Commit 324f3e03 authored Nov 28, 2025 by Junrui Luo Committed by Takashi Iwai Nov 29, 2025

ALSA: dice: fix buffer overflow in detect_stream_formats()



The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.

Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 58579c05 ("ALSA: dice: use extended protocol to detect available stream formats")
Cc: stable@vger.kernel.org
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com


Signed-off-by: Takashi Iwai <tiwai@suse.de>

parent d01a3aad

sound/firewire/dice/dice-extension.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -116,7 +116,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
		break;

		base_offset += EXT_APP_STREAM_ENTRIES;
		stream_count = be32_to_cpu(reg[0]);
		stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
		err = read_stream_entries(dice, section_addr, base_offset,
		stream_count, mode,
		dice->tx_pcm_chs,
		@@ -125,7 +125,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
		break;

		base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
		stream_count = be32_to_cpu(reg[1]);
		stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
		err = read_stream_entries(dice, section_addr, base_offset,
		stream_count,
		mode, dice->rx_pcm_chs,