Re: [PATCH 0/2] ALSA: caiaq: fix S4 OOB read and bound the EP1 input parsers

From: Takashi Iwai

Date: Thu Jun 18 2026 - 06:40:33 EST


On Thu, 18 Jun 2026 08:03:15 +0200,
Maoyi Xie wrote:
>
> Hi Takashi,
>
> Thanks for confirming the Traktor Kontrol S4 out-of-bounds read and for
> the follow-up on the neighbouring parsers.
>
> Patch 1 is the actual fix. snd_usb_caiaq_tks4_dispatch() loops on the raw
> urb->actual_length. That value is controlled by the device and is not
> required to be a multiple of the 16-byte message block. Once len drops
> below 16 the unsigned "len -= TKS4_MSGBLOCK_SIZE" underflows. The loop
> then keeps walking buf past ep4_in_buf[EP4_BUFSIZE]. The fix iterates
> only while a full block remains, which also discards any trailing partial
> block. The X1 and Maschine arms already floor the length before dispatch,
> so only the S4 arm was affected.
>
> Patch 2 adds the length checks you suggested to
> snd_caiaq_input_read_erp() and snd_caiaq_input_read_io(). Both are
> reachable through snd_usb_caiaq_input_dispatch(). As you noted,
> snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch()
> already have the length floored by their callers, so they are left
> unchanged. The two parsers patch 2 touches are not an out-of-bounds
> access either. Every offset is a fixed driver constant within the 64-byte
> ep1_in_buf. A short reply does make them decode stale data, though, so the
> guards drop such replies per device path. Patch 2 carries your
> Suggested-by.
>
> Patch 1 carries a Fixes tag and Cc: stable. Patch 2 does not.
>
> Maoyi Xie (2):
> ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser
> ALSA: caiaq: bound the length in the EP1 input parsers

Applied both patches now. Thanks.


Takashi
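The unsigned underflow that patch 1 describes, modelled as an added example (not the caiaq driver's own code): the loop shape `while (len)` and the EP4_BUFSIZE value of 64 are assumptions, and the "before" model bounds-checks the walk and reports an escape instead of performing the real out-of-bounds read.

```c
#include <limits.h>

#define TKS4_MSGBLOCK_SIZE 16u /* message block size named in the cover letter */
#define EP4_BUFSIZE        64u /* constructed value; the real size is not given */

/* Pre-fix shape (assumed): iterate on the raw, device-controlled length and
 * subtract a whole block each pass. If len is not a multiple of 16 it never
 * reaches zero: "len -= 16" wraps and the walk keeps going. Returns the
 * number of blocks touched, or -1 once the walk would leave ep4_in_buf. */
static int tks4_blocks_before(unsigned int len)
{
    unsigned int off = 0; /* byte offset into ep4_in_buf */
    int blocks = 0;

    while (len) {
        if (off + TKS4_MSGBLOCK_SIZE > EP4_BUFSIZE)
            return -1; /* the real loop would read past the buffer here */
        off += TKS4_MSGBLOCK_SIZE;
        blocks++;
        len -= TKS4_MSGBLOCK_SIZE; /* wraps to ~UINT_MAX when len < 16 */
    }
    return blocks;
}

/* Fixed shape: only run while a full block remains. A trailing partial block
 * is discarded, and off can never exceed the floored length, so no bounds
 * escape is possible for any len <= EP4_BUFSIZE. */
static int tks4_blocks_after(unsigned int len)
{
    unsigned int off = 0;
    int blocks = 0;

    if (len > EP4_BUFSIZE)
        len = EP4_BUFSIZE; /* never trust actual_length beyond the buffer */
    while (len >= TKS4_MSGBLOCK_SIZE) {
        off += TKS4_MSGBLOCK_SIZE;
        blocks++;
        len -= TKS4_MSGBLOCK_SIZE;
    }
    return blocks;
}
```

A length of 20 (one full block plus four stray bytes) drives the old loop off the end of the buffer, while the fixed loop processes one block and stops.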