From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
alsa-devel@alsa-project.org, Dongxiang Ke <kdx.glider@gmail.com>,
Takashi Iwai <tiwai@suse.de>,
tiwai@suse.com
Subject: [PATCH AUTOSEL 5.19 14/22] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
Date: Wed, 14 Sep 2022 05:00:55 -0400 [thread overview]
Message-ID: <20220914090103.470630-14-sashal@kernel.org> (raw)
In-Reply-To: <20220914090103.470630-1-sashal@kernel.org>
From: Dongxiang Ke <kdx.glider@gmail.com>
[ Upstream commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf ]
There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
the number of it's interfaces less than 4, an out-of-bounds read bug occurs
when parsing the interface descriptor for this device.
Fix this by checking the number of interfaces.
Signed-off-by: Dongxiang Ke <kdx.glider@gmail.com>
Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index ceb93d798182c..40ce8a1cb318a 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1105,7 +1105,7 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
* Dallas DS4201 workaround: It presents 5 altsettings, but the last
* one misses syncpipe, and does not produce any sound.
*/
- if (chip->usb_id == USB_ID(0x04fa, 0x4201))
+ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
num = 4;
for (i = 0; i < num; i++) {
--
2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dongxiang Ke <kdx.glider@gmail.com>, Takashi Iwai <tiwai@suse.de>,
Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.19 14/22] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
Date: Wed, 14 Sep 2022 05:00:55 -0400 [thread overview]
Message-ID: <20220914090103.470630-14-sashal@kernel.org> (raw)
In-Reply-To: <20220914090103.470630-1-sashal@kernel.org>
From: Dongxiang Ke <kdx.glider@gmail.com>
[ Upstream commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf ]
There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
the number of it's interfaces less than 4, an out-of-bounds read bug occurs
when parsing the interface descriptor for this device.
Fix this by checking the number of interfaces.
Signed-off-by: Dongxiang Ke <kdx.glider@gmail.com>
Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index ceb93d798182c..40ce8a1cb318a 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1105,7 +1105,7 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
* Dallas DS4201 workaround: It presents 5 altsettings, but the last
* one misses syncpipe, and does not produce any sound.
*/
- if (chip->usb_id == USB_ID(0x04fa, 0x4201))
+ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
num = 4;
for (i = 0; i < num; i++) {
--
2.35.1
next prev parent reply other threads:[~2022-09-14 9:03 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 9:00 [PATCH AUTOSEL 5.19 01/22] arm64: dts: juno: Add missing MHU secure-irq Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 02/22] spi: cadence-quadspi: Disable irqs during indirect reads Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 03/22] ASoC: nau8824: Fix semaphore unbalance at error paths Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 04/22] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 05/22] ASoC: fsl_aud2htx: register platform component before registering cpu dai Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 06/22] ASoC: fsl_aud2htx: Add error handler for pm_runtime_enable Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 07/22] scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of DID_REQUEUE Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 08/22] rxrpc: Fix local destruction being repeated Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 09/22] rxrpc: Fix calc of resend age Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 10/22] wifi: mac80211_hwsim: check length for virtio packets Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 11/22] ALSA: hda/sigmatel: Keep power up while beep is enabled Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 12/22] erofs: avoid the potentially wrong m_plen for big pcluster Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 13/22] ALSA: hda/tegra: Align BDL entry to 4KB boundary Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin [this message]
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 14/22] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 15/22] drm/ttm: update bulk move object of ghost BO Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 16/22] net: usb: qmi_wwan: add Quectel RM520N Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 17/22] afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 18/22] scsi: mpt3sas: Fix use-after-free warning Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 19/22] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 20/22] drm/amdgpu: prevent toc firmware memory leak Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 21/22] drm/panfrost: devfreq: set opp to the recommended one to configure regulator Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 22/22] mksysmap: Fix the mismatch of 'L0' symbols in System.map Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220914090103.470630-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alsa-devel@alsa-project.org \
--cc=kdx.glider@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.