Skip to content

[fips-8-compliant] Multiple VULNS 2025.10.31 #663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Nov 3, 2025
Merged

[fips-8-compliant] Multiple VULNS 2025.10.31 #663

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
9a0abee
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
PlaidCat Oct 31, 2025
17f8974
Bluetooth: L2CAP: Fix user-after-free
PlaidCat Oct 31, 2025
be9843e
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
PlaidCat Oct 31, 2025
2f9ee34
Bluetooth: L2CAP: Fix use-after-free
PlaidCat Oct 31, 2025
5f174e1
crypto: seqiv - Handle EBUSY correctly
PlaidCat Oct 31, 2025
223a7c8
Bluetooth: Fix potential use-after-free when clear keys
PlaidCat Oct 31, 2025
667626e
net_sched: hfsc: Fix a UAF vulnerability in class handling
PlaidCat Oct 31, 2025
a3251a4
sctp: linearize cloned gso packets in sctp_rcv
PlaidCat Oct 31, 2025
2be65f1
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
PlaidCat Oct 31, 2025
8bc6736
ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
PlaidCat Oct 31, 2025
f7af68d
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
PlaidCat Oct 31, 2025
c8c2886
ALSA: usb-audio: Fix size validation in convert_chmap_v3()
PlaidCat Oct 31, 2025
0b1eeaf
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
PlaidCat Oct 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
ALSA: usb-audio: Validate UAC3 cluster segment descriptors 
jira VULN-152934
jira VULN-152933
cve CVE-2025-39757
commit-author Takashi Iwai <tiwai@suse.de>
commit ecfd411

UAC3 class segment descriptors need to be verified whether their sizes
match with the declared lengths and whether they fit with the
allocated buffer sizes, too.  Otherwise malicious firmware may lead to
the unexpected OOB accesses.

Fixes: 11785ef ("ALSA: usb-audio: Initial Power Domain support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
	Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit ecfd411)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
  • Loading branch information
@PlaidCat
PlaidCat committed Oct 31, 2025
commit f7af68d74e78af0ec157c9d27c367178547b46b4
25 changes: 22 additions & 3 deletions sound/usb/stream.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -336,20 +336,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor

len = le16_to_cpu(cluster->wLength);
c = 0;
p += sizeof(struct uac3_cluster_header_descriptor);
p += sizeof(*cluster);
len -= sizeof(*cluster);

while (((p - (void *)cluster) < len) && (c < channels)) {
while (len > 0 && (c < channels)) {
struct uac3_cluster_segment_descriptor *cs_desc = p;
u16 cs_len;
u8 cs_type;

if (len < sizeof(*p))
break;
cs_len = le16_to_cpu(cs_desc->wLength);
if (len < cs_len)
break;
cs_type = cs_desc->bSegmentType;

if (cs_type == UAC3_CHANNEL_INFORMATION) {
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;

if (cs_len < sizeof(*is))
break;

/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
Expand Down Expand Up @@ -451,6 +459,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
chmap->map[c++] = map;
}
p += cs_len;
len -= cs_len;
}

if (channels < c)
Expand Down Expand Up @@ -871,7 +880,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
u64 badd_formats = 0;
unsigned int num_channels;
struct audioformat *fp;
u16 cluster_id, wLength;
u16 cluster_id, wLength, cluster_wLength;
int clock = 0;
int err;

Expand Down Expand Up @@ -998,6 +1007,16 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
return ERR_PTR(-EIO);
}

cluster_wLength = le16_to_cpu(cluster->wLength);
if (cluster_wLength < sizeof(*cluster) ||
cluster_wLength > wLength) {
dev_err(&dev->dev,
"%u:%d : invalid Cluster Descriptor size\n",
iface_no, altno);
kfree(cluster);
return ERR_PTR(-EIO);
}

num_channels = cluster->bNrChannels;
chmap = convert_chmap_v3(cluster);
kfree(cluster);
Expand Down