In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device.

The allocated buffer is cast to a uac3_cluster_header_descriptor
and its fields are accessed without verifying that the buffer
is large enough. If the device returns a smaller than expected
length, this leads to an out-of-bounds read.

Add a length check to ensure the buffer is large enough for
uac3_cluster_header_descriptor.

Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
---
sound/usb/stream.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index c1ea8844a46fc420ee703b8640580cef851ef4b7..aa91d63749f2ca34e906d1e1366ca9f095ac01ae 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -987,6 +987,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
* and request Cluster Descriptor
*/
wLength = le16_to_cpu(hc_header.wLength);
+ if (wLength < sizeof(cluster))
+ return NULL;
cluster = kzalloc(wLength, GFP_KERNEL);
if (!cluster)
return ERR_PTR(-ENOMEM);
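Review bot: the new check `if (wLength < sizeof(cluster))` compares against the size of the pointer `cluster`, not the descriptor it points to: the next line assigns `cluster = kzalloc(wLength, GFP_KERNEL)`, so `cluster` is a pointer and `sizeof(cluster)` is the pointer width (8 bytes on 64-bit, 4 on 32-bit) rather than the size of struct uac3_cluster_header_descriptor that the commit message says is being guaranteed; on a 32-bit build a device-supplied wLength equal to the pointer width would still pass the check while the struct's trailing fields lie beyond the allocation. Suggest `if (wLength < sizeof(*cluster))`. Separately, the two adjacent failure paths return different things (the new check returns NULL, the allocation failure just below returns ERR_PTR(-ENOMEM)); worth confirming in the caller that NULL is treated as "skip this interface" and not dereferenced, or returning an ERR_PTR for consistency.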
---
base-commit: 86731a2a651e58953fc949573895f2fa6d456841
change-id: 20250623-uac3-oob-fix-78e8d3eb85a7
Best regards,
--
Youngjun Lee <yjjuny.lee@samsung.com>
On Mon, 23 Jun 2025 13:05:25 +0200, Youngjun Lee wrote:
>
> In snd_usb_get_audioformat_uac3(), the length value returned from
> snd_usb_ctl_msg() is used directly for memory allocation without
> validation. This length is controlled by the USB device.
>
> The allocated buffer is cast to a uac3_cluster_header_descriptor
> and its fields are accessed without verifying that the buffer
> is large enough. If the device returns a smaller than expected
> length, this leads to an out-of-bounds read.
>
> Add a length check to ensure the buffer is large enough for
> uac3_cluster_header_descriptor.
>
> Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>

Applied now. Thanks.

Takashi