linux-toradex.git/sound/usb/format.c, branch v3.2.47 Linux kernel for Apalis and Colibri modules ALSA: usb-audio: avoid integer overflow in create_fixed_stream_quirk() 2013-06-19T01:16:42+00:00 Xi Wang xi.wang@gmail.com 2012-02-14T10:18:48+00:00 2c8d23aefec3e8b6a8717a0ea469c332a03b1a8a commit 8866f405efd4171f9d9c91901d2dd02f01bacb60 upstream. A malicious USB device could feed in a large nr_rates value. This would cause the subsequent call to kmemdup() to allocate a smaller buffer than expected, leading to out-of-bounds access. This patch validates the nr_rates value and reuses the limit introduced in commit 4fa0e81b ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 8866f405efd4171f9d9c91901d2dd02f01bacb60 upstream.

A malicious USB device could feed in a large nr_rates value.  This would
cause the subsequent call to kmemdup() to allocate a smaller buffer than
expected, leading to out-of-bounds access.

This patch validates the nr_rates value and reuses the limit introduced
in commit 4fa0e81b ("ALSA: usb-audio: fix possible hang and overflow
in parse_uac2_sample_rate_range()").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() 2013-06-19T01:16:41+00:00 Xi Wang xi.wang@gmail.com 2012-01-08T14:02:52+00:00 c25a53781f61c78bf2a2fa308bbd35b42ba346f6 commit 4fa0e81b83503900be277e6273a79651b375e288 upstream. A malicious USB device may feed in carefully crafted min/max/res values, so that the inner loop in parse_uac2_sample_rate_range() could run for a long time or even never terminate, e.g., given max = INT_MAX. Also nr_rates could be a large integer, which causes an integer overflow in the subsequent call to kmalloc() in parse_audio_format_rates_v2(). Thus, kmalloc() would allocate a smaller buffer than expected, leading to a memory corruption. To exploit the two vulnerabilities, an attacker needs physical access to the machine to plug in a malicious USB device. This patch makes two changes. 1) The type of "rate" is changed to unsigned int, so that the loop could stop once "rate" is larger than INT_MAX. 2) Limit nr_rates to 1024. Suggested-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 4fa0e81b83503900be277e6273a79651b375e288 upstream.

A malicious USB device may feed in carefully crafted min/max/res values,
so that the inner loop in parse_uac2_sample_rate_range() could run for
a long time or even never terminate, e.g., given max = INT_MAX.

Also nr_rates could be a large integer, which causes an integer overflow
in the subsequent call to kmalloc() in parse_audio_format_rates_v2().
Thus, kmalloc() would allocate a smaller buffer than expected, leading
to a memory corruption.

To exploit the two vulnerabilities, an attacker needs physical access
to the machine to plug in a malicious USB device.

This patch makes two changes.

1) The type of "rate" is changed to unsigned int, so that the loop could
   stop once "rate" is larger than INT_MAX.

2) Limit nr_rates to 1024.

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
ALSA: usb-audio: increase control transfer timeout 2011-09-27T07:21:48+00:00 Clemens Ladisch clemens@ladisch.de 2011-09-26T19:15:27+00:00 17d900c4a1b50bc191b3ca58cbd78acc04a1c5b3 There are certain devices that are reportedly so slow that they need more than 100 ms to handle control transfers. Therefore, increase the timeout in mixer(_quirks).c to 1000 ms. The timeout parameter of snd_usb_ctl_msg() is now constant, so we can drop it. Reported-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de> 
There are certain devices that are reportedly so slow that they need
more than 100 ms to handle control transfers.  Therefore, increase the
timeout in mixer(_quirks).c to 1000 ms.

The timeout parameter of snd_usb_ctl_msg() is now constant, so we can
drop it.

Reported-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Merge branch 'topic/misc' into for-linus 2011-05-22T08:01:29+00:00 Takashi Iwai tiwai@suse.de 2011-05-22T08:01:29+00:00 02e5fbf622aabf68bdc02282a17a3aeed054237a 






ALSA: usb-audio: include format.h in format.c
2011-05-18T09:44:41+00:00

Daniel Mack
zonque@gmail.com

2011-05-18T09:28:40+00:00

ee95cb6121dae17bc199cd566503dff1b2dd243b

Just in case a prototype changes, we'll be warned. This also fixes a
sparse warning.

Signed-off-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





Just in case a prototype changes, we'll be warned. This also fixes a
sparse warning.

