From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72011C43331 for ; Tue, 24 Mar 2020 13:23:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 47F60206F6 for ; Tue, 24 Mar 2020 13:23:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585056201; bh=Zh6Q81xz4S7Uy/uL5Zghtt2qm145iElh7QjBAawbpiU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=cofikDdau5+lEVVWjHml2yW2kRfgi6L9pdilV94IqNHYdjb25NOaRIt5MwR9rR1X6 9nX8YcnOpsHlaW2/4BGoAV5ULcYzoxmgm42xwab87NMj0du5SDbdKdTAZWNHdgyDyf R9ekHL5emdWKJjLJsqtg7Oo5QD1qqebPlKoc17xc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729130AbgCXNXT (ORCPT ); Tue, 24 Mar 2020 09:23:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:46308 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729267AbgCXNXR (ORCPT ); Tue, 24 Mar 2020 09:23:17 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3B9DE206F6; Tue, 24 Mar 2020 13:23:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585056196; bh=Zh6Q81xz4S7Uy/uL5Zghtt2qm145iElh7QjBAawbpiU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2o7DBriDfwwCbjzA/saf2aNRFw6gpX1fW93cYCRwWnQQIK9C1fPQjlxHuamb1kqnI JVHoaUENWMZ+6OvPhv7aiCcAIWNa8aui7pBEVVmduqnQH3cuWYgSrJEI6jwlWblnua aOBAPJXOnEfmQYnaBmRz1r2njIMOymar36w7Jst0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com, Takashi Iwai Subject: [PATCH 5.5 053/119] ALSA: line6: Fix endless MIDI read loop Date: Tue, 24 Mar 2020 14:10:38 +0100 Message-Id: <20200324130813.545459545@linuxfoundation.org> X-Mailer: git-send-email 2.25.2 In-Reply-To: <20200324130808.041360967@linuxfoundation.org> References: <20200324130808.041360967@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit d683469b3c93d7e2afd39e6e1970f24700eb7a68 upstream. The MIDI input event parser of the LINE6 driver may enter into an endless loop when the unexpected data sequence is given, as it tries to continue the secondary bytes without termination. Also, when the input data is too short, the parser returns a negative error, while the caller doesn't handle it properly. This would lead to the unexpected behavior as well. This patch addresses those issues by checking the return value correctly and handling the one-byte event in the parser properly. The bug was reported by syzkaller. Reported-by: syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/000000000000033087059f8f8fa3@google.com Link: https://lore.kernel.org/r/20200309095922.30269-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/line6/driver.c | 2 +- sound/usb/line6/midibuf.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -305,7 +305,7 @@ static void line6_data_received(struct u line6_midibuf_read(mb, line6->buffer_message, LINE6_MIDI_MESSAGE_MAXLEN); - if (done == 0) + if (done <= 0) break; line6->message_length = done; --- a/sound/usb/line6/midibuf.c +++ b/sound/usb/line6/midibuf.c @@ -159,7 +159,7 @@ int line6_midibuf_read(struct midi_buffe int midi_length_prev = midibuf_message_length(this->command_prev); - if (midi_length_prev > 0) { + if (midi_length_prev > 1) { midi_length = midi_length_prev - 1; repeat = 1; } else