Message-ID: <87bjqemr3s.wl-tiwai@suse.de>
Date: Mon, 23 Jun 2025 17:09:59 +0200
From: Takashi Iwai <tiwai@...e.de>
To: Youngjun Lee <yjjuny.lee@...sung.com>
Cc: Jaroslav Kysela <perex@...ex.cz>,
	Takashi Iwai <tiwai@...e.com>,
	linux-sound@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()

On Mon, 23 Jun 2025 13:05:25 +0200,
Youngjun Lee wrote:
> 
> In snd_usb_get_audioformat_uac3(), the length value returned from
> snd_usb_ctl_msg() is used directly for memory allocation without
> validation. This length is controlled by the USB device.
> 
> The allocated buffer is cast to a uac3_cluster_header_descriptor
> and its fields are accessed without verifying that the buffer
> is large enough. If the device returns a smaller than expected
> length, this leads to an out-of-bounds read.
> 
> Add a length check to ensure the buffer is large enough for
> uac3_cluster_header_descriptor.
> 
> Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com>

Applied now.  Thanks.


Takashi
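
The length check described in the quoted commit message, as an added userspace example that is not part of the original message or the kernel patch. The `cluster_hdr` layout, the `cluster_channels()` helper, and the sample bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the cluster header descriptor; this layout is an assumption. */
struct cluster_hdr {
	uint8_t wLength[2];	/* little-endian total length */
	uint8_t bDescriptorType;
	uint8_t bDescriptorSubtype;
	uint8_t wDescriptorID[2];
	uint8_t bNrChannels;
};

/* dev_len is the device-controlled length. Returns bNrChannels or -errno. */
int cluster_channels(const uint8_t *dev, int dev_len)
{
	const struct cluster_hdr *hdr;
	uint8_t *buf;
	int ret;

	if (dev_len < 0)
		return dev_len;	/* transfer error passed through */
	/* The described check: a full header must fit before the cast. */
	if ((size_t)dev_len < sizeof(*hdr))
		return -EINVAL;

	buf = malloc((size_t)dev_len);
	if (!buf)
		return -ENOMEM;
	memcpy(buf, dev, (size_t)dev_len);
	hdr = (const struct cluster_hdr *)buf;
	/* Extra consistency check (an assumption, not stated in the message). */
	if ((hdr->wLength[0] | hdr->wLength[1] << 8) > dev_len)
		ret = -EINVAL;
	else
		ret = hdr->bNrChannels;
	free(buf);
	return ret;
}

int main(void)
{
	/* Constructed descriptor: wLength = 7, two channels. */
	const uint8_t d[] = { 0x07, 0x00, 0x26, 0x01, 0x05, 0x00, 0x02 };
	printf("full=%d short=%d\n", cluster_channels(d, 7), cluster_channels(d, 3));
	return 0;
}
```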
