ALSA: firewire: isight: possible out of bounds write from a device sample count

From: Maoyi Xie

Date: Thu Jun 18 2026 - 07:52:14 EST


Hi all,

I think isight_samples() in sound/firewire/isight.c can write past the PCM
DMA buffer when an iSight reports a large sample count. I would appreciate
it if you could take a look.

isight_packet() reads two values straight from the device iso packet.

length = be32_to_cpup(header) >> 16;
...
count = be32_to_cpu(payload->sample_count);
if (likely(count <= (length - 16) / 4))
	isight_samples(isight, payload->samples, count);

length is the iso header data_length and count is the payload sample_count,
both from the device. The only check on count is against the device-claimed
length, not against the PCM buffer. With length up to 0xffff the gate allows
count up to about 16379 frames.

isight_samples() then copies count frames into runtime->dma_area. It never
clamps count to runtime->buffer_size. isight_open() sets period_bytes_min
to 1900 and periods_min to 2, so the smallest buffer is 950 frames, about
3800 bytes. A device that reports a count near 16379 makes the copy run far
past the buffer, tens of kilobytes out of bounds.

The sibling drop path isight_dropped_samples() does clamp the count against
runtime->buffer_size before it advances the pointer. The sample copy path
is missing the same bound.

The controller does not catch this either. The iso header data_length is
DMA-written from the device packet and is never compared against the queued
payload_length, so a device can over-report the length.

The attacker here is a malicious or faulty Apple iSight on the FireWire
bus. The host only needs the capture stream open and running, which is
normal use of the microphone.

I reproduced it under KASAN on 7.1-rc7. A count of 16379 makes KASAN report
a slab-out-of-bounds write past the PCM DMA buffer. A count that fits the
buffer stays clean.

The fix I tried clamps count to runtime->buffer_size in isight_samples
before the copy, mirroring isight_dropped_samples.
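Added example, written for this report and not taken from the driver: a toy
pcm_model stands in for the runtime fields named above, gate_allows() is the
length-only check from isight_packet(), overrun_bytes() works out how far an
unclamped ring copy of `count` frames would run past a buffer, and
copy_samples_clamped() is the clamp-to-buffer_size shape of the fix. Assumed:
4-byte frames, my own field names, and a copy that wraps once at the buffer end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define FRAME_BYTES 4   /* 2 channels x 16-bit, the "/ 4" in the quoted gate */

/* Constructed stand-in for the snd_pcm_runtime fields the report talks
 * about; the field names are mine, not the driver's. */
struct pcm_model {
	unsigned char *dma_area;
	size_t buffer_size;     /* frames in dma_area */
	size_t buffer_pointer;  /* next frame to fill */
};

/* The gate in isight_packet(): count only has to fit the device-claimed
 * iso data_length, so a 16-bit length admits counts up to 16379. */
static int gate_allows(uint32_t length, uint32_t count)
{
	return length >= 16 && count <= (length - 16) / FRAME_BYTES;
}

/* Bytes a two-piece ring copy of `count` frames would write past the end
 * of dma_area.  This models the unclamped copy instead of performing it. */
static size_t overrun_bytes(const struct pcm_model *rt, size_t count)
{
	size_t room = rt->buffer_size - rt->buffer_pointer;
	if (count <= room)
		return 0;
	size_t wrapped = count - room;  /* frames copied from offset 0 */
	return wrapped > rt->buffer_size ? (wrapped - rt->buffer_size) * FRAME_BYTES : 0;
}

/* Hardened copy: clamp count to buffer_size the way isight_dropped_samples()
 * does, then copy in at most two pieces.  Returns frames actually copied. */
static size_t copy_samples_clamped(struct pcm_model *rt,
				   const unsigned char *samples, size_t count)
{
	if (count > rt->buffer_size)
		count = rt->buffer_size;
	size_t room = rt->buffer_size - rt->buffer_pointer;
	unsigned char *dst = rt->dma_area + rt->buffer_pointer * FRAME_BYTES;
	if (count <= room) {
		memcpy(dst, samples, count * FRAME_BYTES);
	} else {
		memcpy(dst, samples, room * FRAME_BYTES);
		memcpy(rt->dma_area, samples + room * FRAME_BYTES, (count - room) * FRAME_BYTES);
	}
	rt->buffer_pointer = (rt->buffer_pointer + count) % rt->buffer_size;
	return count;
}
```

With the smallest buffer from isight_open() (950 frames) and the largest
count the gate admits (16379), overrun_bytes() comes out at 57916 bytes,
while the clamped copy never writes more than one buffer's worth.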

Does this look like a real bug to you? If it does I am happy to send a
proper patch with a Fixes tag pointing at 3a691b28a0ca ("ALSA: add Apple
iSight microphone driver").

Thanks,
Maoyi
https://maoyixie.com/