Re: [syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit

From: Edward Adam Davis
Date: Tue Jul 16 2024 - 06:32:25 EST

Next message: Claudiu: "[PATCH v2 09/11] arm64: dts: renesas: rzg3s-smarc-som: Enable RTC"
Previous message: Claudiu: "[PATCH v2 08/11] arm64: dts: renesas: rzg3s-smarc-som: Enable VBATTB clock"
In reply to: syzbot: "Re: [syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit"
Next in thread: syzbot: "Re: [syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

invalid bControlSize and bLength make channels too large

#syz test: upstream a19ea421490d

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 409fc1164694..17081ada6802 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2000,6 +2000,8 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
if (state->mixer->protocol == UAC_VERSION_1) {
csize = hdr->bControlSize;
channels = (hdr->bLength - 7) / csize - 1;
+ if (channels > 32)
+ return -EINVAL;
bmaControls = hdr->bmaControls;
} else if (state->mixer->protocol == UAC_VERSION_2) {
struct uac2_feature_unit_descriptor *ftr = _ftr;

Next message: Claudiu: "[PATCH v2 09/11] arm64: dts: renesas: rzg3s-smarc-som: Enable RTC"
Previous message: Claudiu: "[PATCH v2 08/11] arm64: dts: renesas: rzg3s-smarc-som: Enable VBATTB clock"
In reply to: syzbot: "Re: [syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit"
Next in thread: syzbot: "Re: [syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]