This is a note to let you know that I've just added the patch titled
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
alsa-usb-fix-ubsan-warning-in-parse_audio_unit.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 3baa763a182de8152b189ade9656d1d652c466c2
Author: Takashi Iwai <tiwai@xxxxxxx>
Date: Sun Jul 28 12:08:55 2024 -0400
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
[ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ]
A malformed USB descriptor may pass the lengthy mixer description with
a lot of channels, and this may overflow the 32bit integer shift
size, as caught by syzbot UBSAN test. Although this won't cause any
real trouble, it's better to address.
This patch introduces a sanity check of the number of channels to bail
out the parsing when too many channels are found.
Reported-by: syzbot+78d5b129a762182225aa@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@xxxxxxxxxx
Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 4b979218d3b0..5163d5e7682e 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2008,6 +2008,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
bmaControls = ftr->bmaControls;
}
+ if (channels > 32) {
+ usb_audio_info(state->chip,
+ "usbmixer: too many channels (%d) in unit %d\n",
+ channels, unitid);
+ return -EINVAL;
+ }
+
/* parse the source unit */
err = parse_audio_unit(state, hdr->bSourceID);
if (err < 0)
