| From d683469b3c93d7e2afd39e6e1970f24700eb7a68 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Mon, 9 Mar 2020 10:59:22 +0100 |
| Subject: ALSA: line6: Fix endless MIDI read loop |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit d683469b3c93d7e2afd39e6e1970f24700eb7a68 upstream. |
| |
| The MIDI input event parser of the LINE6 driver may enter into an |
| endless loop when the unexpected data sequence is given, as it tries |
| to continue the secondary bytes without termination. Also, when the |
| input data is too short, the parser returns a negative error, while |
| the caller doesn't handle it properly. This would lead to the |
| unexpected behavior as well. |
| |
| This patch addresses those issues by checking the return value |
| correctly and handling the one-byte event in the parser properly. |
| |
| The bug was reported by syzkaller. |
| |
| Reported-by: syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com |
| Cc: <stable@vger.kernel.org> |
| Link: https://lore.kernel.org/r/000000000000033087059f8f8fa3@google.com |
| Link: https://lore.kernel.org/r/20200309095922.30269-1-tiwai@suse.de |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/usb/line6/driver.c | 2 +- |
| sound/usb/line6/midibuf.c | 2 +- |
| 2 files changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/sound/usb/line6/driver.c |
| +++ b/sound/usb/line6/driver.c |
| @@ -283,7 +283,7 @@ static void line6_data_received(struct u |
| line6_midibuf_read(mb, line6->buffer_message, |
| LINE6_MESSAGE_MAXLEN); |
| |
| - if (done == 0) |
| + if (done <= 0) |
| break; |
| |
| line6->message_length = done; |
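Review bot: At `if (done <= 0)` a negative return from line6_midibuf_read() now takes the same silent `break` as the "nothing left" case, so a short or malformed input is dropped with no trace. Consider a short comment here saying which negative values the parser can return and why stopping the loop is the right response, and possibly a rate-limited debug message for the negative case. The declaration of `done` is outside this hunk; it is worth confirming it is a signed int, since with an unsigned type `<= 0` would behave exactly like the old `== 0`.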
| --- a/sound/usb/line6/midibuf.c |
| +++ b/sound/usb/line6/midibuf.c |
| @@ -163,7 +163,7 @@ int line6_midibuf_read(struct midi_buffe |
| int midi_length_prev = |
| midibuf_message_length(this->command_prev); |
| |
| - if (midi_length_prev > 0) { |
| + if (midi_length_prev > 1) { |
| midi_length = midi_length_prev - 1; |
| repeat = 1; |
| } else |
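Review bot: The new bound in `if (midi_length_prev > 1)` is an unexplained constant. With the old `> 0` test, a previous command of length 1 produced `midi_length = midi_length_prev - 1`, that is 0, together with `repeat = 1`, which appears to be the non-terminating case the commit message describes. A one-line comment stating that a one-byte previous command has no secondary bytes to continue would make the intent clear to later readers. The body of the `else` branch is cut off in this context, so please confirm that a one-byte previous command is handled correctly on that path.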