From: Takashi Iwai <tiwai@suse.de>
To: Maoyi Xie <maoyixie.tju@gmail.com>
Cc: Daniel Mack <zonque@gmail.com>, Jaroslav Kysela <perex@perex.cz>,
Takashi Iwai <tiwai@suse.com>,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/2] ALSA: caiaq: fix S4 OOB read and bound the EP1 input parsers
Date: Thu, 18 Jun 2026 12:38:08 +0200 [thread overview]
Message-ID: <87bjd8nnfz.wl-tiwai@suse.de> (raw)
In-Reply-To: <178176259547.3343534.6658931377288378506@maoyixie.com>
On Thu, 18 Jun 2026 08:03:15 +0200,
Maoyi Xie wrote:
>
> Hi Takashi,
>
> Thanks for confirming the Traktor Kontrol S4 out-of-bounds read and for
> the follow-up on the neighbouring parsers.
>
> Patch 1 is the actual fix. snd_usb_caiaq_tks4_dispatch() loops on the raw
> urb->actual_length. That value is controlled by the device and is not
> required to be a multiple of the 16-byte message block. Once len drops
> below 16 the unsigned "len -= TKS4_MSGBLOCK_SIZE" underflows. The loop
> then keeps walking buf past ep4_in_buf[EP4_BUFSIZE]. The fix iterates
> only while a full block remains, which also discards any trailing partial
> block. The X1 and Maschine arms already floor the length before dispatch,
> so only the S4 arm was affected.
>
> Patch 2 adds the length checks you suggested to
> snd_caiaq_input_read_erp() and snd_caiaq_input_read_io(). Both are
> reachable through snd_usb_caiaq_input_dispatch(). As you noted,
> snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch()
> already have the length floored by their callers, so they are left
> unchanged. The two parsers patch 2 touches are not an out-of-bounds
> access either. Every offset is a fixed driver constant within the 64-byte
> ep1_in_buf. A short reply does make them decode stale data, though, so the
> guards drop such replies per device path. Patch 2 carries your
> Suggested-by.
>
> Patch 1 carries a Fixes tag and Cc: stable. Patch 2 does not.
>
> Maoyi Xie (2):
> ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input
> parser
> ALSA: caiaq: bound the length in the EP1 input parsers
Applied both patches now. Thanks.
Takashi
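The cover letter above describes the defect as a loop driven by a device-controlled, unsigned length that is not a multiple of the 16-byte message block. The following C program is an added illustration, not code from the caiaq driver or from either poster: it models the loop's control flow with an offset counter instead of a real buffer, so the "before" version reports where the out-of-bounds walk would begin rather than performing it. TKS4_MSGBLOCK_SIZE = 16 comes from the thread; the EP4_BUFSIZE value and the `while (len)` loop condition are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

#define TKS4_MSGBLOCK_SIZE 16   /* message block size stated in the thread */
#define EP4_BUFSIZE        64   /* assumed size of ep4_in_buf for this demo */

/* Model of the loop before the fix. Instead of touching memory it tracks the
 * offset a "buf" pointer would reach. Returns the number of blocks that would
 * be decoded, or -1 as soon as the loop would touch a block lying past
 * ep4_in_buf[EP4_BUFSIZE], which is the out-of-bounds condition. */
static int tks4_walk_before_fix(size_t actual_length)
{
    size_t len = actual_length;        /* unsigned, as in the driver */
    size_t off = 0;
    int blocks = 0;

    while (len) {                      /* assumed loop condition */
        if (off + TKS4_MSGBLOCK_SIZE > EP4_BUFSIZE)
            return -1;                 /* real code would read out of bounds */
        blocks++;
        off += TKS4_MSGBLOCK_SIZE;
        len -= TKS4_MSGBLOCK_SIZE;     /* wraps around once len < 16 */
    }
    return blocks;
}

/* The bounded form described in the cover letter: iterate only while a full
 * block remains, so a trailing partial block is discarded. With
 * actual_length <= EP4_BUFSIZE, off + 16 never exceeds the buffer. */
static int tks4_walk_after_fix(size_t actual_length)
{
    size_t len = actual_length;
    size_t off = 0;
    int blocks = 0;

    while (len >= TKS4_MSGBLOCK_SIZE) {
        blocks++;
        off += TKS4_MSGBLOCK_SIZE;
        len -= TKS4_MSGBLOCK_SIZE;     /* cannot wrap: len >= 16 here */
    }
    return blocks;
}

int main(void)
{
    /* Constructed sample lengths: multiples of 16 and short/odd replies. */
    size_t lengths[] = { 0, 16, 32, 20, 47, 64 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("actual_length=%2zu  before=%2d  after=%d\n", lengths[i],
               tks4_walk_before_fix(lengths[i]),
               tks4_walk_after_fix(lengths[i]));
    return 0;
}
```

For lengths that are exact multiples of 16 both versions agree; for 20 or 47 the unbounded loop runs off the end of the buffer (reported as -1) while the bounded loop decodes only the complete blocks.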