Commit d7be29a4 authored May 08, 2024 by Dongxiang Ke Committed by Lin Yujun May 08, 2024

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

stable inclusion
from stable-v4.19.258
commit 2a308e415d247a23d4d64c964c02e782eede2936
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9LKC3
CVE: CVE-2022-48701

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2a308e415d247a23d4d64c964c02e782eede2936



--------------------------------

commit e53f47f6 upstream.

There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
the number of it's interfaces less than 4, an out-of-bounds read bug occurs
when parsing the interface descriptor for this device.

Fix this by checking the number of interfaces.

Signed-off-by: Dongxiang Ke <kdx.glider@gmail.com>
Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lin Yujun <linyujun809@huawei.com>

parent b9f13a64

sound/usb/stream.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1110,7 +1110,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
		* Dallas DS4201 workaround: It presents 5 altsettings, but the last
		* one misses syncpipe, and does not produce any sound.
		*/
		if (chip->usb_id == USB_ID(0x04fa, 0x4201))
		if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
		num = 4;

		for (i = 0; i < num; i++) {