On Thu, Dec 05, 2024 at 09:29:25AM +0000, Benoît Sevens wrote:
> From: Takashi Iwai <tiwai@xxxxxxx>
>
> The current USB-audio driver code doesn't check bLength of each
> descriptor at traversing for clock descriptors. That is, when a
> device provides a bogus descriptor with a shorter bLength, the driver
> might hit out-of-bounds reads.
>
> For addressing it, this patch adds sanity checks to the validator
> functions for the clock descriptor traversal. When the descriptor
> length is shorter than expected, it's skipped in the loop.
>
> For the clock source and clock multiplier descriptors, we can just
> check bLength against the sizeof() of each descriptor type.
> OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
> of bNrInPins elements and two more fields at its tail, hence those
> have to be checked in addition to the sizeof() check.
>
> Reported-by: Benoît Sevens <bsevens@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@xxxxxxxxxx
> Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@xxxxxxx
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> (cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)

You did _MUCH_ more than just cherry picking this. Please document your
changes somehow, this is much different from the original commit.

thanks,

greg k-h
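
The clock selector length check described in the quoted commit message, as an added user-space example that is not code from the patch or from the kernel. The struct and function names are hypothetical, and the 2-byte tail (bmControls plus iClockSelector) assumes the UAC2 layout.

```c
#include <stddef.h>
#include <stdint.h>

#define DT_CS_INTERFACE     0x24  /* class-specific interface descriptor */
#define UAC2_CLOCK_SELECTOR 0x0b  /* UAC2 clock selector subtype */
#define UAC2_SEL_TAIL       2     /* assumed: bmControls (1) + iClockSelector (1) */

/* Fixed head of a clock selector descriptor (hypothetical struct name);
 * baCSourceID[bNrInPins] and the tail fields follow it on the wire. */
struct clk_selector_head {
	uint8_t bLength, bDescriptorType, bDescriptorSubtype;
	uint8_t bClockID, bNrInPins;
};

/* Hypothetical validator: true only if bLength covers head + array + tail. */
static int selector_len_ok(const uint8_t *d, size_t tail)
{
	const struct clk_selector_head *cs = (const void *)d;
	if (cs->bLength < sizeof(*cs))
		return 0;               /* too short to even read bNrInPins */
	return cs->bLength >= sizeof(*cs) + cs->bNrInPins + tail;
}

/* Walk a descriptor blob and return the offset of the clock selector with
 * the given ID, or -1. Selectors with a too-short bLength are skipped. */
static long find_clock_selector(const uint8_t *buf, size_t len, uint8_t id)
{
	size_t off = 0;

	while (len - off >= 2) {
		const uint8_t *d = buf + off;
		if (d[0] < 2 || d[0] > len - off)
			break;              /* cannot advance safely: stop walking */
		if (d[1] == DT_CS_INTERFACE && d[0] >= 3 &&
		    d[2] == UAC2_CLOCK_SELECTOR &&
		    selector_len_ok(d, UAC2_SEL_TAIL) && d[3] == id)
			return (long)off;
		off += d[0];
	}
	return -1;
}

int main(void)
{
	/* Constructed sample: a selector claiming 2 pins in only 5 bytes,
	 * then a well-formed 9-byte selector with the same clock ID. */
	static const uint8_t blob[] = { 5, 0x24, 0x0b, 5, 2,
					9, 0x24, 0x0b, 5, 2, 1, 2, 0x03, 0 };
	return find_clock_selector(blob, sizeof(blob), 5) == 5 ? 0 : 1;
}
```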