Commit df1d8abf authored by Takashi Iwai

ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces



The Scarlett2 mixer quirk in the USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by the fuzzer.

To avoid the NULL dereference, just add a sanity check of
bNumEndpoints and skip the invalid interface.

Reported-by: <syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com


Reported-by: <syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de


Signed-off-by: Takashi Iwai <tiwai@suse.de>
parent 542127f6
+2 −0
@@ -8251,6 +8251,8 @@ static int scarlett2_find_fc_interface(struct usb_device *dev,

		if (desc->bInterfaceClass != 255)
			continue;
		if (desc->bNumEndpoints < 1)
			continue;

		epd = get_endpoint(intf->altsetting, 0);
		private->bInterfaceNumber = desc->bInterfaceNumber;
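
Review bot: The new `desc->bNumEndpoints < 1` check only protects the `get_endpoint(intf->altsetting, 0)` call below it if `desc` was read from that same `intf->altsetting`; the assignment is above the visible context, so please confirm it there. The check also establishes only that an endpoint at index 0 exists, not its type or direction, so if the code that consumes `epd` after this hunk expects a specific kind of endpoint (not visible here), validating it with one of the usb_endpoint_* helpers before `private->bInterfaceNumber` is recorded would reject the remaining malformed descriptors as well. A one-line comment on the new `continue` would help too, since the interface is skipped silently and the reason (malformed descriptor with no endpoints) is otherwise only in the commit message.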