Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type.
Product status
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before d5e80d1f97ae55bcea1426f551e4419245b41b9c
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before 51049f6e3f05d70660e2458ad3bb302a3721b751
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before 91a756d22f0482eac5bedb113c8922f90b254449
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before 27049f50be9f5ae3a62d272128ce0b381cb26a24
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before 31a3eba5c265a763260976674a22851e83128f6d
ac34df733d2dfe3b553897a1e9e1a44414f09834 (git) before 6f5c69f72e50d51be3a8c028ae7eda42c82902cb
5.14
Any version before 5.14
5.15.199 (semver)
6.1.162 (semver)
6.6.122 (semver)
6.12.68 (semver)
6.18.8 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/d5e80d1f97ae55bcea1426f551e4419245b41b9c
git.kernel.org/...c/51049f6e3f05d70660e2458ad3bb302a3721b751
git.kernel.org/...c/91a756d22f0482eac5bedb113c8922f90b254449
git.kernel.org/...c/27049f50be9f5ae3a62d272128ce0b381cb26a24
git.kernel.org/...c/31a3eba5c265a763260976674a22851e83128f6d
git.kernel.org/...c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb