From: Takashi Iwai <tiwai@suse.de>
To: Maoyi Xie <maoyixie.tju@gmail.com>
Cc: Daniel Mack <zonque@gmail.com>, Jaroslav Kysela <perex@perex.cz>,
	Takashi Iwai <tiwai@suse.com>,
	linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/2] ALSA: caiaq: fix S4 OOB read and bound the EP1 input parsers
Date: Thu, 18 Jun 2026 12:38:08 +0200
Message-ID: <87bjd8nnfz.wl-tiwai@suse.de>
In-Reply-To: <178176259547.3343534.6658931377288378506@maoyixie.com>

On Thu, 18 Jun 2026 08:03:15 +0200,
Maoyi Xie wrote:
> 
> Hi Takashi,
> 
> Thanks for confirming the Traktor Kontrol S4 out-of-bounds read and for
> the follow-up on the neighbouring parsers.
> 
> Patch 1 is the actual fix. snd_usb_caiaq_tks4_dispatch() loops on the raw
> urb->actual_length. That value is controlled by the device and is not
> required to be a multiple of the 16-byte message block. Once len drops
> below 16 the unsigned "len -= TKS4_MSGBLOCK_SIZE" underflows. The loop
> then keeps walking buf past ep4_in_buf[EP4_BUFSIZE]. The fix iterates
> only while a full block remains, which also discards any trailing partial
> block. The X1 and Maschine arms already floor the length before dispatch,
> so only the S4 arm was affected.
> 
> Patch 2 adds the length checks you suggested to
> snd_caiaq_input_read_erp() and snd_caiaq_input_read_io(). Both are
> reachable through snd_usb_caiaq_input_dispatch(). As you noted,
> snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch()
> already have the length floored by their callers, so they are left
> unchanged. The two parsers patch 2 touches are not an out-of-bounds
> access either. Every offset is a fixed driver constant within the 64-byte
> ep1_in_buf. A short reply does make them decode stale data, though, so the
> guards drop such replies per device path. Patch 2 carries your
> Suggested-by.
> 
> Patch 1 carries a Fixes tag and Cc: stable. Patch 2 does not.
> 
> Maoyi Xie (2):
>   ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input
>     parser
>   ALSA: caiaq: bound the length in the EP1 input parsers

Applied both patches now.  Thanks.


Takashi
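
The loop shape the quoted cover letter describes, as an added example that is not the caiaq driver's code: a model of the unsigned-underflow walk beside the bounded form of the fix. The function names and the 16-byte block / 64-byte buffer constants are assumptions taken from the thread's description, not the driver's identifiers.

```c
#include <stdio.h>

/* Sizes assumed for this example, modelling the 16-byte message block and
 * the 64-byte EP4 input buffer the thread describes. */
#define TKS4_MSGBLOCK_SIZE 16u
#define EP4_BUFSIZE        64u

/* Loop before the fix: an unsigned length decremented by the block size
 * while non-zero.  Returns the blocks visited, or -1 as soon as the walk
 * would step past ep4_in_buf[EP4_BUFSIZE] (the model never reads it). */
long tks4_blocks_original(unsigned int len)
{
    unsigned int off = 0;
    long blocks = 0;
    while (len > 0) {
        if (off + TKS4_MSGBLOCK_SIZE > EP4_BUFSIZE)
            return -1;              /* would read beyond the buffer */
        blocks++;
        off += TKS4_MSGBLOCK_SIZE;
        len -= TKS4_MSGBLOCK_SIZE;  /* wraps when len < 16 */
    }
    return blocks;
}

/* Loop after the fix: continue only while a full block remains, so a
 * trailing partial block is discarded instead of decoded.  actual_length
 * never exceeds the URB buffer, so no separate bound on off is needed. */
long tks4_blocks_fixed(unsigned int len)
{
    long blocks = 0;
    while (len >= TKS4_MSGBLOCK_SIZE) {
        blocks++;
        len -= TKS4_MSGBLOCK_SIZE;
    }
    return blocks;
}

/* What the unsigned subtraction yields once len is below the block size. */
unsigned int tks4_len_after_underflow(unsigned int len)
{
    return len - TKS4_MSGBLOCK_SIZE;
}
int main(void)
{
    unsigned int lens[] = { 64, 48, 20, 15, 0 };
    for (unsigned int i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("actual_length=%2u original=%ld fixed=%ld\n", lens[i],
               tks4_blocks_original(lens[i]), tks4_blocks_fixed(lens[i]));
    return 0;
}
```

A length that is a whole number of blocks behaves identically in both loops; only a trailing partial block (20 or 15 here) sends the original loop past the buffer.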

Thread overview:
2026-06-18  6:03 [PATCH 0/2] ALSA: caiaq: fix S4 OOB read and bound the EP1 input parsers Maoyi Xie
2026-06-18  6:03 ` [PATCH 1/2] ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser Maoyi Xie
2026-06-18  6:03 ` [PATCH 2/2] ALSA: caiaq: bound the length in the EP1 input parsers Maoyi Xie
2026-06-18 10:38 ` Takashi Iwai [this message]