Re: [PATCH] platform/chrome: cros_ec_typec: reject out-of-bounds PD cap count

[Benson Leung <bleung@google.com>]

[-- Attachment #1: Type: text/plain, Size: 2261 bytes --]

On Wed, Jun 24, 2026 at 04:39:31PM +0800, Maoyi Xie wrote:
> cros_typec_register_partner_pdos() copies the partner PDOs from the EC
> TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array.
> 
> 	memcpy(caps_desc.pdo, resp->source_cap_pdos,
> 	       sizeof(u32) * resp->source_cap_count);
> 	...
> 	memcpy(caps_desc.pdo, resp->sink_cap_pdos,
> 	       sizeof(u32) * resp->sink_cap_count);
> 
> PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields
> from the EC, and the only check is that they are not both zero. If either
> is larger than 7, the memcpy writes past the end of the array on the stack.
> A count of 255 overflows it by about 1 KB.
> 
> The ChromeOS EC firmware caps these counts today, so a compliant setup
> does not hit this. The kernel should still validate the values from the EC
> rather than trust them.
> 
> Validate the counts in cros_typec_handle_status() right after the
> EC_CMD_TYPEC_STATUS command returns, and return early if either one is
> above PDO_MAX_OBJECTS.
> 
> Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs")
> Suggested-by: Tzung-Bi Shih <tzungbi@kernel.org>
> Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>

Reviewed-by: Benson Leung <bleung@chromium.org>


> ---
>  drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
> index c0806c562bb9..3ae9b35b7d85 100644
> --- a/drivers/platform/chrome/cros_ec_typec.c
> +++ b/drivers/platform/chrome/cros_ec_typec.c
> @@ -1158,6 +1158,12 @@ static void cros_typec_handle_status(struct cros_typec_data *typec, int port_num
>  		return;
>  	}
>  
> +	if (resp.source_cap_count > PDO_MAX_OBJECTS ||
> +	    resp.sink_cap_count > PDO_MAX_OBJECTS) {
> +		dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num);
> +		return;
> +	}
> +
>  	/* If we got a hard reset, unregister everything and return. */
>  	if (resp.events & PD_STATUS_EVENT_HARD_RESET) {
>  		cros_typec_remove_partner(typec, port_num);

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]