[PATCH 0/2] ALSA: usb-audio: Fix endpoint-extra bounds checks in USB MIDI parsers

[PATCH 0/2] ALSA: usb-audio: Fix endpoint-extra bounds checks in USB MIDI parsers

[Cássio Gabriel]

Both the legacy USB MIDI and USB MIDI 2.0 endpoint descriptor
walkers can return a class-specific endpoint descriptor without
first checking that bLength fits in the remaining endpoint-extra
scan.

The later parsers validate the internal flexible-array sizes
before reading baAssocJackID[] or baAssoGrpTrmBlkID[], but they
still trust the descriptor returned by the walker. A malformed
device can therefore make the parser consume bytes past
the walked descriptor span.

- Patch 1 bounds the legacy MIDI endpoint descriptor walk.
- Patch 2 applies the same fix to the MIDI 2.0 endpoint descriptor walk.

No behavior changes for valid devices; malformed endpoint-extra descriptors
are now rejected during parsing instead.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
Cássio Gabriel (2):
      ALSA: usb-audio: Bound MIDI endpoint descriptor scans
      ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

 sound/usb/midi.c  | 12 +++++++-----
 sound/usb/midi2.c | 12 +++++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)
---
base-commit: 627f14c46d507a5f14a159d27c0042a6811903d6
change-id: 20260423-usb-midi-endpoint-scan-bounds-3d67b2b5f45c

Best regards,
--  
Cássio Gabriel <cassiogabrielcontato@gmail.com>

[PATCH 1/2] ALSA: usb-audio: Bound MIDI endpoint descriptor scans

[Cássio Gabriel]

snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.

Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/midi.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 0a5b8941ebda..d87e3f357cf7 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1951,15 +1951,17 @@ static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor(
 	while (extralen > 3) {
 		struct usb_ms_endpoint_descriptor *ms_ep =
 				(struct usb_ms_endpoint_descriptor *)extra;
+		int length = ms_ep->bLength;
 
-		if (ms_ep->bLength > 3 &&
+		if (!length || length > extralen)
+			break;
+
+		if (length > 3 &&
 		    ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
 		    ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
 			return ms_ep;
-		if (!extra[0])
-			break;
-		extralen -= extra[0];
-		extra += extra[0];
+		extralen -= length;
+		extra += length;
 	}
 	return NULL;
 }

-- 
2.54.0

[PATCH 2/2] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

[Cássio Gabriel]

The USB MIDI 2.0 endpoint parser has the same descriptor walking
pattern as the legacy MIDI parser. It validates bLength against
bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the
remaining bytes in the endpoint-extra scan.

A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.

Reject zero-length and overlong descriptors while walking endpoint
extras.

Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/midi2.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/usb/midi2.c b/sound/usb/midi2.c
index 2785600d2312..04aeb9052f13 100644
--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -496,15 +496,17 @@ static void *find_usb_ms_endpoint_descriptor(struct usb_host_endpoint *hostep,
 	while (extralen > 3) {
 		struct usb_ms_endpoint_descriptor *ms_ep =
 			(struct usb_ms_endpoint_descriptor *)extra;
+		int length = ms_ep->bLength;
 
-		if (ms_ep->bLength > 3 &&
+		if (!length || length > extralen)
+			break;
+
+		if (length > 3 &&
 		    ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
 		    ms_ep->bDescriptorSubtype == subtype)
 			return ms_ep;
-		if (!extra[0])
-			break;
-		extralen -= extra[0];
-		extra += extra[0];
+		extralen -= length;
+		extra += length;
 	}
 	return NULL;
 }

-- 
2.54.0

Re: [PATCH 0/2] ALSA: usb-audio: Fix endpoint-extra bounds checks in USB MIDI parsers

[Takashi Iwai]

On Thu, 07 May 2026 05:40:50 +0200,
Cássio Gabriel wrote:
> 
> Both the legacy USB MIDI and USB MIDI 2.0 endpoint descriptor
> walkers can return a class-specific endpoint descriptor without
> first checking that bLength fits in the remaining endpoint-extra
> scan.
> 
> The later parsers validate the internal flexible-array sizes
> before reading baAssocJackID[] or baAssoGrpTrmBlkID[], but they
> still trust the descriptor returned by the walker. A malformed
> device can therefore make the parser consume bytes past
> the walked descriptor span.
> 
> - Patch 1 bounds the legacy MIDI endpoint descriptor walk.
> - Patch 2 applies the same fix to the MIDI 2.0 endpoint descriptor walk.
> 
> No behavior changes for valid devices; malformed endpoint-extra descriptors
> are now rejected during parsing instead.
> 
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> Cássio Gabriel (2):
>       ALSA: usb-audio: Bound MIDI endpoint descriptor scans
>       ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

Applied both to for-linus branch now.  Thanks.


Takashi