This is a note to let you know that I've just added the patch titled ALSA: usb-audio: Validate MS endpoint descriptors to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: alsa-usb-audio-validate-ms-endpoint-descriptors.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e84749a78dc82bc545f12ce009e3dbcc2c5a8a91 Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai@xxxxxxx> Date: Mon, 10 May 2021 17:06:59 +0200 Subject: ALSA: usb-audio: Validate MS endpoint descriptors From: Takashi Iwai <tiwai@xxxxxxx> commit e84749a78dc82bc545f12ce009e3dbcc2c5a8a91 upstream. snd_usbmidi_get_ms_info() may access beyond the border when a malformed descriptor is passed. This patch adds the sanity checks of the given MS endpoint descriptors, and skips invalid ones. Reported-by: syzbot+6bb23a5d5548b93c94aa@xxxxxxxxxxxxxxxxxxxxxxxxx Cc: <stable@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20210510150659.17710-1-tiwai@xxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/usb/midi.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1889,8 +1889,12 @@ static int snd_usbmidi_get_ms_info(struc ms_ep = find_usb_ms_endpoint_descriptor(hostep); if (!ms_ep) continue; + if (ms_ep->bLength <= sizeof(*ms_ep)) + continue; if (ms_ep->bNumEmbMIDIJack > 0x10) continue; + if (ms_ep->bLength < sizeof(*ms_ep) + ms_ep->bNumEmbMIDIJack) + continue; if (usb_endpoint_dir_out(ep)) { if (endpoints[epidx].out_ep) { if (++epidx >= MIDI_MAX_ENDPOINTS) { Patches currently in stable-queue which might be from tiwai@xxxxxxx are queue-5.10/alsa-hda-realtek-fix-silent-headphone-output-on-asus-ux430ua.patch queue-5.10/alsa-hda-realtek-add-fixup-for-hp-omen-laptop.patch queue-5.10/alsa-intel8x0-don-t-update-period-unless-prepared.patch queue-5.10/alsa-hda-realtek-reset-eapd-coeff-to-default-value-for-alc287.patch queue-5.10/alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch queue-5.10/alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-d.2-pro.patch queue-5.10/alsa-line6-fix-racy-initialization-of-line6-midi.patch queue-5.10/alsa-firewire-lib-fix-calculation-for-size-of-ir-context-payload.patch queue-5.10/alsa-hda-realtek-add-fixup-for-hp-spectre-x360-15-df0xxx.patch queue-5.10/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch queue-5.10/alsa-dice-fix-stream-format-at-middle-sampling-rate-for-alesis-io-26.patch queue-5.10/alsa-firewire-lib-fix-check-for-the-size-of-isochronous-packet-payload.patch queue-5.10/alsa-usb-audio-validate-ms-endpoint-descriptors.patch queue-5.10/revert-alsa-sb8-add-a-check-for-request_region.patch queue-5.10/alsa-hda-fixup-headset-for-asus-gu502-laptop.patch queue-5.10/alsa-hda-realtek-add-some-clove-ssids-of-alc293.patch