From: Shipei Qu
To: Jaroslav Kysela, Takashi Iwai
Cc: Shipei Qu, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, DARKNAVY
Subject: [PATCH v2] ALSA: usb-mixer: us16x08: validate meter packet indices
Date: Tue, 16 Dec 2025 14:01:56 +0800
Message-Id: <20251216060156.41320-4-qu@darknavy.com>

Hi,

resending with a properly formatted diff (the previous email had a malformed patch header).
The change itself is the same: while fuzzing a USB gadget that emulates a Tascam US-16x08 we found that get_meter_levels_from_urb() in mixer_us16x08.c uses a channel index taken directly from the 64-byte meter packet to index meter_level[], comp_level[] and master_level[] without any bounds checking. A malformed packet can therefore cause out-of-bounds writes in the snd_us16x08_meter_store.

A malicious USB audio device (or USB gadget implementation) that pretends to be a US-16x08-compatible interface can trigger this by sending crafted meter packets. We have a small USB gadget-based PoC for this behaviour and can share it if that would be helpful.

This driver is used by common distributions (e.g. Ubuntu) when a US-16x08 or compatible USB audio device is present. The same pattern is present in current mainline kernels.

This issue was first reported via security@kernel.org. The kernel security team explained that, in the upstream threat model, USB endpoints are expected to be trusted (i.e. only trusted devices should be bound to drivers), so they consider this a normal bug rather than a security vulnerability, and asked us to send a fix to the development lists.

The patch below adds simple range checks before updating these arrays.

Reported-by: DARKNAVY (@DarkNavyOrg)
Signed-off-by: Shipei Qu
--- sound/usb/mixer_us16x08.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c index 1c5712c31..f9df40730 100644 --- a/sound/usb/mixer_us16x08.c +++ b/sound/usb/mixer_us16x08.c
@@ -655,17 +655,25 @@ static void get_meter_levels_from_urb(int s, u8 *meter_urb) { int val =3D MUC2(meter_urb, s) + (MUC3(meter_urb, s) << 8); + int ch =3D MUB2(meter_urb, s) - 1; + + if (ch < 0) + return; =20 if (MUA0(meter_urb, s) =3D=3D 0x61 && MUA1(meter_urb, s) =3D=3D 0x02 && MUA2(meter_urb, s) =3D=3D 0x04 && MUB0(meter_urb, s) =3D=3D 0x62) { - if (MUC0(meter_urb, s) =3D=3D 0x72) - store->meter_level[MUB2(meter_urb, s) - 1] =3D val; - if (MUC0(meter_urb, s) =3D=3D 0xb2) - store->comp_level[MUB2(meter_urb, s) - 1] =3D val; + if (ch < SND_US16X08_MAX_CHANNELS) { + if (MUC0(meter_urb, s) =3D=3D 0x72) + store->meter_level[ch] =3D val; + if (MUC0(meter_urb, s) =3D=3D 0xb2) + store->comp_level[ch] =3D val; + } } if (MUA0(meter_urb, s) =3D=3D 0x61 && MUA1(meter_urb, s) =3D=3D 0x02 && - MUA2(meter_urb, s) =3D=3D 0x02 && MUB0(meter_urb, s) =3D=3D 0x62) - store->master_level[MUB2(meter_urb, s) - 1] =3D val; + MUA2(meter_urb, s) =3D=3D 0x02 && MUB0(meter_urb, s) =3D=3D 0x62) { + if (ch < ARRAY_SIZE(store->master_level)) + store->master_level[ch] =3D val; + } } =20 /* Function to retrieve current meter values from the device. --=20 2.45.1
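
Review bot: The two bounds checks use different limits: the first branch guards both meter_level[] and comp_level[] with the constant SND_US16X08_MAX_CHANNELS, while the second uses ARRAY_SIZE(store->master_level). Nothing in this hunk shows that the constant matches the declared size of both arrays, so I would use ARRAY_SIZE(store->meter_level) and ARRAY_SIZE(store->comp_level) on the respective stores, which keeps each check tied to the array it protects if a declaration changes later. Separately, "ch < ARRAY_SIZE(store->master_level)" compares a signed int against an unsigned size and is only correct because of the early "if (ch < 0) return;". Declaring ch as unsigned int would let a zero channel byte wrap to a large value that fails the upper-bound check, so the separate negative test (which currently runs before the packet header bytes are even validated) could be dropped.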