* [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
@ 2026-04-24 21:50 Cássio Gabriel
2026-04-27 11:51 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Cássio Gabriel @ 2026-04-24 21:50 UTC (permalink / raw)
To: Takashi Iwai, Jaroslav Kysela, Youngjun Lee
Cc: linux-sound, linux-kernel, stable, Cássio Gabriel
The UAC3 cluster descriptor length check in
snd_usb_get_audioformat_uac3()was added to
make sure that the buffer is large enough for
a struct uac3_cluster_header_descriptor before the
returned data is cast and used.
However, the check uses sizeof(cluster), where cluster
is a pointer, not the size of the descriptor header.
This makes the validation depend on the architecture
pointer size and does not match the intended object size.
Check against sizeof(*cluster) instead.
Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 2532bf97e05e..6c51226f771b 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1003,7 +1003,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
* and request Cluster Descriptor
*/
wLength = le16_to_cpu(hc_header.wLength);
- if (wLength < sizeof(cluster))
+ if (wLength < sizeof(*cluster))
return NULL;
cluster = kzalloc(wLength, GFP_KERNEL);
if (!cluster)
---
base-commit: 876c495d412ef67bd4d0bdc4b74b0bd3d9f4e890
change-id: 20260424-alsa-usb-uac3-cluster-size-4b87d633076a
Best regards,
--
Cássio Gabriel <cassiogabrielcontato@gmail.com>
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
2026-04-24 21:50 [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Cássio Gabriel
@ 2026-04-27 11:51 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2026-04-27 11:51 UTC (permalink / raw)
To: Cássio Gabriel
Cc: Takashi Iwai, Jaroslav Kysela, Youngjun Lee, linux-sound,
linux-kernel, stable
On Fri, 24 Apr 2026 23:50:10 +0200,
Cássio Gabriel wrote:
>
> The UAC3 cluster descriptor length check in
> snd_usb_get_audioformat_uac3()was added to
> make sure that the buffer is large enough for
> a struct uac3_cluster_header_descriptor before the
> returned data is cast and used.
>
> However, the check uses sizeof(cluster), where cluster
> is a pointer, not the size of the descriptor header.
> This makes the validation depend on the architecture
> pointer size and does not match the intended object size.
>
> Check against sizeof(*cluster) instead.
>
> Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Applied now. Thanks.
Takashi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-27 11:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-24 21:50 [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Cássio Gabriel
2026-04-27 11:51 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox