ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
commit2bac3a35488148f066d355ebfe44a872aa9a7546
authorHui Peng <benquike@gmail.com>
Thu, 15 Aug 2019 04:31:34 +0000 (15 00:31 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 6 Sep 2019 08:19:44 +0000 (6 10:19 +0200)
tree44200f9cd507e16c3f377ddcd1602988ee1b5644
parent669a50559acf0f6c47a3f61d627c81758358e29f
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term

commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.

`check_input_term` recursively calls itself with input from
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
endless recursive call, resulting kernel space stack overflow.

This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has been checked (similar to how parse_audio_unit handles unitid
argument).

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/usb/mixer.c