From nobody Fri Jun 19 09:07:17 2026 Received: from mail-dy1-f173.google.com (mail-dy1-f173.google.com [74.125.82.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB411314D34 for ; Fri, 24 Apr 2026 21:50:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777067420; cv=none; b=AetoCwyQOTLNU7ls7tffgAl2n6qHHAJ/K8jyjmVSYRGne2F1tQlRaO6ofshAjNuWMhAHBWE2aalOAMnv/4hhB6ry4IdVWoZ5hCH4v/8sLU7o103SuwVWHDzpPiIhrJT3l/pRr7EBm3Y9wxlFYBqrF9tU3n+f8/nQSXfxSCeaCuQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777067420; c=relaxed/simple; bh=sOzXWXjps4JMTmPSEpvaGYrcfzquE0jv7XgocWHMu+o=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=RYNYP/wIcaD7nQ7NmubWovlSrspph9SBDtD6yK44dokfbCamcFrBeoN5MNWNGr/Q9X+RjyyumfTGQDOueoRfZ4+31YO8zACFd8DHRtq+tPs/S8IFEi8fnIjhmMwt4O+rZozdSREIQcwqGynjd13NMsZrL2xCHeqGsEvitREQwMU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=h/frN8ZU; arc=none smtp.client-ip=74.125.82.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="h/frN8ZU" Received: by mail-dy1-f173.google.com with SMTP id 5a478bee46e88-2ba9c484e5eso8792328eec.1 for ; Fri, 24 Apr 2026 14:50:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777067418; x=1777672218; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=K7c5cn3YaWCRG575DFbshGCJWY8c9pDATtWOqeL7XQQ=; b=h/frN8ZUKhdauSPza0lxH0uc96qPoTbHNYWW4VOnuJABqqdIfoxgupMA8cg5m8vUwX uxdc9ftaH8DQ1wQWlm32SBd/kxkB1KL7UUhpz5VLvWAoHIKGxqvesZdLZndALDczozxi 0kmNX1zKzSl7csJEOmGbuWtQ3SwG5Zj5CTmp4NQwaTis1ThEVdJGVwx5ts/ui86SH5o6 aZ+1kbVAf9XnmtEZ1PLOGLhiY75lylTjloPq1pAKNMkA8neleZGpFdk1++jM0eWVtVr1 1pc9LpsMvCFVM3z/YUyrJ6vq49mFkAX/O3BGTiRlj65u2Bdysmd2hPtH6cLewn8HzVPe +e1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777067418; x=1777672218; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=K7c5cn3YaWCRG575DFbshGCJWY8c9pDATtWOqeL7XQQ=; b=e8YVAG8cUBWaPpWsoYZhsUkYQhzQK1W+7jL7fYE9caQtZ8W8yBUqjCwjpZ+ajw9p5J jAh2yBO4PSFv7x+xFfmGtBDX7QBcuzMTG0TPo9ZQX7gcTq9k5hGkWe2/tICBTKi7GY5Z L/sP/Vv0AQSnxsHjzxli+1Sr017awoo6ibDCAYbWfOG432cEnEtO68AyOX1s06C0N8zh CtjfxCawTmsSFA6TlsQruCXjPcMs5ouUR/EaytuvkH2wwvYLFkxqT08q0TPYTpyG2XAM OXOsbC27rmikKFTm300/VOpQkOlMs2voTynLSEv6VHgIqqGpIzeo7Y7dJUZXHX5ZutRg i1NA== X-Forwarded-Encrypted: i=1; AFNElJ+WjmsTKo3XHnzDR4XyY8FdPRfE6C8z3Ebaq9M5/zWcPbLNyuvOqzyFLn6tho6qztTqsl3T7mmXg264cYg=@vger.kernel.org X-Gm-Message-State: AOJu0YywoF4yQUpOhT78h1vfJ4ppFetReq1irLgJj87xF91AAPcZxn4+ o+q++YORgRkBIOFJNXhbD9z3fgSv06ct6E5Gp6eZM5FSrmrQz2VHYf2R X-Gm-Gg: AeBDieu3pTyjskYgoCQR3iWuLJ48xhwoSGjJL0AU2on5edR6vydn3+OpwFXyQs/OHwz Yhj3fM20se5kLmRDFs1oY9VDIlY6KaZkxjJuuRVY5lIFaLFvr+jxJzaeJPwxUHv1e6z7Bqcq/4T U2tLVMXhMO7yxTV7A7GMt8UjZasiNeCumRG3q6Idjhs62oDbDZo4yEOhoznLhBIdHL6p1zzo4pj 93sSNUSnbsyk35LIqOpdcHGg2QCdjJQTxtZox1mk7QU4QSstmFnBilNztXkkSDScGAxyFBCCj7x Tv+3o4RMEsXjTnt82wq/EcoehURYR+w0KprWfeKG51lur3t9wwkvNW3B7/tTnClvkfSCklcm0ce