From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C2DC38C437; Tue, 16 Jun 2026 18:43:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781635436; cv=none; b=XEAF+Ew3wFSIUA/Sv102V5nF3433rw0prP81Tw6jY80QjUfYq64+SX22sKD0G9KjsprLi3Xj2gXz0RWyk3FQcUPdTvfd0q+AYG3Ek4v+8PpwVeJ3war5VB9qjaTa3eJ4EiyHej4qqc32z7nWoKELFSmMSTWcMN0pVB9S5yphPH0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781635436; c=relaxed/simple; bh=Zg+feg560EwiPy8KhBtom5vrCMa8R6UfgGGF6+zd6CA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tr5+P9vpy4W80QEl8qe889IMOoZTMWfyrgjiuNGdPTuM6VWCDizh+8FuLXRntFr96p4AMuGtfHEPYILEqohCeCRD7PJpTrXFJQsi1JGz9L94WczYGA3K+VBnoB9B/MuFy563ghGw47/SpPWFqd5WzuQRJPkG+4zzwuwZ07O8FLg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=rl1yFtTA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="rl1yFtTA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 182A91F000E9; Tue, 16 Jun 2026 18:43:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1781635435; bh=eQejk4cxyuVVNztwm67WUvClvjmXJgC9AG68fsoZMyY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=rl1yFtTAXEGXgiGV6fDy5YZD8yq0EaAdwQ+sRr6Az1Dkrfqaovy2nIgSdWCJNL/4h LFkY9atN2guLOF2UVoFQ1SD6zBgKDvvLOZNBVcqSqTvNuriwNKbVwwwWObQ0D8fMhl 81ydQ5aJAxj8L7AOICPYMvdoYUHvzJrSeXLaSesg= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable , Heikki Krogerus Subject: [PATCH 5.10 047/342] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Date: Tue, 16 Jun 2026 20:25:43 +0530 Message-ID: <20260616145050.452043823@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260616145048.348037099@linuxfoundation.org> References: <20260616145048.348037099@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Greg Kroah-Hartman commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream. A broken/malicious device can send the incorrect count for a status update VDO, which will cause the kernel to read uninitialized stack data and send it off elsewhere. Fix this up by correctly verifying the count for the update object. Assisted-by: gkh_clanker_t1000 Cc: stable Reviewed-by: Heikki Krogerus Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh Signed-off-by: Greg Kroah-Hartman --- drivers/usb/typec/altmodes/displayport.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/usb/typec/altmodes/displayport.c +++ b/drivers/usb/typec/altmodes/displayport.c @@ -292,6 +292,8 @@ static int dp_altmode_vdm(struct typec_a } break; case DP_CMD_STATUS_UPDATE: + if (count < 2) + break; dp->data.status = *vdo; ret = dp_altmode_status_update(dp); break;