From: Takashi Iwai <tiwai@suse.de>
To: Berk Cem Goksel <berkcgoksel@gmail.com>
Cc: zonque@gmail.com, tiwai@suse.de, linux-sound@vger.kernel.org,
stable@vger.kernel.org, andreyknvl@gmail.com
Subject: Re: [PATCH] ALSA: caiaq: fix stack out-of-bounds read in init_card
Date: Mon, 30 Mar 2026 09:33:07 +0200 [thread overview]
Message-ID: <87se9hu5zg.wl-tiwai@suse.de> (raw)
In-Reply-To: <20260329133825.581585-1-berkcgoksel@gmail.com>
On Sun, 29 Mar 2026 15:38:25 +0200,
Berk Cem Goksel wrote:
>
> The loop creates a whitespace-stripped copy of the card shortname
> where `len < sizeof(card->id)` is used for the bounds check. Since
> sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
> writing 16 non-space characters fills the entire buffer,
> overwriting the terminating nullbyte.
>
> When this non-null-terminated string is later passed to
> snd_card_set_id() -> copy_valid_id_string(), the function scans
> forward with `while (*nid && ...)` and reads past the end of the
> stack buffer, reading the contents of the stack.
>
> A USB device with a product name containing many non-ASCII, non-space
> characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
>
> BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
> sound/core/init.c:696 [inline]
> BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
> sound/core/init.c:718
>
> The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
> snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
> which first introduced this whitespace-stripping loop. The original
> code never accounted for the null terminator when bounding the copy.
>
> Fix this by changing the loop bound to `sizeof(card->id) - 1`,
> ensuring at least one byte remains as the null terminator.
>
> Fixes: bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname")
> Cc: stable@vger.kernel.org
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Reported-by: Berk Cem Goksel <berkcgoksel@gmail.com>
> Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Applied now. Thanks.
Takashi
prev parent reply other threads:[~2026-03-30 7:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 13:38 [PATCH] ALSA: caiaq: fix stack out-of-bounds read in init_card Berk Cem Goksel
2026-03-30 7:33 ` Takashi Iwai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87se9hu5zg.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=andreyknvl@gmail.com \
--cc=berkcgoksel@gmail.com \
--cc=linux-sound@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zonque@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox