From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable <stable@kernel.org>
Subject: Re: [PATCH 1/8] usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
Date: Mon, 18 May 2026 13:55:53 +0300
Message-ID: <agrwOYXfdXm6mn00@kuha>
In-Reply-To: <2026051347-clustered-deflected-9543@gregkh>

On Wed, May 13, 2026 at 05:52:48PM +0200, Greg Kroah-Hartman wrote:
> wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
> struct pd_message with
> 
> 	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
> 		regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
> 
> which has two problems:
> 
> USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
> is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
> The byte count latched in RXINFO is the number of bytes the port partner
> put on the wire, so a malicious partner that transmits a 31-byte frame
> can drive the loop one byte past the destination if the WCOVE BMC
> receiver does not enforce the PD object-count limit in hardware. The
> existing FIXME flagged this as unverified.
> 
> Independently, regmap_read() takes an unsigned int * and stores a full
> unsigned int at the destination. Passing the byte pointer msg + i means
> each iteration writes four bytes; the high three are zero (val_bits is
> 8) and are normally overwritten by the next iteration, but the final
> iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
> already writes three zero bytes past msg, which sits on the IRQ thread's
> stack in wcove_typec_irq().
> 
> Clamp the loop to sizeof(struct pd_message) and read each register into
> a local before storing only its low byte, so the copy can never exceed
> the destination regardless of what RXINFO reports.
> 
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> Cc: stable <stable@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

> ---
>  drivers/usb/typec/tcpm/wcove.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/usb/typec/tcpm/wcove.c b/drivers/usb/typec/tcpm/wcove.c
> index 759c982bb16a..0e5a3e277c3e 100644
> --- a/drivers/usb/typec/tcpm/wcove.c
> +++ b/drivers/usb/typec/tcpm/wcove.c
> @@ -444,9 +444,11 @@ static int wcove_start_toggling(struct tcpc_dev *tcpc,
>  	return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
>  }
>  
> -static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
> +static int wcove_read_rx_buffer(struct wcove_typec *wcove,
> +				struct pd_message *msg)
>  {
> -	unsigned int info;
> +	unsigned int info, val, len;
> +	u8 *buf = (u8 *)msg;
>  	int ret;
>  	int i;
>  
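Review bot: the loop counter `i` stays `int` while the new bound `len` is `unsigned int` (and `sizeof(*msg)` is `size_t`), so the `i < len` comparison in the next hunk mixes signedness; declaring `i` as `unsigned int` alongside `len` keeps the types consistent. Narrowing the parameter from `void *` to `struct pd_message *` is a good type-safety gain, but the caller in wcove_typec_irq() is not in this diff; since `void *` accepted any pointer before, it is worth confirming the caller really passes a `struct pd_message *` (the commit message says the struct lives on the IRQ thread's stack) so the new `sizeof(*msg)` clamp matches the actual destination.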
> @@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
>  	if (ret)
>  		return ret;
>  
> -	/* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
> +	len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
>  
> -	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
> -		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
> +	for (i = 0; i < len; i++) {
> +		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
>  		if (ret)
>  			return ret;
> +		buf[i] = val;
>  	}
>  
>  	return regmap_write(wcove->regmap, USBC_RXSTATUS,
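Review bot: the FIXME about cross-checking USBC_RXINFO_RXBYTES(info) against the header is deleted, but the clamp `len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));` does not replace that check: a frame whose byte count exceeds `sizeof(*msg)` is now silently truncated instead of rejected, even though a count above 30 is malformed by definition. Consider returning an error (e.g. -EINVAL) when RXBYTES > sizeof(*msg), or keeping the FIXME until the header/object-count check exists. Also, nothing in this hunk clears the tail of `*msg` when `len < sizeof(*msg)`; if the caller does not pre-zero the struct (not visible here), the unused payload words keep whatever was on the stack. Finally, `buf[i] = val;` quietly discards the upper bytes and is only correct because the regmap is configured with val_bits == 8, as the commit message explains; a one-line comment at that store would save the next reader from rediscovering why.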
> -- 
> 2.54.0

-- 
heikki
