git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
author Youngjun Lee <yjjuny.lee@samsung.com>
Mon, 23 Jun 2025 11:05:25 +0000 (20:05 +0900)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 6 Jul 2025 09:00:11 +0000 (11:00 +0200)
[ Upstream commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a ]

In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device.

The allocated buffer is cast to a uac3_cluster_header_descriptor
and its fields are accessed without verifying that the buffer
is large enough. If the device returns a smaller than expected
length, this leads to an out-of-bounds read.

Add a length check to ensure the buffer is large enough for
uac3_cluster_header_descriptor.

Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Link: https://patch.msgid.link/20250623-uac3-oob-fix-v1-1-527303eaf40a@samsung.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
sound/usb/stream.c

index e14c725acebf2c1dbf69f56b421081a3beb1b1cb..0f1558ef8555357a671ce28b627589d482f9cc15 100644 (file)
@@ -982,6 +982,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
         * and request Cluster Descriptor
         */
        wLength = le16_to_cpu(hc_header.wLength);
+       if (wLength < sizeof(cluster))
+               return NULL;
        cluster = kzalloc(wLength, GFP_KERNEL);
        if (!cluster)
                return ERR_PTR(-ENOMEM);
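
Review bot: In the added check `if (wLength < sizeof(cluster))`, `cluster` is the pointer that the following line assigns from kzalloc(), so sizeof(cluster) is the size of a pointer, not the size of the uac3_cluster_header_descriptor that the commit message says the buffer must be able to hold. The lower bound therefore follows the architecture's pointer width instead of the descriptor layout; writing `sizeof(*cluster)` would tie the check to the structure whose fields are read afterwards. Separately, this new path returns NULL while the allocation failure two lines below returns ERR_PTR(-ENOMEM); a short comment stating that NULL is the intended result for a device-supplied length that is too small would make the difference between the two error paths explicit.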