CVE-2025-40269

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/12/2025
Last modified:
06/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot.

Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations.

This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].
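The check described above can be modelled in user space as follows. This is an added example, not the kernel patch or code from this advisory. It assumes that packsize[0] and packsize[1] are the floor and ceiling of rate / PPS and that the limit is expressed in the same unit; `struct ep_model`, `ep_model_set_params` and `check_params` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical user-space model of an endpoint; not the kernel's struct. */
struct ep_model {
    unsigned int rate;         /* sample rate, frames per second */
    unsigned int pps;          /* packets per second */
    unsigned int maxpacksize;  /* limit from the descriptor, in frames (assumed unit) */
    unsigned int packsize[2];  /* smallest and largest frames per packet */
};

/* Parameter setup: derive the packet sizes from rate and PPS, then refuse
 * a configuration whose largest packet would not fit within the limit. */
int ep_model_set_params(struct ep_model *ep)
{
    if (ep->pps == 0)
        return -EINVAL;
    ep->packsize[0] = ep->rate / ep->pps;                  /* floor (assumed) */
    ep->packsize[1] = (ep->rate + ep->pps - 1) / ep->pps;  /* ceiling (assumed) */
    /* packsize[1] >= packsize[0], so one comparison covers both sizes. */
    if (ep->packsize[1] > ep->maxpacksize)
        return -EINVAL;
    return 0;
}

/* Convenience wrapper: run the setup for one set of values. */
int check_params(unsigned int rate, unsigned int pps, unsigned int maxpacksize)
{
    struct ep_model ep = { .rate = rate, .pps = pps, .maxpacksize = maxpacksize };
    return ep_model_set_params(&ep);
}

int main(void)
{
    /* Constructed sample values, not taken from a real device. */
    printf("44100 Hz, 1000 pps, limit 48:  %d\n", check_params(44100, 1000, 48));
    /* Floor (44) fits the limit but the ceiling (45) does not. */
    printf("44100 Hz, 1000 pps, limit 44:  %d\n", check_params(44100, 1000, 44));
    printf("192000 Hz, 1000 pps, limit 48: %d\n", check_params(192000, 1000, 48));
    return 0;
}
```

The second case shows why the larger of the two sizes is the one to compare: a check against packsize[0] alone would accept a configuration whose bigger packets still exceed the limit.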

Impact