queue-6.1/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
 From: Takashi Iwai <tiwai@suse.de>
 Date: Thu, 14 Aug 2025 10:12:42 +0200
 Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too

 From: Takashi Iwai <tiwai@suse.de>

 commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.

 UAC3 power domain descriptors need to be verified with its variable
 bLength for avoiding the unexpected OOB accesses by malicious
 firmware, too.

 Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
 Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
 Cc: <stable@vger.kernel.org>
 Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  sound/usb/validate.c |   12 ++++++++++++
  1 file changed, 12 insertions(+)

 --- a/sound/usb/validate.c
 +++ b/sound/usb/validate.c
 @@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
  	return d->bLength >= sizeof(*d) + 4 + 2;
  }

 +static bool validate_uac3_power_domain_unit(const void *p,
 +					    const struct usb_desc_validator *v)
 +{
 +	const struct uac3_power_domain_descriptor *d = p;
 +
 +	if (d->bLength < sizeof(*d))
 +		return false;
 +	/* baEntities[] + wPDomainDescrStr */
 +	return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
 +}
 +
  static bool validate_midi_out_jack(const void *p,
  				   const struct usb_desc_validator *v)
  {
 @@ -285,6 +296,7 @@ static const struct usb_desc_validator a
  	      struct uac3_clock_multiplier_descriptor),
  	/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
  	/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
 +	FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
  	{ } /* terminator */
  };
	From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
	From: Takashi Iwai <tiwai@suse.de>
	Date: Thu, 14 Aug 2025 10:12:42 +0200
	Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too

	From: Takashi Iwai <tiwai@suse.de>

	commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.

	UAC3 power domain descriptors need to be verified with its variable
	bLength for avoiding the unexpected OOB accesses by malicious
	firmware, too.

	Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
	Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
	Cc: <stable@vger.kernel.org>
	Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	sound/usb/validate.c \| 12 ++++++++++++
	1 file changed, 12 insertions(+)

	--- a/sound/usb/validate.c
	+++ b/sound/usb/validate.c
	@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
	return d->bLength >= sizeof(*d) + 4 + 2;
	}

	+static bool validate_uac3_power_domain_unit(const void *p,
	+ const struct usb_desc_validator *v)
	+{
	+ const struct uac3_power_domain_descriptor *d = p;
	+
	+ if (d->bLength < sizeof(*d))
	+ return false;
	+ /* baEntities[] + wPDomainDescrStr */
	+ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
	+}
	+
	static bool validate_midi_out_jack(const void *p,
	const struct usb_desc_validator *v)
	{
	@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
	struct uac3_clock_multiplier_descriptor),
	/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
	/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
	+ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
	{ } /* terminator */
	};