[Pkg-oss4-maintainers] Bug#775662: oss4: Insufficient validation of USB device descriptors

Ben Hutchings ben at decadent.org.uk
Sun Jan 18 10:24:30 UTC 2015 

Source: oss4
Version: 4.2-build2006-2
Severity: critical
Tags: security

[This was originally sent to the security team in 2012 but didn't go
further than that.  However, the code has not changed at all since
then.]

In kernel/drv/oss_usb/oss_usb.c:

- count_source_controls(), add_controls_for_mixer(),
  add_controls_for_proc(), add_controls_for_selector(),
  translate_feature_mask_usb2(), translate_feature_mask(),
  add_controls_for_feature(), traverse_source_controls(),
  traverse_target_controls(), setup_legacy_mixer(),
  get_feature_mask(), mixer_dump() and ossusb_init_audioctl()
  do not check that descriptors are as long as expected.
- setup_legacy_mixer() does not reject invalid source unit numbers.
  These are arbitrary unsigned bytes but used as an index within an
  array of length 40.

In kernel/drv/oss_usb/ossusb_audio.c:

- prepare_altsetting() does not reject altsetting descriptors with an
  invalid terminal link unit number.
- setup_format_I() and setup_format_II() do not check that descriptors
  are as long as expected.

In kernel/drv/oss_usb/ossusb_midi.c:

- ossusb_init_midistream() does not check that descriptors are as
  long as expected.  (It requires that an altsetting descriptor is
  at least 3 bytes long, but may use more than that.)

While unit numbers are validated in some places, validation is
inconsistent and probably wrong:

      if (un->source <= 0 && un->source < devc->nunits)
    if (*d > 0 && *d < devc->nunits)
  if (portc->terminal_link > 0 && portc->terminal_link <= devc->nunits)

An invalid USB device descriptor may cause memory corruption or a
crash.

I didn't find any case where the driver would copy a lot of data from
the device descriptor, but I know people manage to exploit bugs for
privilege escalation even though they provide only very limited control
over the data to be written.

[I just noticed another bug in count_source_controls():

  un = &devc->units[unit];
  d = un->desc;

  if (un == NULL)
    return 0;

It's a bit late to be checking for a null pointer here.  Thankfully this
shouldn't cause anything worse than a crash on Linux.]

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-oss4-maintainers/attachments/20150118/4e157fcb/attachment.sig>

More information about the Pkg-oss4-maintainers mailing list