From: Youngjun Lee
Date: Mon, 23 Jun 2025 11:05:25 +0000 (+0900)
Subject: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
X-Git-Tag: v5.10.240~162
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2dc1c3edf67abd30c757f8054a5da61927cdda21;p=thirdparty%2Fkernel%2Fstable.git

ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()

[ Upstream commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a ]

In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device.

The allocated buffer is cast to a uac3_cluster_header_descriptor
and its fields are accessed without verifying that the buffer
is large enough. If the device returns a smaller than expected
length, this leads to an out-of-bounds read.

Add a length check to ensure the buffer is large enough for
uac3_cluster_header_descriptor.

Signed-off-by: Youngjun Lee
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Link: https://patch.msgid.link/20250623-uac3-oob-fix-v1-1-527303eaf40a@samsung.com
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
---

diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 0c77f244e5d66..d6d3ce9e96373 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -983,6 +983,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, * and request Cluster Descriptor */ wLength = le16_to_cpu(hc_header.wLength); + if (wLength < sizeof(cluster)) + return NULL; cluster = kzalloc(wLength, GFP_KERNEL); if (!cluster) return ERR_PTR(-ENOMEM);
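
Review bot: The added check `if (wLength < sizeof(cluster))` compares against the size of a pointer, not the size of the descriptor. `cluster` is assigned from kzalloc() and NULL-checked in the next lines, so it is a pointer and `sizeof(cluster)` is 4 or 8 depending on the architecture, while the commit message says the goal is a buffer "large enough for uac3_cluster_header_descriptor". Where the pointer is smaller than the header struct, a device-supplied wLength between the two sizes still passes and the later field accesses can read past the allocation. Suggest `sizeof(*cluster)` so the bound tracks the struct definition. Separately, the short-length path returns NULL while the allocation failure just below returns ERR_PTR(-ENOMEM); a one-line comment stating that NULL here means the malformed descriptor is skipped rather than reported as an error would make the intent clear to callers.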