ALSA: usb: Fix UBSAN warning in parse_audio_unit()

A malformed USB descriptor may pass the lengthy mixer description with a lot of channels, and this may overflow the 32bit integer shift size, as caught by syzbot UBSAN test. Although this won't cause any real trouble, it's better to address. This patch introduces a sanity check of the number of channels to bail out the parsing when too many channels are found. Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.deSigned-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: usb: Fix UBSAN warning in parse_audio_unit()
A malformed USB descriptor may pass the lengthy mixer description with a lot of channels, and this may overflow the 32bit integer shift size, as caught by syzbot UBSAN test. Although this won't cause any real trouble, it's better to address. This patch introduces a sanity check of the number of channels to bail out the parsing when too many channels are found. Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.deSigned-off-by: Takashi Iwai <tiwai@suse.de>
2f38cf73 · Takashi Iwai · 5fa87a08 · 2f38cf73
Commit 2f38cf73 authored Jul 15, 2024 by Takashi Iwai
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

sound/usb/mixer.c sound/usb/mixer.c +7 -0

No files found.
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2014,6 +2014,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
 		bmaControls = ftr->bmaControls;
 	}

+	if (channels > 32) {
+		usb_audio_info(state->chip,
+			       "usbmixer: too many channels (%d) in unit %d\n",
+			       channels, unitid);
+		return -EINVAL;
+	}
+
 	/* parse the source unit */
 	err = parse_audio_unit(state, hdr->bSourceID);
 	if (err < 0)