From: Cássio Gabriel
Date: Tue, 19 May 2026 00:32:15 -0300
Subject: [PATCH] ALSA: ua101: Reject too-short USB descriptors
Message-Id: <20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com>
To: Takashi Iwai, Clemens Ladisch, Jaroslav Kysela
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Cássio Gabriel

find_format_descriptor() walks the class-specific interface extras by
advancing with bLength. It rejects descriptors that extend past the
remaining buffer, but it does not reject descriptor lengths smaller
than a USB descriptor header.

Reject too-short descriptors before using bLength to advance the local
scan. This keeps the UA-101 parser robust against malformed descriptor
data and matches the usual USB descriptor walking rules.

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: C=C3=A1ssio Gabriel --- sound/usb/misc/ua101.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/usb/misc/ua101.c b/sound/usb/misc/ua101.c index d129b42eb979..b9a62e94e06c 100644 --- a/sound/usb/misc/ua101.c +++ b/sound/usb/misc/ua101.c @@ -894,8 +894,9 @@ find_format_descriptor(struct usb_interface *interface) struct uac_format_type_i_discrete_descriptor *desc; =20 desc =3D (struct uac_format_type_i_discrete_descriptor *)extra; - if (desc->bLength > extralen) { - dev_err(&interface->dev, "descriptor overflow\n"); + if (desc->bLength < sizeof(struct usb_descriptor_header) || + desc->bLength > extralen) { + dev_err(&interface->dev, "invalid descriptor length\n"); return NULL; } if (desc->bLength =3D=3D UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) && --- base-commit: 7c94f5e77906abd7b9ba81875ae238c802a187cb change-id: 20260429-alsa-ua101-desc-len-7c4708724604 Best regards, -- =20 C=C3=A1ssio Gabriel
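
Review bot: the combined condition in the new `if` logs the same "invalid descriptor length" text for a bLength below sizeof(struct usb_descriptor_header) and for a bLength above extralen, so the log no longer says which check failed; printing desc->bLength and extralen in the dev_err() call, or keeping "descriptor overflow" for the second case, would keep reports from malformed devices diagnosable. Separately, the commit message carries Fixes: and Cc: stable but only says the parser becomes "robust"; it should state what a too-short bLength does to the walk today, for example that a bLength of 0 leaves the scan position unchanged if the loop advances by bLength as described, so that stable maintainers can judge the impact.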