Re: [PATCH 6.1.y] ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

[Sasha Levin <sashal@xxxxxxxxxx>]

[ Sasha's backport helper bot ]

Hi,

Found matching upstream commit: b909df18ce2a998afef81d58bbd1a05dc0788c40

Status in newer kernel trees:
6.12.y | Not found
6.11.y | Not found
6.6.y | Not found
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
1:  b909df18ce2a9 ! 1:  3ff25a47e0cd2 ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
    @@ Commit message
         Cc: stable@xxxxxxxxxx
         Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@xxxxxxxxxx
         Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
    +    (cherry picked from commit b909df18ce2a998afef81d58bbd1a05dc0788c40)
    +    Signed-off-by: Benoît Sevens <bsevens@xxxxxxxxxx>
     
      ## sound/usb/quirks.c ##
     @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip,
    @@ sound/usb/quirks.c: static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
      
      	err = usb_reset_configuration(dev);
      	if (err < 0)
    -@@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev)
    +@@ sound/usb/quirks.c: static void mbox3_setup_48_24_magic(struct usb_device *dev)
      static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
      {
      	struct usb_host_config *config = dev->actconfig;
    @@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev)
      	int descriptor_size;
      
     @@ sound/usb/quirks.c: static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
    - 	dev_dbg(&dev->dev, "MBOX3: device initialised!\n");
    + 	dev_dbg(&dev->dev, "device initialised!\n");
      
      	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
     -		&dev->descriptor, sizeof(dev->descriptor));
     -	config = dev->actconfig;
     +		&new_device_descriptor, sizeof(new_device_descriptor));
      	if (err < 0)
    - 		dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err);
    + 		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
     +	if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
    -+		dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n",
    ++		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
     +			new_device_descriptor.bNumConfigurations);
     +	else
     +		memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |