Message-Id: <20251014040149.1031348-1-r772577952@gmail.com>
Date: Tue, 14 Oct 2025 12:01:49 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: gregkh@...uxfoundation.org
Cc: broonie@...nel.org,
	cryolitia@...ontech.com,
	linux-kernel@...r.kernel.org,
	linux-sound@...r.kernel.org,
	perex@...ex.cz,
	pierre-louis.bossart@...ux.dev,
	quic_wcheng@...cinc.com,
	r772577952@...il.com,
	syzkaller@...glegroups.com,
	tiwai@...e.com
Subject: [PATCH] ALSA: usb-audio: Fix NULL pointer dereference in try_to_register_card

Hi Greg,

Thanks for the guidance. You're right, the root cause of this issue is
that a USB audio device is created without a proper interface.

To fix this issue, I added a check for the NULL return value in
try_to_register_card() before calling usb_interface_claimed().
I have tested the patch with the reproducer on the latest version (v6.18-rc1),
and the issue was not triggered again.

Please let me know if any changes are needed.

Best regards,
Jiaming Zhang
---

In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().

Reported-by: Jiaming Zhang <r772577952@...il.com>
Signed-off-by: Jiaming Zhang <r772577952@...il.com>
---
 sound/usb/card.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1d5a65eac933..270dad84d825 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -891,10 +891,16 @@ get_alias_quirk(struct usb_device *dev, unsigned int id)
  */
 static int try_to_register_card(struct snd_usb_audio *chip, int ifnum)
 {
+	struct usb_interface *iface;
+
 	if (check_delayed_register_option(chip) == ifnum ||
-	    chip->last_iface == ifnum ||
-	    usb_interface_claimed(usb_ifnum_to_if(chip->dev, chip->last_iface)))
+	    chip->last_iface == ifnum)
+		return snd_card_register(chip->card);
+
+	iface = usb_ifnum_to_if(chip->dev, chip->last_iface);
+	if (iface && usb_interface_claimed(iface))
 		return snd_card_register(chip->card);
+
 	return 0;
 }
 
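Review bot: in the new `if (iface && usb_interface_claimed(iface))` branch, a NULL result from usb_ifnum_to_if() now falls through to `return 0` without any trace, so the card is silently left unregistered whenever chip->last_iface does not resolve to an interface. A one-line comment above the lookup saying why skipping registration is the intended outcome for a device without a matching interface would help, and a debug message on the NULL path would make such malformed devices visible in logs. The trailers carry only Reported-by and Signed-off-by; a Fixes: tag naming the commit that introduced the unchecked usb_interface_claimed() call would let stable trees pick this up. The greeting and testing notes sit above the first `---`, so they would land in the commit message when applied; they belong below the `---` after Signed-off-by.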
-- 
2.34.1