Signed-off-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>







ALSA: usb-audio - Terratec Aureon 7.1 USB ID as C-Media cm6206 quirks
2011-04-28T16:22:41+00:00

Wolfgang Breyha
wbreyha@gmx.net

2011-04-28T14:18:40+00:00

8129e79ed7932bd11d60518d62434a0b687e5771

This patch adds support for the Terratec Aureon 7.1 USB which uses a
C-Media cm6206 and needs all the quirks already found in the past.

Signed-off-by: Wolfgang Breyha <wbreyha@gmx.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





This patch adds support for the Terratec Aureon 7.1 USB which uses a
C-Media cm6206 and needs all the quirks already found in the past.

Signed-off-by: Wolfgang Breyha <wbreyha@gmx.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>







ALSA: usb-audio: add Edirol SD-90 PCM support
2011-01-10T15:47:10+00:00

Clemens Ladisch
clemens@ladisch.de

2011-01-10T15:30:54+00:00

061b869eca6f725b0119f7dff833288a44bf46c0

Add support for the 24-bit audio I/Os of the Edirol SD-90 interface.

Reported-any-tested-by: Jim Grusendorf <alsa-user@grusendorf.ca>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





Add support for the 24-bit audio I/Os of the Edirol SD-90 interface.

Reported-any-tested-by: Jim Grusendorf <alsa-user@grusendorf.ca>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>







ALSA: usb-audio: fix detection of vendor-specific device protocol settings
2010-09-03T20:36:39+00:00

Clemens Ladisch
clemens@ladisch.de

2010-09-03T08:53:11+00:00

a2acad8298a42b7be684a32fafaf83332bba9c2b

The Audio Class v2 support code in 2.6.35 added checks for the
bInterfaceProtocol field.  However, there are devices (usually those
detected by vendor-specific quirks) that do not have one of the
predefined values in this field, which made the driver reject them.

To fix this regression, restore the old behaviour, i.e., assume that
a device with an unknown bInterfaceProtocol field (other than
UAC_VERSION_2) has more or less UAC-v1-compatible descriptors.

[compile warning fixes by tiwai]

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: Daniel Mack <daniel@caiaq.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





The Audio Class v2 support code in 2.6.35 added checks for the
bInterfaceProtocol field.  However, there are devices (usually those
detected by vendor-specific quirks) that do not have one of the
predefined values in this field, which made the driver reject them.

To fix this regression, restore the old behaviour, i.e., assume that
a device with an unknown bInterfaceProtocol field (other than
UAC_VERSION_2) has more or less UAC-v1-compatible descriptors.

[compile warning fixes by tiwai]

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: Daniel Mack <daniel@caiaq.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>







ALSA: sound/usb/format: silence uninitialized variable warnings
2010-08-15T12:28:20+00:00

Dan Carpenter
error27@gmail.com

2010-08-14T17:29:53+00:00

38d7b08f374b640b00d350ac2d12ffed5d723423

Gcc complains that ret might be used uninitialized:

sound/usb/format.c: In function ‘snd_usb_parse_audio_format’:
sound/usb/format.c:354: warning: ‘ret’ may be used uninitialized in this function
sound/usb/format.c:354: note: ‘ret’ was declared here
sound/usb/format.c:414: warning: ‘ret’ may be used uninitialized in this function
sound/usb/format.c:414: note: ‘ret’ was declared here

I suppose it could be uninitialized if there is ever a UAC_VERSION_3
released. Anyway this patch is worthwhile if only to silence the gcc
warning.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





Gcc complains that ret might be used uninitialized:

sound/usb/format.c: In function ‘snd_usb_parse_audio_format’:
sound/usb/format.c:354: warning: ‘ret’ may be used uninitialized in this function
sound/usb/format.c:354: note: ‘ret’ was declared here
sound/usb/format.c:414: warning: ‘ret’ may be used uninitialized in this function
sound/usb/format.c:414: note: ‘ret’ was declared here

I suppose it could be uninitialized if there is ever a UAC_VERSION_3
released. Anyway this patch is worthwhile if only to silence the gcc
warning.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>







ALSA: usb-audio: simplify control interface access
2010-06-23T14:10:23+00:00

Daniel Mack
daniel@caiaq.de

2010-06-16T15:57:31+00:00

3d8d4dcfd423b01ef7ea7c3c97720764b7adb6df

As the control interface is now carried in struct snd_usb_audio, we can
simplify the API a little and also drop the private ctrlif field from
struct usb_mixer_interface.

Also remove a left-over function prototype in pcm.h.

Signed-off-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>





As the control interface is now carried in struct snd_usb_audio, we can
simplify the API a little and also drop the private ctrlif field from
struct usb_mixer_interface.

Also remove a left-over function prototype in pcm.h.

Signed-off-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>