* [PATCH] ALSA: usb-audio: Use correct version for UAC3 header validation
@ 2026-02-26 1:08 Jun Seo
2026-02-26 6:38 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Jun Seo @ 2026-02-26 1:08 UTC (permalink / raw)
To: tiwai, perex; +Cc: linux-sound, linux-kernel, stable, Jun Seo
The entry of the validators table for UAC3 AC header descriptor is
defined with the wrong protocol version UAC_VERSION_2, while it should
have been UAC_VERSION_3. This results in the validator never matching
for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
header descriptors to bypass validation entirely. A malicious USB
device presenting a truncated UAC3 header could exploit this to cause
out-of-bounds reads when the driver later accesses unvalidated
descriptor fields.
The bug was introduced in the same commit as the recently fixed UAC3
feature unit sub-type typo, and appears to be from the same copy-paste
error when the UAC3 section was created from the UAC2 section.
Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jun Seo <jun.seo.93@proton.me>
---
sound/usb/validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/validate.c b/sound/usb/validate.c
index 4bb4893f6e74..f62b7cc041dc 100644
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -281,7 +281,7 @@ static const struct usb_desc_validator audio_validators[] = {
/* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC3 */
- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
+ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
struct uac3_input_terminal_descriptor),
FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
--
2.53.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ALSA: usb-audio: Use correct version for UAC3 header validation
2026-02-26 1:08 [PATCH] ALSA: usb-audio: Use correct version for UAC3 header validation Jun Seo
@ 2026-02-26 6:38 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2026-02-26 6:38 UTC (permalink / raw)
To: Jun Seo; +Cc: tiwai, perex, linux-sound, linux-kernel, stable, Jun Seo
On Thu, 26 Feb 2026 02:08:20 +0100,
Jun Seo wrote:
>
> The entry of the validators table for UAC3 AC header descriptor is
> defined with the wrong protocol version UAC_VERSION_2, while it should
> have been UAC_VERSION_3. This results in the validator never matching
> for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
> header descriptors to bypass validation entirely. A malicious USB
> device presenting a truncated UAC3 header could exploit this to cause
> out-of-bounds reads when the driver later accesses unvalidated
> descriptor fields.
>
> The bug was introduced in the same commit as the recently fixed UAC3
> feature unit sub-type typo, and appears to be from the same copy-paste
> error when the UAC3 section was created from the UAC2 section.
>
> Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Jun Seo <jun.seo.93@proton.me>
Thanks, applied now.
Takashi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-26 6:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-26 1:08 [PATCH] ALSA: usb-audio: Use correct version for UAC3 header validation Jun Seo
2026-02-26 6:38 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox