Commit f17d1691 authored Jul 15, 2024 by Takashi Iwai Committed by ZhangPeng Aug 26, 2024

ALSA: usb: Fix UBSAN warning in parse_audio_unit()

stable inclusion
from stable-v6.6.47
commit f95d175a9e5fcf747c3ae87ca2f663cac2d846f6
bugzilla: https://gitee.com/openeuler/kernel/issues/IAHMJO

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f95d175a9e5fcf747c3ae87ca2f663cac2d846f6



--------------------------------

[ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ]

A malformed USB descriptor may pass the lengthy mixer description with
a lot of channels, and this may overflow the 32bit integer shift
size, as caught by syzbot UBSAN test.  Although this won't cause any
real trouble, it's better to address.

This patch introduces a sanity check of the number of channels to bail
out the parsing when too many channels are found.

Reported-by:  <syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com
Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>

parent 82e16f86

sound/usb/mixer.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -2021,6 +2021,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
		bmaControls = ftr->bmaControls;
		}

		if (channels > 32) {
		usb_audio_info(state->chip,
		"usbmixer: too many channels (%d) in unit %d\n",
		channels, unitid);
		return -EINVAL;
		}

		/* parse the source unit */
		err = parse_audio_unit(state, hdr->bSourceID);
		if (err < 0)