[PATCH] thunderbolt: bound the DROM dual link port number before indexing sw->ports

[PATCH] thunderbolt: bound the DROM dual link port number before indexing sw->ports

[Bryam Vargas via B4 Relay]

From: Bryam Vargas <hexlabsecurity@proton.me>

tb_drom_parse_entry_port() validates the device-supplied header->index
against sw->config.max_port_number before indexing sw->ports[], but the
sibling field entry->dual_link_port_nr -- a 6-bit value also read from
the DROM -- indexes the same array with no such check. A malicious or
malformed Thunderbolt device can set dual_link_port_nr beyond the
allocated sw->ports[] (max_port_number + 1 entries), producing an
out-of-bounds tb_port pointer that is stored and later dereferenced.

Reject a port entry whose dual_link_port_nr exceeds max_port_number,
the same bound already applied to header->index.

Fixes: cd22e73bdf5e ("thunderbolt: Read port configuration from eeprom.")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
Reachable only from the device side -- a malicious or malformed DROM, read at
enumeration -- so this hardens against an untrusted Thunderbolt device, not a
remote attacker.

I have no Thunderbolt hardware, so this is by source inspection plus an
out-of-tree KASAN module mirroring the &sw->ports[dual_link_port_nr] indexing:
with dual_link_port_nr = 63 on an 8-port switch the unpatched arithmetic
reports a slab-out-of-bounds read 1864 bytes past the kmalloc'd ports[]
object, while the bound and an in-range control run clean. Reproducer on
request.
---
 drivers/thunderbolt/eeprom.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/eeprom.c b/drivers/thunderbolt/eeprom.c
index 5681c17f82ec..2a13fa6888ba 100644
--- a/drivers/thunderbolt/eeprom.c
+++ b/drivers/thunderbolt/eeprom.c
@@ -394,9 +394,16 @@ static int tb_drom_parse_entry_port(struct tb_switch *sw,
 			return -EIO;
 		}
 		port->link_nr = entry->link_nr;
-		if (entry->has_dual_link_port)
+		if (entry->has_dual_link_port) {
+			if (entry->dual_link_port_nr > sw->config.max_port_number) {
+				tb_sw_warn(sw,
+					"port entry has invalid dual link port number %u\n",
+					entry->dual_link_port_nr);
+				return -EIO;
+			}
 			port->dual_link_port =
 				&port->sw->ports[entry->dual_link_port_nr];
+		}
 	}
 	return 0;
 }

---
base-commit: 502d801f0ab03e4f32f9a33d203154ce84887921
change-id: 20260625-b4-disp-9f8d8a2d-aae0ecad10e7

Best regards,
-- 
Bryam Vargas <hexlabsecurity@proton.me>

Re: [PATCH] thunderbolt: bound the DROM dual link port number before indexing sw->ports

[Mika Westerberg]

Hi,

On Thu, Jun 25, 2026 at 06:54:09AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
> 
> tb_drom_parse_entry_port() validates the device-supplied header->index
> against sw->config.max_port_number before indexing sw->ports[], but the
> sibling field entry->dual_link_port_nr -- a 6-bit value also read from
> the DROM -- indexes the same array with no such check. A malicious or
> malformed Thunderbolt device can set dual_link_port_nr beyond the
> allocated sw->ports[] (max_port_number + 1 entries), producing an
> out-of-bounds tb_port pointer that is stored and later dereferenced.
> 
> Reject a port entry whose dual_link_port_nr exceeds max_port_number,
> the same bound already applied to header->index.
> 
> Fixes: cd22e73bdf5e ("thunderbolt: Read port configuration from eeprom.")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>

Applied to thunderbolt.git/fixes, thanks!