From: Johan Carlsson <johan.carlsson@teenage.engineering> stable inclusion from stable-v5.10.214 commit 5cd466673b34bac369334f66cbe14bb77b7d7827 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q91N CVE: CVE-2024-27436 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ] If a usb audio device sets more bits than the amount of channels it could write outside of the map array. Signed-off-by: Johan Carlsson <johan.carlsson@teenage.engineering> Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Yuan Can <yuancan@huawei.com> --- sound/usb/stream.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index c4f4585f9b85..f51e901a9689 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -301,9 +301,12 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, c = 0; if (bits) { - for (; bits && *maps; maps++, bits >>= 1) + for (; bits && *maps; maps++, bits >>= 1) { if (bits & 1) chmap->map[c++] = *maps; + if (c == chmap->channels) + break; + } } else { /* If we're missing wChannelConfig, then guess something to make sure the channel map is not skipped entirely */ -- 2.17.1