From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.14 021/148] ALSA: line6: Fix endless MIDI read loop
Date: Wed, 1 Apr 2020 18:16:53 +0200
Message-Id: <20200401161554.480454901@linuxfoundation.org>
In-Reply-To: <20200401161552.245876366@linuxfoundation.org>

From: Takashi Iwai

commit d683469b3c93d7e2afd39e6e1970f24700eb7a68 upstream.

The MIDI input event parser of the LINE6 driver may enter into an endless loop when the unexpected data sequence is given, as it tries to continue the secondary bytes without termination. Also, when the input data is too short, the parser returns a negative error, while the caller doesn't handle it properly. This would lead to the unexpected behavior as well.

This patch addresses those issues by checking the return value correctly and handling the one-byte event in the parser properly.

The bug was reported by syzkaller.

Reported-by: syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/000000000000033087059f8f8fa3@google.com
Link: https://lore.kernel.org/r/20200309095922.30269-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
--- sound/usb/line6/driver.c | 2 +- sound/usb/line6/midibuf.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -313,7 +313,7 @@ static void line6_data_received(struct u line6_midibuf_read(mb, line6->buffer_message, LINE6_MIDI_MESSAGE_MAXLEN); - if (done == 0) + if (done <= 0) break; line6->message_length = done; 
--- a/sound/usb/line6/midibuf.c +++ b/sound/usb/line6/midibuf.c @@ -163,7 +163,7 @@ int line6_midibuf_read(struct midi_buffe int midi_length_prev = midibuf_message_length(this->command_prev); - if (midi_length_prev > 0) { + if (midi_length_prev > 1) { midi_length = midi_length_prev - 1; repeat = 1; } else
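Review bot: in sound/usb/line6/driver.c, the new "if (done <= 0) break;" in line6_data_received() drops a negative return from line6_midibuf_read() silently, exactly like the "no more data" case. The assignment that follows, "line6->message_length = done;", is only safe when done is positive, so a one-line comment above the check saying that negative values are parser errors and are deliberately treated as end of input would make that dependency explicit. If a malformed stream is worth noticing in the field, a rate-limited debug message on the negative branch would also help triage.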
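Review bot: in sound/usb/line6/midibuf.c, the condition "if (midi_length_prev > 1)" in line6_midibuf_read() leaves the reason for excluding 1 undocumented. From the next line, "midi_length = midi_length_prev - 1;", a previous command of length 1 would give midi_length = 0 with repeat = 1, which is the one-byte event case the commit message ties to the endless loop. Please add a short comment stating that a one-byte previous command has no data bytes to continue, so a later edit does not relax the bound back to "> 0".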