From: Nathan Rebello <nathan.c.rebello@gmail.com>
To: linux-usb@vger.kernel.org
Cc: heikki.krogerus@linux.intel.com, gregkh@linuxfoundation.org,
	Nathan Rebello <nathan.c.rebello@gmail.com>
Subject: [PATCH 0/2] usb: typec: ucsi: fix input validation in UCSI core
Date: Thu, 19 Feb 2026 11:49:22 -0500
Message-ID: <20260219164925.3249-1-nathan.c.rebello@gmail.com>

Two input validation fixes for the UCSI core driver:

Patch 1 adds a bounds check on the connector number in
ucsi_connector_change(). The connector number is extracted from the CCI
register (7-bit field, range 1-127) but is used to index the connector
array without validation. A malicious or malfunctioning PPM could cause
an out-of-bounds access.

Patch 2 clamps the return value of ucsi_run_command() to the caller's
buffer size. The current code returns UCSI_CCI_LENGTH() directly from
the CCI register, which may exceed the buffer provided by the caller,
leading to out-of-bounds reads in callers like ucsi_register_altmodes().

Both issues were found via static analysis and confirmed with
libFuzzer and AddressSanitizer.

Nathan Rebello (2):
  usb: typec: ucsi: validate connector number in ucsi_connector_change()
  usb: typec: ucsi: clamp returned length in ucsi_run_command()

 drivers/usb/typec/ucsi/ucsi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

-- 
2.43.0.windows.1
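
The two checks the cover letter describes, shown as a user-space model. This is an added example, not code from the patch series or the kernel driver. The `model_*` names and structures are hypothetical, and the CCI bit positions (connector number in bits 7:1, data length in bits 15:8) are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed CCI layout: bits 7:1 connector number, bits 15:8 data length. */
#define CCI_CONNECTOR(cci) (((cci) >> 1) & 0x7fu)
#define CCI_LENGTH(cci)    (((cci) >> 8) & 0xffu)

struct model_connector { unsigned int events; };   /* hypothetical */
struct model_ucsi {                                 /* hypothetical */
    struct model_connector *connector;  /* array of num_connectors entries */
    unsigned int num_connectors;        /* count established at init */
};

/* Map the PPM-reported connector number to an array slot, or NULL when it
 * is 0 or larger than the number of connectors actually allocated. */
static struct model_connector *model_lookup(struct model_ucsi *u, uint32_t cci)
{
    unsigned int num = CCI_CONNECTOR(cci);
    if (num == 0 || num > u->num_connectors)
        return NULL;
    return &u->connector[num - 1];
}

/* Copy a response and return the byte count, never more than the caller's
 * buffer (size) or the message area (in_len), whatever length CCI claims. */
static size_t model_read(uint32_t cci, const uint8_t *in, size_t in_len,
                         void *data, size_t size)
{
    size_t len = CCI_LENGTH(cci);
    if (len > size)
        len = size;
    if (len > in_len)
        len = in_len;
    memcpy(data, in, len);
    return len;
}

int main(void)
{
    struct model_connector cons[2] = { {0}, {0} };
    struct model_ucsi u = { cons, 2 };
    uint8_t in[16] = { 0 }, out[4];        /* constructed sample data */
    printf("connector 2:   %s\n", model_lookup(&u, 2u << 1) ? "ok" : "rejected");
    printf("connector 127: %s\n", model_lookup(&u, 127u << 1) ? "ok" : "rejected");
    printf("claimed 255, copied %zu\n", model_read(0xff00u, in, sizeof(in), out, sizeof(out)));
    return 0;
}
```

A caller that iterates over the returned length stays inside its own buffer only because the length is clamped before it is returned, not merely before the copy.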



Thread overview: 10+ messages
2026-02-19 16:49 Nathan Rebello [this message]
2026-02-19 16:49 ` [PATCH 1/2] usb: typec: ucsi: validate connector number in ucsi_connector_change() Nathan Rebello
2026-02-20  6:09   ` Greg KH
2026-02-20  6:34   ` Nathan Rebello
2026-02-20  6:53     ` Greg KH
2026-03-11 13:10   ` Greg KH
2026-03-11 21:49     ` Nathan Rebello
2026-03-12  5:03       ` Greg KH
2026-03-12  5:44         ` Nathan Rebello
2026-02-19 16:49 ` [PATCH 2/2] usb: typec: ucsi: clamp returned length in ucsi_run_command() Nathan Rebello
