[PATCH OLK-6.6 0/2] *** fix CVE-2026-23208 ***
*** fix CVE-2026-23208 *** Edward Adam Davis (1): ALSA: usb-audio: Prevent excessive number of frames Takashi Iwai (1): ALSA: usb-audio: Use the right limit for PCM OOB check sound/usb/pcm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.43.0
From: Edward Adam Davis <eadavis@qq.com> stable inclusion from stable-v6.18.10 commit 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13764 CVE: CVE-2026-23208 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit ef5749ef8b307bf8717945701b1b79d036af0a15 ] In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333 Reported-by: syzbot+6db0415d6d5c635f72cb@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6db0415d6d5c635f72cb Tested-by: syzbot+6db0415d6d5c635f72cb@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Link: https://patch.msgid.link/tencent_9AECE6CD2C7A826D902D696C289724E8120A@qq.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: sound/usb/pcm.c [Context Conflicts] Signed-off-by: Lin Ruifeng <linruifeng4@huawei.com> --- sound/usb/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index 08bf535ed163..3a4666e3bf27 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -1505,7 +1505,7 @@ static int prepare_playback_urb(struct snd_usb_substream *subs, for (i = 0; i < ctx->packets; i++) { counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, avail); - if (counts < 0) + if (counts < 0 || frames + counts >= ep->max_urb_frames) break; /* set up descriptor */ urb->iso_frame_desc[i].offset = frames * stride; -- 2.43.0
From: Takashi Iwai <tiwai@suse.de> stable inclusion from stable-v6.18.10 commit ecd164120c248c2d1db3ebc54f35443b796efe29 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13764 CVE: CVE-2026-23208 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 70b4db7d258118a7464f039112a74ddb49a95b06 upstream. The recent fix commit for addressing the OOB access of PCM URB data buffer caused a regression on Behringer UMC2020HD device, resulting in choppy sound. The fix used ep->max_urb_frames for the upper limit check, and this is no right value to be referred. Use the actual buffer size (ctx->buffer_size) as the upper limit instead, which also avoids the regression on the device above. Fixes: ef5749ef8b30 ("ALSA: usb-audio: Prevent excessive number of frames") Link: https://bugzilla.kernel.org/show_bug.cgi?id=220997 Link: https://patch.msgid.link/20260121082025.718748-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: sound/usb/pcm.c [Context Conflicts] Signed-off-by: Lin Ruifeng <linruifeng4@huawei.com> --- sound/usb/pcm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index 3a4666e3bf27..5aadd1221f72 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -1505,7 +1505,8 @@ static int prepare_playback_urb(struct snd_usb_substream *subs, for (i = 0; i < ctx->packets; i++) { counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, avail); - if (counts < 0 || frames + counts >= ep->max_urb_frames) + if (counts < 0 || + (frames + counts) * stride > ctx->buffer_size) break; /* set up descriptor */ urb->iso_frame_desc[i].offset = frames * stride; -- 2.43.0
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://atomgit.com/openeuler/kernel/merge_requests/21079 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/FC6... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21079 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/FC6...
participants (2)
-
Lin Ruifeng -
patchwork bot