Skip to content

{ciqlts9_2} ALSA: usb-audio: Fix out of bounds reads when finding clock sources#241

Merged
PlaidCat merged 1 commit intociqlts9_2from
{ajain}_ciqlts9_2
May 2, 2025
Merged

{ciqlts9_2} ALSA: usb-audio: Fix out of bounds reads when finding clock sources#241
PlaidCat merged 1 commit intociqlts9_2from
{ajain}_ciqlts9_2

Conversation

@jainanmol84
Copy link

@jainanmol84 jainanmol84 commented May 2, 2025

  • Commit Message Requirements
  • Built against Vault/LTS Environment
  • kABI Check Passed, where Valid (Pre 9.4 RT does not have kABI stability)
  • Boot Test
  • Kernel SelfTest results
  • Additional Tests as determined relevant

Commit message

jira VULN-46532
cve CVE-2024-53150
commit-author Takashi Iwai <tiwai@suse.de>
commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6

The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors.  That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal.  When the descriptor length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

	Reported-by: Benoît Sevens <bsevens@google.com>
	Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)
	Signed-off-by: Anmol Jain <ajain@ciq.com>

Kernel build logs

/home/anmol/kernel-src-tree
no .config file found, moving on
[TIMER]{MRPROPER}: 0s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-_ajain__ciqlts9_2-4278f6283"
Making olddefconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/confdata.o
  HOSTCC  scripts/kconfig/expr.o
  LEX     scripts/kconfig/lexer.lex.c
  YACC    scripts/kconfig/parser.tab.[ch]
  HOSTCC  scripts/kconfig/lexer.lex.o
  HOSTCC  scripts/kconfig/menu.o
  HOSTCC  scripts/kconfig/parser.tab.o
  HOSTCC  scripts/kconfig/preprocess.o
  HOSTCC  scripts/kconfig/symbol.o
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
    [--snip--]
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/snd-usbmidi-lib.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/snd-usbmidi-lib.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/virtio/virtio_snd.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/virtio/virtio_snd.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/sound/xen/snd_xen_front.ko
  INSTALL /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/virt/lib/irqbypass.ko
  STRIP   /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-_ajain__ciqlts9_2-4278f6283+
[TIMER]{MODULES}: 36s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-_ajain__ciqlts9_2-4278f6283+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 42s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-_ajain__ciqlts9_2-35c80df27+ and Index to 2
The default is /boot/loader/entries/c0d861f4dcc048a1831709161fca1f03-5.14.0-_ajain__ciqlts9_2-35c80df27+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-_ajain__ciqlts9_2-35c80df27+
The default is /boot/loader/entries/c0d861f4dcc048a1831709161fca1f03-5.14.0-_ajain__ciqlts9_2-35c80df27+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-_ajain__ciqlts9_2-35c80df27+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 0s
[TIMER]{BUILD}: 3166s
[TIMER]{MODULES}: 36s
[TIMER]{INSTALL}: 42s
[TIMER]{TOTAL} 3250s
Rebooting in 10 seconds

kernel-build.log

Kselftests

$ grep '^ok ' kselftest-before.log | wc -l && grep '^ok ' kselftest-after.log | wc -l
316
314

$ grep '^not ok ' kselftest-before.log | wc -l && grep '^not ok ' kselftest-after.log | wc -l
67
69
kselftest-after.log
kselftest-before.log

@jainanmol84
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
4278f62 
jira VULN-46532
cve CVE-2024-53150
commit-author Takashi Iwai <tiwai@suse.de>
commit a3dd4d6

The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.  That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal.  When the descriptor
length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.

	Reported-by: Benoît Sevens <bsevens@google.com>
	Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit a3dd4d6)
	Signed-off-by: Anmol Jain <ajain@ciq.com>
@bmastbergen bmastbergen self-requested a review May 2, 2025 19:29
bmastbergen
bmastbergen approved these changes May 2, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🥌 Thanks Anmol!

PlaidCat
PlaidCat approved these changes May 2, 2025
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat merged commit d0b4f23 into ciqlts9_2 May 2, 2025
3 checks passed
@jainanmol84 jainanmol84 deleted the {ajain}_ciqlts9_2 branch August 6, 2025 11:12
bmastbergen pushed a commit to bmastbergen/kernel-src-tree that referenced this pull request Aug 29, 2025
@PlaidCat
selftests/bpf: Add mprog API tests for BPF tcx opts
78b9f42 
jira LE-1907
Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4
commit-author Daniel Borkmann <daniel@iogearbox.net>
commit cd13c91

Add a big batch of test coverage to assert all aspects of the tcx opts
attach, detach and query API:

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ctrliq#238     tc_opts_after:OK
  ctrliq#239     tc_opts_append:OK
  ctrliq#240     tc_opts_basic:OK
  ctrliq#241     tc_opts_before:OK
  ctrliq#242     tc_opts_chain_classic:OK
  ctrliq#243     tc_opts_demixed:OK
  ctrliq#244     tc_opts_detach:OK
  ctrliq#245     tc_opts_detach_after:OK
  ctrliq#246     tc_opts_detach_before:OK
  ctrliq#247     tc_opts_dev_cleanup:OK
  ctrliq#248     tc_opts_invalid:OK
  ctrliq#249     tc_opts_mixed:OK
  ctrliq#250     tc_opts_prepend:OK
  ctrliq#251     tc_opts_replace:OK
  ctrliq#252     tc_opts_revision:OK
  Summary: 15/0 PASSED, 0 SKIPPED, 0 FAILED

