git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Sun, 9 Nov 2025 09:12:07 +0000 (10:12 +0100)
committer	Takashi Iwai <tiwai@suse.de>
	Mon, 10 Nov 2025 09:48:45 +0000 (10:48 +0100)
commit	05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf
tree	4f896f7eff5298854f359997ccd299ad9c2a5d6d	tree \| snapshot
parent	7a39c723b7472b8aaa2e0a67d2b6c7cf1c45cafb	commit \| diff

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically.  The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor.  OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above.  This results in a buffer overflow, as reported
by syzbot.

Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor.  So the best option would be just to return an error at
the parameter setup time before doing any further operations.

This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize.  The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].

Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
Cc: Lizhi Xu <lizhi.xu@windriver.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>