* [PATCH] ALSA: dice: fix buffer overflow in detect_stream_formats()
@ 2025-11-28 4:06 Junrui Luo
2025-11-29 9:34 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Junrui Luo @ 2025-11-28 4:06 UTC (permalink / raw)
To: Clemens Ladisch, Takashi Sakamoto, Jaroslav Kysela, Takashi Iwai
Cc: Takashi Iwai, linux-sound, linux-kernel, Yuhao Jiang, Junrui Luo,
stable
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
sound/firewire/dice/dice-extension.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/firewire/dice/dice-extension.c b/sound/firewire/dice/dice-extension.c
index 02f4a8318e38..48bfb3ad93ce 100644
--- a/sound/firewire/dice/dice-extension.c
+++ b/sound/firewire/dice/dice-extension.c
@@ -116,7 +116,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
break;
base_offset += EXT_APP_STREAM_ENTRIES;
- stream_count = be32_to_cpu(reg[0]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count, mode,
dice->tx_pcm_chs,
@@ -125,7 +125,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
break;
base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
- stream_count = be32_to_cpu(reg[1]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count,
mode, dice->rx_pcm_chs,
---
base-commit: aa7243aaf1947a0cb54c44337795d6759493fe02
change-id: 20251128-fixes-658c1dc7a517
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] ALSA: dice: fix buffer overflow in detect_stream_formats()
2025-11-28 4:06 [PATCH] ALSA: dice: fix buffer overflow in detect_stream_formats() Junrui Luo
@ 2025-11-29 9:34 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2025-11-29 9:34 UTC (permalink / raw)
To: Junrui Luo
Cc: Clemens Ladisch, Takashi Sakamoto, Jaroslav Kysela, Takashi Iwai,
Takashi Iwai, linux-sound, linux-kernel, Yuhao Jiang, stable
On Fri, 28 Nov 2025 05:06:31 +0100,
Junrui Luo wrote:
>
> The function detect_stream_formats() reads the stream_count value directly
> from a FireWire device without validating it. This can lead to
> out-of-bounds writes when a malicious device provides a stream_count value
> greater than MAX_STREAMS.
>
> Fix by applying the same validation to both TX and RX stream counts in
> detect_stream_formats().
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Applied now. Thanks.
Takashi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-29 9:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-28 4:06 [PATCH] ALSA: dice: fix buffer overflow in detect_stream_formats() Junrui Luo
2025-11-29 9:34 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox