Commit d832ccbc authored by Takashi Iwai's avatar Takashi Iwai
Browse files

ALSA: usb-audio: Validate UAC3 power domain descriptors, too 



UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.

Fixes: 9a2fe9b8 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Reported-and-tested-by: default avatarYoungjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent e26ad671

sound/usb/validate.c

+12 −0
Original line number Diff line number Diff line
@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(const void *p, 
	return d->bLength >= sizeof(*d) + 4 + 2;

}



static bool validate_uac3_power_domain_unit(const void *p,

					    const struct usb_desc_validator *v)

{

	const struct uac3_power_domain_descriptor *d = p;



	if (d->bLength < sizeof(*d))

		return false;

	/* baEntities[] + wPDomainDescrStr */

	return d->bLength >= sizeof(*d) + d->bNrEntities + 2;

}



static bool validate_midi_out_jack(const void *p,

				   const struct usb_desc_validator *v)

{
@@ -285,6 +296,7 @@ static const struct usb_desc_validator audio_validators[] = { 
	      struct uac3_clock_multiplier_descriptor),

	/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */

	/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */

	FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),

	{ } /* terminator */

};