From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>,
syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, xristos.thes@gmail.com,
peter.ujfalusi@linux.intel.com, kl@kl.wtf,
linux-sound@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 4/4] ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Date: Sun, 28 Jul 2024 12:10:53 -0400 [thread overview]
Message-ID: <20240728161055.2054513-4-sashal@kernel.org> (raw)
In-Reply-To: <20240728161055.2054513-1-sashal@kernel.org>
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ]
A malformed USB descriptor may pass the lengthy mixer description with
a lot of channels, and this may overflow the 32bit integer shift
size, as caught by syzbot UBSAN test. Although this won't cause any
real trouble, it's better to address.
This patch introduces a sanity check of the number of channels to bail
out the parsing when too many channels are found.
Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com
Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 6c8cdce8156be..fbfb729212d3b 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1921,6 +1921,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
bmaControls = ftr->bmaControls;
}
+ if (channels > 32) {
+ usb_audio_info(state->chip,
+ "usbmixer: too many channels (%d) in unit %d\n",
+ channels, unitid);
+ return -EINVAL;
+ }
+
/* parse the source unit */
err = parse_audio_unit(state, hdr->bSourceID);
if (err < 0)
--
2.43.0
prev parent reply other threads:[~2024-07-28 16:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-28 16:10 [PATCH AUTOSEL 4.19 1/4] PCI: Add ACS quirk for Broadcom BCM5760X NIC Sasha Levin
2024-07-28 16:10 ` [PATCH AUTOSEL 4.19 2/4] PCI/AER: Disable AER service on suspend Sasha Levin
2024-07-28 16:10 ` [PATCH AUTOSEL 4.19 3/4] PCI: Add missing bridge lock to pci_bus_lock() Sasha Levin
2024-07-28 16:10 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240728161055.2054513-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kl@kl.wtf \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=perex@perex.cz \
--cc=peter.ujfalusi@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
--cc=xristos.thes@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox