From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Maoyi Xie <maoyixie.tju@gmail.com>
Cc: Benson Leung <bleung@chromium.org>,
	Abhishek Pandit-Subedi <abhishekpandit@chromium.org>,
	Jameson Thies <jthies@google.com>,
	chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: platform/chrome: cros_ec_typec: unbounded PD cap count in cros_typec_register_partner_pdos()
Date: Wed, 24 Jun 2026 08:21:22 +0000
Message-ID: <ajuTgiZvOdbZF8B-@google.com>
In-Reply-To: <CAHPEe=FUvt7-C1UZVntUFR5y7rk+=dSOK96UGqK4wOTKTdYoRg@mail.gmail.com>

On Wed, Jun 24, 2026 at 03:00:48PM +0800, Maoyi Xie wrote:
> > How did you reproduce the overflow?  Was this by modifying the EC firmware
> > to send larger counts, or can this be triggered by a non-compliant USB-C
> > partner device?
> 
> I did not modify the EC firmware and I did not have a real partner. I do
> not have cros_ec hardware. I ran the same copy in a small standalone test,
> a u32 pdo[7] on the stack with a count above 7, and it tripped the stack
> protector. So this is a source review plus that test, not a hardware repro.
> 
> I also cannot confirm that a non-compliant partner can push the count past
> 7. That depends on whether the EC already caps it, which I cannot see. It
> may well need buggy or compromised EC firmware. I assumed the partner path
> in my mail and I should not have stated it so firmly.

FWIW: the ChromeOS EC firmware caps the counts[1].

[1] https://chromium.googlesource.com/chromiumos/platform/ec/+/refs/heads/main/common/usb_pd_host_cmd_common.c#301
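
The check this thread is about, as an added example that is not part of the original mail or of the kernel driver: a count reported by firmware is validated against the 7-entry destination before the copy. The struct layouts, `MAX_PDOS`, `copy_partner_pdos()` and `try_count()` are hypothetical names; only the `pdo[7]` size comes from the mail above.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MAX_PDOS 7 /* size of the pdo[7] destination discussed in the thread */

/* Hypothetical stand-in for a response from the EC (untrusted input). */
struct ec_caps_resp {
    uint8_t  cap_count;            /* reported by firmware, not yet validated */
    uint32_t cap_pdos[MAX_PDOS];
};

/* Hypothetical stand-in for the descriptor the caller keeps on its stack. */
struct caps_desc {
    uint32_t pdo[MAX_PDOS];
};

/*
 * Copy the reported PDOs into desc. Returns the number of PDOs copied,
 * or -EINVAL when the reported count does not fit the destination.
 * Rejecting instead of silently clamping keeps misbehaving firmware visible.
 */
int copy_partner_pdos(struct caps_desc *desc, const struct ec_caps_resp *resp)
{
    size_t count = resp->cap_count;

    if (count > MAX_PDOS)
        return -EINVAL;

    memset(desc, 0, sizeof(*desc));
    memcpy(desc->pdo, resp->cap_pdos, count * sizeof(desc->pdo[0]));
    return (int)count;
}

/* Build a constructed response with the given reported count and copy it. */
int try_count(uint8_t reported)
{
    struct ec_caps_resp resp = { .cap_count = reported };
    struct caps_desc desc;

    for (int i = 0; i < MAX_PDOS; i++)
        resp.cap_pdos[i] = 0x0a000000u + (uint32_t)i; /* constructed values */

    return copy_partner_pdos(&desc, &resp);
}
```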
