Linux Kernel ALSA USB-Audio Channel Map Function Endless Loop Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ALSA USB-Audio subsystem could lead to an endless loop in the 'convert_chmap_v3()' function. The function advances its loop by 'cs_desc->wLength', a value that is not properly validated, so a malformed descriptor can cause the loop to run indefinitely. The vulnerability affects the Linux kernel stable tree.
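The class of length check whose absence is described above, shown as an added userspace example; it is not the kernel's code or the referenced fix. The 3-byte segment header layout, the name walk_segments() and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical segment header for this example: a 16-bit little-endian
 * length covering the whole segment, followed by a one-byte type. */
#define SEG_HDR_LEN 3

/* Constructed sample buffers (not captured from a real device). */
static const uint8_t good_buf[]     = { 4,0,1,0xAA, 3,0,2, 5,0,1,0xBB,0xCC };
static const uint8_t zero_len_buf[] = { 4,0,1,0xAA, 0,0,1, 3,0,2 };
static const uint8_t overrun_buf[]  = { 4,0,1,0xAA, 9,0,1,0x00 };

/* Walk length-prefixed segments. Returns the number of segments, or -1
 * if any length field is inconsistent with the buffer. */
int walk_segments(const uint8_t *buf, size_t total)
{
    size_t off = 0;
    int count = 0;

    while (off < total) {
        size_t remaining = total - off;
        size_t seg_len;

        if (remaining < SEG_HDR_LEN)
            return -1;      /* truncated header */
        seg_len = (size_t)buf[off] | ((size_t)buf[off + 1] << 8);
        if (seg_len < SEG_HDR_LEN)
            return -1;      /* 0 never advances; 1-2 is shorter than a header */
        if (seg_len > remaining)
            return -1;      /* would step past the end of the buffer */
        off += seg_len;     /* guaranteed forward progress, in bounds */
        count++;
    }
    return count;
}

int main(void)
{
    printf("good:     %d\n", walk_segments(good_buf, sizeof(good_buf)));
    printf("zero len: %d\n", walk_segments(zero_len_buf, sizeof(zero_len_buf)));
    printf("overrun:  %d\n", walk_segments(overrun_buf, sizeof(overrun_buf)));
    return 0;
}
```

Because every accepted length is at least the header size and at most the bytes remaining, the loop terminates after a bounded number of iterations on any input.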

Impact

Exploitation of this vulnerability could cause a denial of service by creating an endless loop, potentially leading to a hang or unresponsiveness in the application or system processing the audio.

Reproduction

The vulnerability can be reproduced by sending a malformed USB audio descriptor that includes an invalid 'wLength' value. This can be done by creating a USB audio device or stream that does not conform to the expected descriptor format, particularly in the UAC3 cluster segment descriptors. Once the malformed descriptor is processed by the 'convert_chmap_v3()' function, the lack of proper length validation will allow the function to enter an infinite loop, effectively causing a denial of service.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is '4e0ee232ebe3df04874125d7c7f3e6c25ea5483d', which is available in the Linux kernel stable tree.

Added: May 28, 2026, 1:22 PM
Updated: May 28, 2026, 1:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 2.9
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.