From nobody Tue Apr  7 14:04:56 2026
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0FED29B204
	for <linux-kernel@vger.kernel.org>; Thu, 26 Feb 2026 01:08:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.181
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772068112; cv=none;
 b=NrIKzhgiGomQv+EvXmIEQVKjs628f7s+MRNX5i6IQeO2XSX5QwALi8TLsqTJq4Kk5klyH29QtOTH4WJqiCozqVIKOv9ZEwXXJGSB2jmIzZTyWcDqNa1jVcKJRtf1A+/mZbIgL9kzEXBEMaMX9K+wZ1ivkvt1z0lyr6FOQNrTa3E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772068112; c=relaxed/simple;
	bh=MleScNebmr/QZFfWvQ29HJiOauZJpd6IuQ2pFpYsVGI=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=HIJ/KSJ+UH05PLSoql62OQI+DtrMY/u5REqwVbfIKqiqBFKzN4oNnSWZNlQayD5P8eECeK5ZRi20xYf/kjDqTip/UwktHztiqyEMCWuPpmZubjhJ8H55tLUT61gud5IN4IvboJnmajwnDy+fWtsiPEKwODoy+DHICmkv6bmQHeA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=nIHxo6ac; arc=none smtp.client-ip=209.85.210.181
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="nIHxo6ac"
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-824c9da9928so185688b3a.3
        for <linux-kernel@vger.kernel.org>;
 Wed, 25 Feb 2026 17:08:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772068110; x=1772672910;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=DxujHuUWM9SO1xRU6A6jFOae3alKTW9P6VcQ6W3nWNM=;
        b=nIHxo6acgv0WCazzt2jlAXIHVxH206IDO0ynTQJSthc0Y2uhoe9HxCB4OPFsvz52Xi
         Ivx5rBeSe/jbVITXQA30GS3GkJcxWd/DLPp6wPaInv9y8WrKPPJnmmPEkuCHCGCCmbCG
         KHRlwAnRTC3FUsZx2Md+0/F54PUI1VlL7OFaJJJ3f4pIaHe156z7MAWstQm63/yL/9bJ
         bOwBLOLejeXaBC1ZkbaJuufQvlcVIvJ/4NNq3DP4n7u4MMSR5wQb/oGMaEpmo4jwI1f3
         FKUTGGiod75qEDoMxxFK6CfRdq2nCdxtlGg2Tym57VAqZw5ybycO7Kq13LaFq2N+BH7j
         ZPxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772068110; x=1772672910;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=DxujHuUWM9SO1xRU6A6jFOae3alKTW9P6VcQ6W3nWNM=;
        b=IMaReZFKsfLcnTYyVdxprwOGOzuxCDGaNHabTa6dqDwiUzm38wAi8Cn+UzI6V9BbEi
         GLfSfVfJRTO4gOVzekXXF1XJlJDB3YgW1QsPlxsBBCbu5IpOkvZ0/ZRmGOGqTj341zeA
         O9S51rnS3Iy9KkAyJW8ojU7N3zUL3UW8+kOIDEm4ABZerosd7Pp9AkzgYJ1aWjheYkuK
         fTxWejxMYBW/ce9tXW4uyqwK5iWXK6QnYA+ntugPwGHaIjRQEbSa8x66peTM2DM9ZcFq
         NbNyIyXueIWGY6lUPotMOUutEqDcveRfS5Khrfvgu7LpHpjMqQWJ00U4HRQ+2G3zdiKj
         ko1A==
X-Forwarded-Encrypted: i=1;
 AJvYcCVfcDeSqRaSRJCQFNbTHzM+WV1fg+8IrBTj5+oCE+3OgYVIs7cs1YmrZPKvlvY+gLYMWWMoMaLtDAxL6OQ=@vger.kernel.org
X-Gm-Message-State: AOJu0YwWSrATwgmsACAQzd5fbJDMfZhf9X/LhkgiTzc0UmVM+yNkU1Vc
	l4vtlqUv5JvyhaWEMEaDlJftRa/bFIVC90D+z4MgcNebva81pyg1Z82VJXtYfq7y
X-Gm-Gg: ATEYQzwv1ubjVCZVsCsPDYxn9svYeZHNSh2yNd6iwDFOZ2hkE3WsY+y8IrwQ6mMz3PC
	Az81wQURJIqIo3uF56kxfT9h9PkCkytKTO0TuLdZcNYWsw6eEQNwRVk1yt3usakxsz01VLYGvjT
	+DkmWw0q6NJgypti+gYJ4vBZ/MwBFCn6bFBccqlp/Db1BCPxp7h43d+cpHN/QoQM0ooXHH4p2Yu
	7XpQ9zMbpZwrFBvwNjMi7O94Rus8PPYTOK03vF5ryTKCCKF2RcSiYiblz1WSg670KVDS5FPQac+
	v+L45WzKe6VuLcGfgMgyw4TQBqcYwbXASo62hUuOFwcz8Z+aH0m0k/vE01BS1UFBkoL3t28e+nk
	pmAWD333tBdLwdjwp9LL9ZyXgNvl1L1md8OzwFXGlKKWsDgxgK8Y0X3MZMn7mZniO3yMAeY15RC
	HMDbeCjkXc4rI9RhbY2GkOyZY1Yk8Q8NE=
X-Received: by 2002:a05:6a00:2e14:b0:7ff:885f:9c2a with SMTP id
 d2e1a72fcca58-826da8da56bmr16240676b3a.12.1772068110181;
        Wed, 25 Feb 2026 17:08:30 -0800 (PST)
Received: from localhost ([14.52.27.3])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82739d4d880sm507672b3a.7.2026.02.25.17.08.28
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Feb 2026 17:08:29 -0800 (PST)
From: Jun Seo <junwoo93s@gmail.com>
X-Google-Original-From: Jun Seo <jun.seo.93@proton.me>
To: tiwai@suse.com,
	perex@perex.cz
Cc: linux-sound@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org,
	Jun Seo <jun.seo.93@proton.me>
Subject: [PATCH] ALSA: usb-audio: Use correct version for UAC3 header
 validation
Date: Thu, 26 Feb 2026 10:08:20 +0900
Message-ID: <20260226010820.36529-1-jun.seo.93@proton.me>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The entry of the validators table for UAC3 AC header descriptor is
defined with the wrong protocol version UAC_VERSION_2, while it should
have been UAC_VERSION_3.  This results in the validator never matching
for actual UAC3 devices (protocol =3D=3D UAC_VERSION_3), causing their
header descriptors to bypass validation entirely.  A malicious USB
device presenting a truncated UAC3 header could exploit this to cause
out-of-bounds reads when the driver later accesses unvalidated
descriptor fields.

The bug was introduced in the same commit as the recently fixed UAC3
feature unit sub-type typo, and appears to be from the same copy-paste
error when the UAC3 section was created from the UAC2 section.

Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units=
")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jun Seo <jun.seo.93@proton.me>
---
 sound/usb/validate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/validate.c b/sound/usb/validate.c
index 4bb4893f6e74..f62b7cc041dc 100644
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -281,7 +281,7 @@ static const struct usb_desc_validator audio_validators=
[] =3D {
 	/* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
=20
 	/* UAC3 */
-	FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
+	FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
 	FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
 	      struct uac3_input_terminal_descriptor),
 	FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
--=20
2.53.0