Commit 698cbb71 authored Apr 16, 2024 by Chengfeng Ye Committed by Liu Shixin Apr 16, 2024

ALSA: usb-audio: fix null pointer dereference on pointer cs_desc

mainline inclusion
from mainline-v5.16-rc1
commit b97053df
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNFQ
CVE: CVE-2021-47211

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b97053df0f04747c3c1e021ecbe99db675342954



--------------------------------

The pointer cs_desc return from snd_usb_find_clock_source could
be null, so there is a potential null pointer dereference issue.
Fix this by adding a null check before dereference.

Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Link: https://lore.kernel.org/r/20211024111736.11342-1-cyeaa@connect.ust.hk


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Conflicts:
	sound/usb/clock.c
Signed-off-by: Liu Shixin <liushixin2@huawei.com>

parent 5b8899e6

sound/usb/clock.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -538,11 +538,17 @@ static int set_sample_rate_v2v3(struct snd_usb_audio *chip, int iface,
		struct uac3_clock_source_descriptor *cs_desc;

		cs_desc = snd_usb_find_clock_source_v3(chip->ctrl_intf, clock);
		if (!cs_desc)
		return 0;

		bmControls = le32_to_cpu(cs_desc->bmControls);
		} else {
		struct uac_clock_source_descriptor *cs_desc;

		cs_desc = snd_usb_find_clock_source(chip->ctrl_intf, clock);
		if (!cs_desc)
		return 0;

		bmControls = cs_desc->bmControls;
		}