ALSA: usb-audio: Validate UAC3 power domain descriptors, too

UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.

Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/usb/validate.c b/sound/usb/validate.c
index 6fe206f6e91105c05b09b190fc1dfe15b51352dc..4f4e8e87a14cd03735369d130a3a1a0bfae61f8e 100644 (file)
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(const void *p,
        return d->bLength >= sizeof(*d) + 4 + 2;
 }
 
+static bool validate_uac3_power_domain_unit(const void *p,
+                                           const struct usb_desc_validator *v)
+{
+       const struct uac3_power_domain_descriptor *d = p;
+
+       if (d->bLength < sizeof(*d))
+               return false;
+       /* baEntities[] + wPDomainDescrStr */
+       return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
+}
+
 static bool validate_midi_out_jack(const void *p,
                                   const struct usb_desc_validator *v)
 {
@@ -285,6 +296,7 @@ static const struct usb_desc_validator audio_validators[] = {
              struct uac3_clock_multiplier_descriptor),
        /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
        /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
+       FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
        { } /* terminator */
 };