summaryrefslogtreecommitdiff
path: root/sound/usb
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2024-07-15 14:35:54 +0200
committerTakashi Iwai <tiwai@suse.de>2024-07-15 16:06:09 +0200
commit2f38cf730caedaeacdefb7ff35b0a3c1168117f9 (patch)
treec7e89afb408dbed7fc07a8f2b0b6be0f20d63198 /sound/usb
parent5fa87a081b2d633b944d5a93f5767623ef2a961d (diff)
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
A malformed USB descriptor may pass the lengthy mixer description with a lot of channels, and this may overflow the 32bit integer shift size, as caught by syzbot UBSAN test. Although this won't cause any real trouble, it's better to address. This patch introduces a sanity check of the number of channels to bail out the parsing when too many channels are found. Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb')
-rw-r--r--sound/usb/mixer.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 409fc1164694..fd6b94b3b638 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2014,6 +2014,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
bmaControls = ftr->bmaControls;
}
+ if (channels > 32) {
+ usb_audio_info(state->chip,
+ "usbmixer: too many channels (%d) in unit %d\n",
+ channels, unitid);
+ return -EINVAL;
+ }
+
/* parse the source unit */
err = parse_audio_unit(state, hdr->bSourceID);
if (err < 0)