From: Cássio Gabriel
Date: Thu, 07 May 2026 00:40:51 -0300
Subject: [PATCH 1/2] ALSA: usb-audio: Bound MIDI endpoint descriptor scans
Message-Id: <20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com>
To: Takashi Iwai, Andreas Steinmetz, Clemens Ladisch, Jaroslav Kysela
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, Cássio Gabriel, stable@vger.kernel.org

snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker
can still return a class-specific endpoint descriptor whose bLength
exceeds the remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by
the remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or extends past the remaining
endpoint-extra scan.

Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel
---
 sound/usb/midi.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 0a5b8941ebda..d87e3f357cf7 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1951,15 +1951,17 @@ static struct usb_ms_endpoint_descriptor *find_usb_= ms_endpoint_descriptor( while (extralen > 3) { struct usb_ms_endpoint_descriptor *ms_ep =3D (struct usb_ms_endpoint_descriptor *)extra; + int length =3D ms_ep->bLength; =20 - if (ms_ep->bLength > 3 && + if (!length || length > extralen) + break; + + if (length > 3 && ms_ep->bDescriptorType =3D=3D USB_DT_CS_ENDPOINT && ms_ep->bDescriptorSubtype =3D=3D UAC_MS_GENERAL) return ms_ep; - if (!extra[0]) - break; - extralen -=3D extra[0]; - extra +=3D extra[0]; + extralen -=3D length; + extra +=3D length; } return NULL; } --=20 2.54.0
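
Review bot: the new guard `if (!length || length > extralen)` still accepts a bLength of 1, which is shorter than the two-byte bLength/bDescriptorType header every USB descriptor starts with, so the walk advances by one byte and reinterprets the descriptor's own bDescriptorType as the next bLength. The loop stays in bounds either way, because `extralen > 3` covers the three fields it reads, but `if (length < 2 || length > extralen)` would stop at the first malformed entry instead of continuing over data already known to be bad. A short comment above the guard stating that the returned descriptor is only guaranteed to fit within `extralen`, and that the caller still has to check bLength before indexing baAssocJackID[], would also help the next reader.
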
From: Cássio Gabriel
Date: Thu, 07 May 2026 00:40:52 -0300
Subject: [PATCH 2/2] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
Message-Id: <20260507-usb-midi-endpoint-scan-bounds-v1-2-329d7348160e@gmail.com>
To: Takashi Iwai, Andreas Steinmetz, Clemens Ladisch, Jaroslav Kysela
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, Cássio Gabriel, stable@vger.kernel.org

The USB MIDI 2.0 endpoint parser has the same descriptor walking pattern
as the legacy MIDI parser. It validates bLength against bNumGrpTrmBlock
before reading baAssoGrpTrmBlkID[], but not against the remaining bytes
in the endpoint-extra scan.

A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.

Reject zero-length and overlong descriptors while walking endpoint
extras.

Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel
---
 sound/usb/midi2.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/usb/midi2.c b/sound/usb/midi2.c index 2785600d2312..04aeb9052f13 100644 --- a/sound/usb/midi2.c +++ b/sound/usb/midi2.c @@ -496,15 +496,17 @@ static void *find_usb_ms_endpoint_descriptor(struct u= sb_host_endpoint *hostep, while (extralen > 3) { struct usb_ms_endpoint_descriptor *ms_ep =3D (struct usb_ms_endpoint_descriptor *)extra; + int length =3D ms_ep->bLength; =20 - if (ms_ep->bLength > 3 && + if (!length || length > extralen) + break; + + if (length > 3 && ms_ep->bDescriptorType =3D=3D USB_DT_CS_ENDPOINT && ms_ep->bDescriptorSubtype =3D=3D subtype) return ms_ep; - if (!extra[0]) - break; - extralen -=3D extra[0]; - extra +=3D extra[0]; + extralen -=3D length; + extra +=3D length; } return NULL; } --=20 2.54.0
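
Review bot: the loop body under `while (extralen > 3)` is now the same as the one patch 1/2 puts in sound/usb/midi.c, apart from the final comparison against `subtype` instead of UAC_MS_GENERAL, so the length guard exists in two copies that have to be kept in step. Consider moving the walk into one shared helper that takes the subtype as a parameter, with the midi.c caller passing UAC_MS_GENERAL, so that any later change to `if (!length || length > extralen)` lands in both parsers at once.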