Re: [PATCH v2 5.10.y] ALSA: usb-audio: Fix out of bounds reads when finding clock sources

On Thu, Dec 05, 2024 at 01:07:58PM +0000, Benoît Sevens wrote:
> From: Takashi Iwai <tiwai@xxxxxxx>
> 
> Upstream commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6
> 
> The current USB-audio driver code doesn't check bLength of each
> descriptor at traversing for clock descriptors.  That is, when a
> device provides a bogus descriptor with a shorter bLength, the driver
> might hit out-of-bounds reads.
> 
> For addressing it, this patch adds sanity checks to the validator
> functions for the clock descriptor traversal.  When the descriptor
> length is shorter than expected, it's skipped in the loop.
> 
> For the clock source and clock multiplier descriptors, we can just
> check bLength against the sizeof() of each descriptor type.
> OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
> of bNrInPins elements and two more fields at its tail, hence those
> have to be checked in addition to the sizeof() check.
> 
> This patch ports the upstream commit a3dd4d63eeb4 to trees that do not
> include the refactoring commit 9ec730052fa2 ("ALSA: usb-audio:
> Refactoring UAC2/3 clock setup code"). That commit provides union
> objects for pointing both UAC2 and UAC3 objects and unifies the clock
> source, selector and multiplier helper functions. This means we need to
> perform the check in each version specific helper function, but on the
> other hand do not need to do version specific union dereferencing in the
> macros and helper functions.
> 
> Reported-by: Benoît Sevens <bsevens@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@xxxxxxxxxx
> Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@xxxxxxx
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> (cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)
> Signed-off-by: Benoît Sevens <bsevens@xxxxxxxxxx>
> ---
>  sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++--
>  1 file changed, 30 insertions(+), 2 deletions(-)

What changed in v2?
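
The length rule the quoted commit message describes for the clock selector descriptor, as an added user-space example that is not the kernel's code and not part of this thread. The struct, the function names and the sample bytes are constructed for illustration, and the UAC2 layout (two 1-byte fields after `baCSourceID[]`) is assumed from the UAC2 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define CS_INTERFACE   0x24  /* class-specific interface descriptor type */
#define CLOCK_SELECTOR 0x0b  /* UAC2 clock selector subtype */

/* Fixed head of a UAC2 clock selector descriptor (layout assumed from the
 * UAC2 spec). baCSourceID[bNrInPins] and two 1-byte tail fields follow. */
struct clk_sel_hdr {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID, bNrInPins;
};

/* 1 only if bLength covers the head, the pin array and the two tail bytes. */
static int clk_sel_valid(const uint8_t *p, size_t avail)
{
    const struct clk_sel_hdr *h = (const void *)p;
    if (avail < sizeof(*h) || h->bLength < sizeof(*h) || h->bLength > avail)
        return 0;
    return h->bLength >= sizeof(*h) + h->bNrInPins + 2;
}

/* Walk the descriptor chain; a malformed selector is skipped, not trusted.
 * The loop stops as soon as the chain itself no longer fits the buffer. */
static const uint8_t *find_clk_sel(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;
    while (len - off >= 2 && buf[off] >= 2 && buf[off] <= len - off) {
        const uint8_t *p = buf + off;
        if (p[1] == CS_INTERFACE && p[0] >= 3 && p[2] == CLOCK_SELECTOR &&
            clk_sel_valid(p, len - off) && p[3] == id)
            return p;
        off += p[0];
    }
    return NULL;
}

/* Constructed sample: bogus (id 7), well-formed (id 7), truncated (id 9). */
static const uint8_t sample[] = {
    5, 0x24, 0x0b, 7, 4,                      /* claims 4 pins in 5 bytes */
    9, 0x24, 0x0b, 7, 2, 0x10, 0x11, 0x03, 0x00,
    6, 0x24, 0x0b, 9, 3, 0x10,                /* needs 10 bytes, has 6 */
};

int main(void)
{
    const uint8_t *d = find_clk_sel(sample, sizeof(sample), 7);
    printf("selector 7 at offset %td\n", d ? d - sample : (ptrdiff_t)-1);
    return 0;
}
```

Without the `bNrInPins + 2` term, the first sample descriptor would pass a plain `sizeof()` check and a reader of its pin array would run past its 5 bytes.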



