From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Heikki Krogerus , stable , Badhri Jagan Sridharan Subject: [PATCH 6.18 108/315] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Date: Sun, 7 Jun 2026 11:58:15 +0200 Message-ID: <20260607095731.614388809@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260607095727.528828913@linuxfoundation.org> References: <20260607095727.528828913@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Greg Kroah-Hartman commit 8fbc349e8383125dd2d8de1c1e926279d398ab17 upstream. Properly validate the count passed from a device when calling svdm_consume_identity() or svdm_consume_identity_sop_prime() as the device-controlled value could index off of the static arrays, which could leak data. Assisted-by: gkh_clanker_t1000 Cc: Heikki Krogerus Cc: stable Reviewed-by: Badhri Jagan Sridharan Link: https://patch.msgid.link/2026051350-plated-salute-0efe@gregkh Signed-off-by: Greg Kroah-Hartman --- drivers/usb/typec/tcpm/tcpm.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -1695,6 +1695,9 @@ static void svdm_consume_identity(struct u32 vdo = p[VDO_INDEX_IDH]; u32 product = p[VDO_INDEX_PRODUCT]; + if (cnt <= VDO_INDEX_PRODUCT) + return; + memset(&port->mode_data, 0, sizeof(port->mode_data)); port->partner_ident.id_header = vdo; @@ -1715,6 +1718,9 @@ static void svdm_consume_identity_sop_pr u32 product = p[VDO_INDEX_PRODUCT]; int svdm_version; + if (cnt <= VDO_INDEX_CABLE_1) + return; + /* * Attempt to consume identity only if cable currently is not set */ 
@@ -1738,7 +1744,7 @@ static void svdm_consume_identity_sop_pr switch (port->negotiated_rev_prime) { case PD_REV30: port->cable_desc.pd_revision = 0x0300; - if (port->cable_desc.active) + if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2) port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2]; break; case PD_REV20:
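Review bot: in the first hunk (svdm_consume_identity), the new `if (cnt <= VDO_INDEX_PRODUCT) return;` sits below the initializers `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];`, so as written the source still loads both slots before cnt is validated. Declare vdo and product without initializers and assign them after the check, so that no read from p[] precedes validation and the fix does not rely on the compiler dropping the unused loads on the early-return path.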
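Review bot: in the second hunk (svdm_consume_identity_sop_prime), `u32 product = p[VDO_INDEX_PRODUCT];` is evaluated before `if (cnt <= VDO_INDEX_CABLE_1) return;`, so the read of p[] comes ahead of the count check; move the load below the check. The bound here is VDO_INDEX_CABLE_1 while svdm_consume_identity uses VDO_INDEX_PRODUCT, and a one-line comment naming the highest index this handler reads unconditionally would make that choice easy to verify. The early return is also silent; a log line for a short Discover Identity ACK would help when diagnosing a misbehaving cable.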
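Review bot: in the third hunk (PD_REV30 case), an active cable whose ACK carries too few VDOs now skips `port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];` without any trace, and nothing in the visible lines puts vdo[1] into a known state on that path. Consider an else branch that clears port->cable_ident.vdo[1] or logs the short response, so that later consumers of the cable identity do not act on a value left over from before, and add a short comment that the second cable VDO is optional here while the first is required by the earlier `cnt <= VDO_INDEX_CABLE_1` check.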