	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20230719140858.13224-8-daniel@iogearbox.net
	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit cd13c91)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen pushed a commit to bmastbergen/kernel-src-tree that referenced this pull request Aug 29, 2025
@PlaidCat
selftests/bpf: Add various more tcx test cases
1bd1f2d 
jira LE-1907
Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4
commit-author Daniel Borkmann <daniel@iogearbox.net>
commit ccd9a8b

Add several new tcx test cases to improve test coverage. This also includes
a few new tests with ingress instead of clsact qdisc, to cover the fix from
commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free").

  # ./test_progs -t tc
  [...]
  ctrliq#234     tc_links_after:OK
  ctrliq#235     tc_links_append:OK
  ctrliq#236     tc_links_basic:OK
  ctrliq#237     tc_links_before:OK
  ctrliq#238     tc_links_chain_classic:OK
  ctrliq#239     tc_links_chain_mixed:OK
  ctrliq#240     tc_links_dev_cleanup:OK
  ctrliq#241     tc_links_dev_mixed:OK
  ctrliq#242     tc_links_ingress:OK
  ctrliq#243     tc_links_invalid:OK
  ctrliq#244     tc_links_prepend:OK
  ctrliq#245     tc_links_replace:OK
  ctrliq#246     tc_links_revision:OK
  ctrliq#247     tc_opts_after:OK
  ctrliq#248     tc_opts_append:OK
  ctrliq#249     tc_opts_basic:OK
  ctrliq#250     tc_opts_before:OK
  ctrliq#251     tc_opts_chain_classic:OK
  ctrliq#252     tc_opts_chain_mixed:OK
  ctrliq#253     tc_opts_delete_empty:OK
  ctrliq#254     tc_opts_demixed:OK
  ctrliq#255     tc_opts_detach:OK
  ctrliq#256     tc_opts_detach_after:OK
  ctrliq#257     tc_opts_detach_before:OK
  ctrliq#258     tc_opts_dev_cleanup:OK
  ctrliq#259     tc_opts_invalid:OK
  ctrliq#260     tc_opts_mixed:OK
  ctrliq#261     tc_opts_prepend:OK
  ctrliq#262     tc_opts_replace:OK
  ctrliq#263     tc_opts_revision:OK
  [...]
  Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED

	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net
	Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
(cherry picked from commit ccd9a8b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
github-actions bot pushed a commit that referenced this pull request Mar 27, 2026
@hyperenju @anguy11
iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
fecacfc 
iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the
value could change in runtime, we should use num_tx_queues instead.

Moreover iavf_get_ethtool_stats() uses num_active_queues while
iavf_get_sset_count() and iavf_get_stat_strings() use
real_num_tx_queues, which triggers out-of-bounds writes when we do
"ethtool -L" and "ethtool -S" simultaneously [1].

For example when we change channels from 1 to 8, Thread 3 could be
scheduled before Thread 2, and out-of-bounds writes could be triggered
in Thread 3:

Thread 1 (ethtool -L)       Thread 2 (work)        Thread 3 (ethtool -S)
iavf_set_channels()
...
iavf_alloc_queues()
-> num_active_queues = 8
iavf_schedule_finish_config()
                                                   iavf_get_sset_count()
                                                   real_num_tx_queues: 1
                                                   -> buffer for 1 queue
                                                   iavf_get_ethtool_stats()
                                                   num_active_queues: 8
                                                   -> out-of-bounds!
                            iavf_finish_config()
                            -> real_num_tx_queues = 8

Use immutable num_tx_queues in all related functions to avoid the issue.

[1]
 BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270
 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800

 CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6f/0xb0
  print_report+0x170/0x4f3
  kasan_report+0xe1/0x180
  iavf_add_one_ethtool_stat+0x200/0x270
  iavf_get_ethtool_stats+0x14c/0x2e0
  __dev_ethtool+0x3d0c/0x5830
  dev_ethtool+0x12d/0x270
  dev_ioctl+0x53c/0xe30
  sock_do_ioctl+0x1a9/0x270
  sock_ioctl+0x3d4/0x5e0
  __x64_sys_ioctl+0x137/0x1c0
  do_syscall_64+0xf3/0x690
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f7da0e6e36d
 ...
  </TASK>

 The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830
 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000
 index:0xffff88813a013de0 pfn:0x13a013
 flags: 0x200000000000000(node=0|zone=2)
 raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
 raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                    ^
  ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fixes: 64430f7 ("iavf: Fix displaying queue statistics shown by ethtool")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PlaidCat PlaidCat PlaidCat approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@bmastbergen bmastbergen Awaiting requested review from bmastbergen

@thefossguy-ciq thefossguy-ciq Awaiting requested review from thefossguy-ciq

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jainanmol84 @PlaidCat @bmastbergen