Linux Kernel ALSA USB-Audio Excessive Frame Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ALSA USB audio subsystem allows out-of-bounds memory access. The issue arises when audio data is sent with stream parameters whose calculated frame count exceeds the buffer allocated for the USB data transfer. Specifically, it occurs with a maximum packet size of 40, a sample rate of 22050, and a payload size distribution that leads to a calculated frame count exceeding the available buffer. The out-of-bounds access was reported by syzbot and has been addressed by adding a check that prevents the frame count from exceeding the buffer.

Impact

Exploitation of this vulnerability leads to a slab-out-of-bounds memory write, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, configure an ALSA PCM playback stream over USB audio with a maximum packet size of 40. Set the sample rate to 22050 and the packets per second to 1000. Use a payload size distribution that results in a total frame count of 264, exceeding the allocated USB buffer size of 240. This can be done by sending audio data that aligns with these parameters, which will trigger the out-of-bounds memory write.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the official Linux kernel Git repository.
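
The size arithmetic behind the report, and a bound check of the kind the fix describes, as a user-space model added here as an example; it is not the kernel's code or the actual patch. The names are hypothetical, and 6 packets per transfer and 2 bytes per frame are assumptions chosen so the model's totals equal the 240 and 264 quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* MAXPACKSIZE, RATE and PPS are the page's figures. NPACKETS and
 * FRAME_BYTES are assumptions picked so the totals come to 240 and 264. */
#define MAXPACKSIZE 40u
#define RATE        22050u
#define PPS         1000u
#define NPACKETS    6u
#define FRAME_BYTES 2u

/* Frames in the next packet: RATE/PPS with the remainder carried forward,
 * so most packets hold 22 frames and an occasional one holds 23. */
static unsigned next_packet_frames(unsigned *carry)
{
    unsigned total = RATE + *carry;
    *carry = total % PPS;
    return total / PPS;
}

/* Hypothetical helper: lay out NPACKETS packets in a buffer of buf_size
 * bytes. With checked == 0 it returns the bytes the unguarded layout
 * needs. With checked != 0 it stops before any packet that would pass
 * buf_size and returns the bytes actually placed. */
static size_t plan_transfer(size_t buf_size, int checked, unsigned *packets_out)
{
    size_t offset = 0;
    unsigned carry = 0, i;
    for (i = 0; i < NPACKETS; i++) {
        size_t bytes = (size_t)next_packet_frames(&carry) * FRAME_BYTES;
        if (checked && bytes > buf_size - offset)
            break;              /* refuse the packet that would overrun */
        offset += bytes;
    }
    if (packets_out)
        *packets_out = i;
    return offset;
}

int main(void)
{
    size_t buf = (size_t)MAXPACKSIZE * NPACKETS;   /* 240 */
    unsigned n;
    size_t need = plan_transfer(buf, 0, &n);
    printf("unchecked: needs %zu bytes, buffer holds %zu\n", need, buf);
    size_t used = plan_transfer(buf, 1, &n);
    printf("checked: %u packets placed, %zu bytes used\n", n, used);
    return 0;
}
```

In this model each packet needs 44 bytes against a 40-byte maximum packet size, so sizing the buffer as packets times maximum packet size falls short unless every packet is checked against the space that remains.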

Added: Feb 14, 2026, 5:18 PM
Updated: Feb 14, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.