Re: [PATCH] ALSA: firewire: isight: bound the sample count to the packet payload

From: Takashi Iwai

Date: Thu Jun 25 2026 - 08:03:32 EST


On Sun, 21 Jun 2026 17:09:07 +0200,
Maoyi Xie wrote:
>
> isight_packet() takes the frame count from the device iso packet and
> checks it only against the device claimed iso length.
>
> 	count = be32_to_cpu(payload->sample_count);
> 	if (likely(count <= (length - 16) / 4))
> 		isight_samples(isight, payload->samples, count);
>
> length is the iso header data_length. It can be up to 0xffff. So the
> gate allows a count up to about 16379. isight_samples() then copies
> count frames out of payload->samples into the PCM DMA buffer.
>
> payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The
> device multiplexes two samples per frame. A count past
> MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer
> size writes past runtime->dma_area. The smallest PCM buffer is larger
> than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET
> keeps both the read and the write in range.
>
> A malicious or faulty Apple iSight on the FireWire bus reaches this
> during a normal capture.
>
> Add the MAX_FRAMES_PER_PACKET bound to the gate.
>
> Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver")
> Suggested-by: Takashi Sakamoto <o-takashi@xxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

Thanks, applied now.


Takashi
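
The gate arithmetic from the quoted commit message, as an added user-space model that is not part of the original mail or the kernel source. The value of MAX_FRAMES_PER_PACKET, the helper names and the explicit length guard are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example; the driver defines its own. */
#define MAX_FRAMES_PER_PACKET 475
#define HEADER_BYTES 16 /* the "16" in the quoted gate */

/* Gate as quoted: count is checked only against the device-claimed length.
 * The length guard is added here so the unsigned subtraction cannot wrap. */
static int gate_before(uint32_t length, uint32_t count)
{
	return length >= HEADER_BYTES && count <= (length - HEADER_BYTES) / 4;
}

/* Gate with the added bound: count must also fit the fixed samples[] array. */
static int gate_after(uint32_t length, uint32_t count)
{
	return gate_before(length, count) && count <= MAX_FRAMES_PER_PACKET;
}

/* Largest frame count a gate accepts for a given claimed length. */
static uint32_t max_accepted(int (*gate)(uint32_t, uint32_t), uint32_t length)
{
	uint32_t count, best = 0;

	for (count = 0; count <= 0xffff; count++)
		if (gate(length, count))
			best = count;
	return best;
}

/* Sample values read beyond samples[] (2 per frame) at the largest count. */
static uint32_t values_past_payload(int (*gate)(uint32_t, uint32_t), uint32_t length)
{
	uint32_t frames = max_accepted(gate, length);

	return frames > MAX_FRAMES_PER_PACKET ? 2 * (frames - MAX_FRAMES_PER_PACKET) : 0;
}

int main(void)
{
	uint32_t length = 0xffff; /* largest iso data_length, per the message */

	printf("before: %u frames accepted, %u values past samples[]\n",
	       max_accepted(gate_before, length), values_past_payload(gate_before, length));
	printf("after:  %u frames accepted, %u values past samples[]\n",
	       max_accepted(gate_after, length), values_past_payload(gate_after, length));
	return 0;
}
```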