git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

author	Hui Peng <benquike@gmail.com>
	Thu, 15 Aug 2019 04:31:34 +0000 (00:31 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 6 Sep 2019 08:18:15 +0000 (10:18 +0200)
commit	735a16d1afc01320392669f4ea64c84d435faf1c
tree	e2e186b8533eb9cd78038ab7911cfa0a3cee0f35	tree \| snapshot
parent	1a48b39d1885a7a1fe92e96ada091b7b1ea6dd35	commit \| diff

ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term

commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.

`check_input_term` recursively calls itself with input from
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
as argument (id). In `check_input_term`, if `check_input_term`
is called with the same `id` argument as the caller, it triggers
endless recursive call, resulting kernel space stack overflow.

This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has been checked (similar to how parse_audio_unit handles unitid
argument).

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>