for
a long time or even never terminate, e.g., given max = INT_MAX.

Also nr_rates could be a large integer, which causes an integer overflow
in the subsequent call to kmalloc() in parse_audio_format_rates_v2().
Thus, kmalloc() would allocate a smaller buffer than expected, leading
to a memory corruption.

To exploit the two vulnerabilities, an attacker needs physical access
to the machine to plug in a malicious USB device.

This patch makes two changes.

1) The type of "rate" is changed to unsigned int, so that the loop could
   stop once "rate" is larger than INT_MAX.

2) Limit nr_rates to 1024.

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-01-08 16:03:12 +01:00
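The two bugs the commit message above describes, modelled in user-space C as an added example; this is not code from the kernel tree or from the patch. The function names, `NR_RATES_CAP`, `STEP_BUDGET`, the input checks and the 32-bit size arithmetic with 4-byte entries are all assumptions of the sketch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NR_RATES_CAP 1024   /* limit named in the commit message; macro name is hypothetical */
#define STEP_BUDGET  100000 /* constructed: stands in for "never terminates" */

/* Before: signed "rate". Signed overflow is undefined in C, so the wrap is
 * modelled through unsigned arithmetic (the int conversion wraps on gcc/clang).
 * Returns the number of rates, or -1 when the budget runs out (a hang). */
static long count_rates_signed(int min, int max, int res)
{
    long n = 0;
    int rate = min;

    while (rate <= max) {
        if (++n >= STEP_BUDGET)
            return -1;
        rate = (int)((unsigned int)rate + (unsigned int)res);
    }
    return n;
}

/* After: unsigned "rate" and a cap on the count. With min, max, res all
 * <= INT_MAX, rate + res cannot wrap an unsigned int, so the loop ends.
 * The input checks are an assumption of this sketch. */
static long count_rates_fixed(int min, int max, int res)
{
    long n = 0;
    unsigned int rate;

    if (min < 0 || max < 0 || res <= 0 || max < min)
        return 0;
    for (rate = (unsigned int)min; rate <= (unsigned int)max; rate += (unsigned int)res)
        if (++n >= NR_RATES_CAP)
            break;
    return n;
}

/* Rate-table size as 32-bit arithmetic computes it (assumed 4-byte entries). */
static uint32_t table_bytes32(uint32_t nr_rates) { return nr_rates * (uint32_t)4; }

int main(void)
{
    printf("signed, max=INT_MAX: %ld\n", count_rates_signed(INT_MAX - 10, INT_MAX, 4));
    printf("fixed,  max=INT_MAX: %ld\n", count_rates_fixed(INT_MAX - 10, INT_MAX, 4));
    printf("2^30 rates -> %u bytes, capped -> %u bytes\n",
           (unsigned)table_bytes32(1u << 30), (unsigned)table_bytes32(NR_RATES_CAP));
    return 0;
}
```

With `max = INT_MAX` every signed value satisfies `rate <= max`, which is why the signed loop cannot exit, while the unsigned counter steps past `INT_MAX` and stops.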
6fire ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
caiaq ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
misc ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
usx2y ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
card.c ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
card.h ALSA: usb: refine delay information with USB frame counter 2011-09-12 10:30:20 +02:00
clock.c ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
clock.h ALSA: usb-audio: simplify control interface access 2010-06-23 16:10:23 +02:00
debug.h ALSA: usb-audio: make hwc_debug a noop in case HW_CONST_DEBUG is not set 2011-05-18 11:44:35 +02:00
endpoint.c ALSA: snd-usb: move code from urb.c to endpoint.c 2011-09-14 17:07:03 +02:00
endpoint.h ALSA: snd-usb: move code from urb.c to endpoint.c 2011-09-14 17:07:03 +02:00
format.c ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() 2012-01-08 16:03:12 +01:00
format.h ALSA: usb-audio: parse more format descriptors with structs 2010-05-27 09:48:31 +02:00
helper.c ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
helper.h ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
Kconfig ALSA: snd-usb-caiaq: Add support for Maschine 2011-10-13 08:16:46 +02:00
Makefile ALSA: snd-usb: move code from urb.c to endpoint.c 2011-09-14 17:07:03 +02:00
midi.c sound: Add module.h to the previously silent sound users 2011-10-31 19:31:21 -04:00
midi.h ALSA: usb-audio: add support for Akai MPD16 2010-05-21 17:12:30 +02:00
mixer_maps.c ALSA: usb-audio: unify constants from specification 2010-05-31 18:17:22 +02:00
mixer_quirks.c ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
mixer_quirks.h ALSA: usb-mixer: factor out quirks 2010-03-12 12:20:26 +01:00
mixer.c ALSA: snd_usb_audio: add Logitech HD Webcam c510 to quirk-384 2011-11-09 12:22:38 +01:00
mixer.h ALSA: snd-usb: operate on given mixer interface only 2011-08-04 16:24:10 +02:00
pcm.c ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
pcm.h ALSA: usb: refine delay information with USB frame counter 2011-09-12 10:30:20 +02:00
power.h ALSA: usbaudio: implement USB autosuspend 2011-03-11 14:59:29 +01:00
proc.c ALSA: usb-audio: automatically detect feedback format 2010-10-27 09:17:41 +02:00
proc.h ALSA: usb-audio: refactor code 2010-03-05 08:17:14 +01:00
quirks-table.h ALSA: snd-usb: added VOX ToneLab ST midi handling 2011-12-12 12:49:02 +01:00
quirks.c ALSA: usb-audio: Use kmemdup rather than duplicating its implementation 2011-11-10 19:51:45 +01:00
quirks.h ALSA: usb-audio: refactor code 2010-03-05 08:17:14 +01:00
stream.c ALSA: snd-usb: move code from urb.c to endpoint.c 2011-09-14 17:07:03 +02:00
stream.h ALSA: snd-usb: re-order code 2011-09-14 17:07:02 +02:00
usbaudio.h ALSA: usb-audio: add Starr Labs USB MIDI support 2011-08-26 14:12:34 +02:00