| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251106235128.8908-1-hdanton@sina.com>
Date: Fri, 7 Nov 2025 07:51:26 +0800
From: Hillf Danton <hdanton@...a.com>
To: Takashi Iwai <tiwai@...e.de>
Cc: Lizhi Xu <lizhi.xu@...driver.com>,
linux-kernel@...r.kernel.org,
linux-sound@...r.kernel.org,
linux-usb@...r.kernel.org,
perex@...ex.cz,
syzbot+bfd77469c8966de076f7@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com,
tiwai@...e.com
Subject: Re: [PATCH] ALSA: usb-audio: Prevent urb from writing out of bounds
On Thu, 06 Nov 2025 17:41:07 +0100 Takashi Iwai wrote:
> OK, then a fix like below would work?
Test Takashi's fix.
#syz test
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1362,6 +1362,11 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
ep->sample_rem = ep->cur_rate % ep->pps;
ep->packsize[0] = ep->cur_rate / ep->pps;
ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
+ if (ep->packsize[1] > ep->maxpacksize) {
+ usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
+ ep->maxpacksize, ep->cur_rate, ep->pps);
+ return -EINVAL;
+ }
/* calculate the frequency in 16.16 format */
ep->freqm = ep->freqn;
--
Powered by blists - more mailing lists