ZjEaaG4J11eqzqZlBIw6E4fNvYZBNbKQ+bklT70gW3kHYc7T3pZmpREAt34/16RxNyHB7hrsepZ HGp7UN7qRCzxZ8RAR+ZYd+N9aj2ltlOHUdack9F4GGxuWF1EOnHP2BDnbmxGVlYPejj5TaY3oh5 77fuiPjaa9Q8e1Z+RLYgpg= X-Received: by 2002:a05:7300:dc88:b0:2be:171c:5048 with SMTP id 5a478bee46e88-2e4646cbd46mr16530489eec.5.1777067417797; Fri, 24 Apr 2026 14:50:17 -0700 (PDT) Received: from [192.168.1.18] (177-4-161-87.user3p.v-tal.net.br. [177.4.161.87]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2e53ac84c38sm34723359eec.13.2026.04.24.14.50.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 Apr 2026 14:50:17 -0700 (PDT) From: =?utf-8?q?C=C3=A1ssio_Gabriel?= Date: Fri, 24 Apr 2026 18:50:10 -0300 Subject: [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com> X-B4-Tracking: v=1; b=H4sIAAAAAAAC/yXMwQ6CMAwA0F8hPdtkbssg/orx0I0KJQTNyoiR8 O9OPb7L20E5Cytcmh0yb6LyWCrOpwbSSMvAKH01WGOD8dYjzUpYNGKh5DDNRVfOqPJm9LFr++C caQNBDZ6Z7/L65dfb31rixGn9jnAcH0X7XLN+AAAA X-Change-ID: 20260424-alsa-usb-uac3-cluster-size-4b87d633076a To: Takashi Iwai , Jaroslav Kysela , Youngjun Lee Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, =?utf-8?q?C=C3=A1ssio_Gabriel?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=1424; i=cassiogabrielcontato@gmail.com; h=from:subject:message-id; bh=sOzXWXjps4JMTmPSEpvaGYrcfzquE0jv7XgocWHMu+o=; b=owGbwMvMwCV2IdZeKur/u2bG02pJDJmvn07LfebX8jLij8IECwmd//zJfzcyFpXeKHIs2xbet 63u9bGvHaUsDGJcDLJiiiyrkxZZ7ul6cLU+boUHzBxWJpAhDFycAjCRvQyMDId3Zmqvd/6j6JUd IcgU7M3HUr3qFPv7o4xTG56/KQ8PYmT47xShG2aw9xp3+yXXt7sXzbv0Qrl0wT2ez9nTDUW2PbA 7xQkA X-Developer-Key: i=cassiogabrielcontato@gmail.com; a=openpgp; fpr=AB62A239BC8AE0D57F5EA848D05D3F1A5AFFEE83 The UAC3 cluster descriptor length check in snd_usb_get_audioformat_uac3()was added to make sure that the buffer is large enough for a struct uac3_cluster_header_descriptor before the returned data is cast and used. However, the check uses sizeof(cluster), where cluster is a pointer, not the size of the descriptor header. This makes the validation depend on the architecture pointer size and does not match the intended object size. Check against sizeof(*cluster) instead. Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_ge= t_audioformat_uac3()") Cc: stable@vger.kernel.org Signed-off-by: C=C3=A1ssio Gabriel --- sound/usb/stream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 2532bf97e05e..6c51226f771b 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -1003,7 +1003,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *ch= ip, * and request Cluster Descriptor */ wLength =3D le16_to_cpu(hc_header.wLength); - if (wLength < sizeof(cluster)) + if (wLength < sizeof(*cluster)) return NULL; cluster =3D kzalloc(wLength, GFP_KERNEL); if (!cluster) --- base-commit: 876c495d412ef67bd4d0bdc4b74b0bd3d9f4e890 change-id: 20260424-alsa-usb-uac3-cluster-size-4b87d633076a Best regards, -- =20 C=C3=A1ssio Gabriel