From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Heikki Krogerus, André Draszik, Badhri Jagan Sridharan, Amit Sunil Dhamne, stable
Subject: [PATCH 6.6 087/452] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
Date: Tue, 16 Jun 2026 20:25:14 +0530
Message-ID: <20260616145122.421406406@linuxfoundation.org>
In-Reply-To: <20260616145117.796205997@linuxfoundation.org>
References: <20260616145117.796205997@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream.

A broken/malicious port can transmit a CRC-valid frame whose header
advertises up to seven data objects but whose body carries fewer than
that.  Check for this, and rightfully reject the message, instead of
reading from uninitialized stack memory.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus
Cc: "André Draszik"
Cc: Badhri Jagan Sridharan
Cc: Amit Sunil Dhamne
Cc: stable
Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/typec/tcpm/tcpci_maxim_core.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
@@ -165,6 +165,15 @@ static void process_rx(struct max_tcpci_ rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET; msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr); rx_buf_ptr = rx_buf_ptr + sizeof(msg.header); + + if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) + + pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) { + max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS); + dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n", + count, pd_header_cnt_le(msg.header)); + return; + } + for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++, rx_buf_ptr += sizeof(msg.payload[0])) msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);
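
Review bot: dev_err() in the new rejection branch fires once for every frame that fails the length check, and the commit message says such frames come from a broken or malicious port, so the port partner controls how often this line is logged; dev_err_ratelimited() would keep a misbehaving partner from flooding the kernel log. Two smaller points on the same hunk: msg.header is read from rx_buf in the context lines above the new check, so the check relies on earlier code having already established that count covers TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header), which is worth confirming or stating in a comment; and pd_header_cnt_le(msg.header) is now evaluated in the check, in the error message and in the loop condition, so a local variable would make the bound being enforced easier to read.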