From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com,
Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.10 15/22] ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Date: Thu, 15 Aug 2024 15:25:23 +0200 [thread overview]
Message-ID: <20240815131831.848225473@linuxfoundation.org> (raw)
In-Reply-To: <20240815131831.265729493@linuxfoundation.org>
6.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ]
A malformed USB descriptor may pass the lengthy mixer description with
a lot of channels, and this may overflow the 32bit integer shift
size, as caught by syzbot UBSAN test. Although this won't cause any
real trouble, it's better to address.
This patch introduces a sanity check of the number of channels to bail
out the parsing when too many channels are found.
Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com
Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index d1bdb0b93bda0..8cc2d4937f340 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2021,6 +2021,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
bmaControls = ftr->bmaControls;
}
+ if (channels > 32) {
+ usb_audio_info(state->chip,
+ "usbmixer: too many channels (%d) in unit %d\n",
+ channels, unitid);
+ return -EINVAL;
+ }
+
/* parse the source unit */
err = parse_audio_unit(state, hdr->bSourceID);
if (err < 0)
--
2.43.0
next prev parent reply other threads:[~2024-08-15 13:38 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-15 13:25 [PATCH 6.10 00/22] 6.10.6-rc1 review Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 01/22] exec: Fix ToCToU between perm check and set-uid/gid usage Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 02/22] drm/amd/display: Defer handling mst up request in resume Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 03/22] drm/amd/display: Separate setting and programming of cursor Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 04/22] drm/amd/display: Prevent IPX From Link Detect and Set Mode Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 05/22] LoongArch: Define __ARCH_WANT_NEW_STAT in unistd.h Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 06/22] nvme/pci: Add APST quirk for Lenovo N60z laptop Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 07/22] ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 08/22] bpf, net: Use DEV_STAT_INC() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 09/22] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 10/22] f2fs: fix to cover read extent cache access with lock Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 11/22] fou: remove warn in gue_gro_receive on unsupported protocol Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 12/22] jfs: fix null ptr deref in dtInsertEntry Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 13/22] jfs: Fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 14/22] fs/ntfs3: Do copy_to_user out of run_lock Greg Kroah-Hartman
2024-08-15 13:25 ` Greg Kroah-Hartman [this message]
2024-08-15 13:25 ` [PATCH 6.10 16/22] platform/x86/amd/pmf: Fix to Update HPD Data When ALS is Disabled Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 17/22] platform/x86: ideapad-laptop: introduce a generic notification chain Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 18/22] platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 19/22] platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 20/22] binfmt_flat: Fix corruption when not offsetting data start Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 21/22] drm/amd/display: Solve mst monitors blank out problem after resume Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.10 22/22] drm/amdgpu/display: Fix null pointer dereference in dc_stream_program_cursor_position Greg Kroah-Hartman
2024-08-15 14:41 ` [PATCH 6.10 00/22] 6.10.6-rc1 review Kevin Holm
2024-08-15 15:07 ` Guenter Roeck
2024-08-16 8:51 ` Greg Kroah-Hartman
2024-08-15 18:01 ` Justin Forbes
2024-08-15 18:34 ` Markus Reichelt
2024-08-15 20:26 ` Peter Schneider
2024-08-15 20:32 ` Pavel Machek
2024-08-15 22:13 ` Florian Fainelli
2024-08-16 8:45 ` Anders Roxell
2024-08-16 10:08 ` Christian Heusel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240815131831.848225473@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox