Message-ID: <20250922231720.3603805-1-listout@listout.xyz>
Date: Tue, 23 Sep 2025 04:47:20 +0530
From: Brahmajit Das <listout@...tout.xyz>
To: syzbot+f02665daa2abeef4a947@...kaller.appspotmail.com
Cc: clemens@...isch.de,
	linux-kernel@...r.kernel.org,
	linux-sound@...r.kernel.org,
	linux-usb@...r.kernel.org,
	perex@...ex.cz,
	syzkaller-bugs@...glegroups.com,
	tiwai@...e.com
Subject: [PATCH 1/1] ALSA: usb-audio: Avoid NULL dereference in snd_usbmidi_do_output()

Syzkaller reported a general protection fault in snd_usbmidi_do_output(),
caused by dereferencing a NULL URB pointer when accessing
ep->urbs[urb_index].urb.

This can happen in rare race conditions where the URB was not initialized
or was already freed (e.g. during disconnect or after errors), and the
output timer or other path tries to reuse it.

Fix this by checking if the URB is NULL before accessing it, and skipping
the current slot if it is.

Reported-by: syzbot+f02665daa2abeef4a947@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947

Signed-off-by: Brahmajit Das <listout@...tout.xyz>
---
 sound/usb/midi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..7919a39decb4 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -307,6 +307,10 @@ static void snd_usbmidi_do_output(struct snd_usb_midi_out_endpoint *ep)
 	for (;;) {
 		if (!(ep->active_urbs & (1 << urb_index))) {
 			urb = ep->urbs[urb_index].urb;
+			if (!urb) {
+				// Skip this urb
+				goto next_urb;
+			}
 			urb->transfer_buffer_length = 0;
 			ep->umidi->usb_protocol_ops->output(ep, urb);
 			if (urb->transfer_buffer_length == 0)
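Review bot: the NULL check added at the top of this hunk only covers the case where ep->urbs[urb_index].urb was never populated, not the "already freed" case the commit message describes; a freed URB leaves a dangling pointer rather than NULL, so `if (!urb)` would not fire and the use-after-free would remain. Please state in the commit message which path writes NULL into ep->urbs[].urb and under which lock, and whether snd_usbmidi_do_output() (from the output timer or elsewhere) can run concurrently with that teardown; if it can, the fix belongs in ordering the teardown (stopping the output path before the URBs are released) rather than in a check at this point. Minor style point: kernel C uses `/* */` comments, so `// Skip this urb` should either become `/* slot has no URB allocated, skip it */` or be dropped, since the branch is self-explanatory.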
@@ -319,6 +323,7 @@ static void snd_usbmidi_do_output(struct snd_usb_midi_out_endpoint *ep)
 				break;
 			ep->active_urbs |= 1 << urb_index;
 		}
+next_urb:
 		if (++urb_index >= OUTPUT_URBS)
 			urb_index = 0;
 		if (urb_index == ep->next_urb)
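Review bot: jumping to next_urb keeps the loop walking the remaining slots, which is safe against spinning because the existing `if (++urb_index >= OUTPUT_URBS)` wrap and `if (urb_index == ep->next_urb)` exit are still reached, but the commit message should say why continuing is preferable to leaving the function: a NULL slot suggests the endpoint's URBs are missing as a whole, so the sibling slots are likely in the same state and the loop will just visit every OUTPUT_URBS entry doing nothing. If the intent is only to avoid the crash, an early `return` at the NULL check expresses that more directly and avoids the label; if a partially populated ep->urbs[] is a real state that must keep working, one sentence explaining when that occurs would help reviewers judge the goto.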
-- 
2.51.0

