Re: [PATCH] ALSA: usb-audio: Prevent urb from writing out of bounds

Next message: Mark Brown: "Re: [PATCH] ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()"
Previous message: Bill Wendling: "Re: linux-next-20251029 - build error in amdgpu"
In reply to: Takashi Iwai: "Re: [PATCH] ALSA: usb-audio: Prevent urb from writing out of bounds"
Next in thread: syzbot: "Re: [syzbot] [sound?] [usb?] KASAN: slab-out-of-bounds Write in copy_to_urb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Thu Nov 06 2025 - 18:52:19 EST

On Thu, 06 Nov 2025 17:41:07 +0100 Takashi Iwai wrote:
> OK, then a fix like below would work?

Test Takashi's fix.

#syz test

--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1362,6 +1362,11 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
ep->sample_rem = ep->cur_rate % ep->pps;
ep->packsize[0] = ep->cur_rate / ep->pps;
ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
+ if (ep->packsize[1] > ep->maxpacksize) {
+ usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
+ ep->maxpacksize, ep->cur_rate, ep->pps);
+ return -EINVAL;
+ }

/* calculate the frequency in 16.16 format */
ep->freqm = ep->freqn;
--