Linux USB
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Badhri Jagan Sridharan <badhri@google.com>
Cc: gregkh@linuxfoundation.org, amitsd@google.com,
	kyletso@google.com, rdbabiera@google.com,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	stable <stable@kernel.org>
Subject: Re: [PATCH v1] usb: typec: tcpm: Validate SVID index in svdm_consume_modes()
Date: Tue, 23 Jun 2026 15:12:07 +0300	[thread overview]
Message-ID: <ajp4F-xwmRnwb8BE@kuha> (raw)
In-Reply-To: <20260622220803.305750-1-badhri@google.com>

On Mon, Jun 22, 2026 at 10:08:03PM +0000, Badhri Jagan Sridharan wrote:
> In svdm_consume_modes(), the SVID value is read from pmdata->svids using
> pmdata->svid_index as an array index without bounds validation:
> 
>     paltmode->svid = pmdata->svids[pmdata->svid_index];
> 
> If pmdata->svid_index is driven beyond SVID_DISCOVERY_MAX (16), it results
> in an out-of-bounds read of the pmdata->svids array. Because pd_mode_data
> is embedded inside struct tcpm_port, indexing past svids reads into
> adjacent fields. In particular:
> - At index 16, it reads the altmodes count.
> - At index 18 and beyond, it reads into altmode_desc[], which contains
>   partner-supplied SVDM Discovery Modes VDOs.
> 
> By injecting a chosen SVID into altmode_desc[0].vdo and driving svid_index
> to 20, the partner can force paltmode->svid to be loaded with an arbitrary,
> partner-chosen SVID, which is then registered via
> typec_partner_register_altmode().
> 
> Fix this by validating that pmdata->svid_index is non-negative and strictly
> less than pmdata->nsvids before accessing the pmdata->svids array inside
> svdm_consume_modes().
> 
> Assisted-by: Antigravity:gemini-3.5-flash
> Fixes: 4ab8c18d4d67 ("usb: typec: Register a device for every mode")
> Cc: stable <stable@kernel.org>
> Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
> Reviewed-by: RD Babiera <rdbabiera@google.com>

Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

> ---
>  drivers/usb/typec/tcpm/tcpm.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 7ef746a90a17..bc531923b1ca 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -2000,6 +2000,11 @@ static void svdm_consume_modes(struct tcpm_port *port, const u32 *p, int cnt,
>  		return;
>  	}
>  
> +	if (pmdata->svid_index < 0 || pmdata->svid_index >= pmdata->nsvids) {
> +		tcpm_log(port, "Invalid SVID index %d", pmdata->svid_index);
> +		return;
> +	}
> +
>  	for (i = 1; i < cnt; i++) {
>  		if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
>  			/* Already logged in svdm_consume_svids() */
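Review bot: bounding against pmdata->nsvids rather than SVID_DISCOVERY_MAX is the tighter check and also rejects stale slots below the array size, but the tcpm_log() line in the new block reports only the index; logging the bound alongside it, e.g. `tcpm_log(port, "Invalid SVID index %d (nsvids %d)", pmdata->svid_index, pmdata->nsvids);`, would let a rejected Discover Modes response be triaged from the tcpm log alone. A one-line comment above the `if` stating that svid_index is driven by partner responses (as the commit message explains) would also stop a future reader from mistaking this for a purely defensive assert and removing it.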
> 
> base-commit: 1c2b66a7d7257d2652aa41f9a860ecb96dde27dd
> -- 
> 2.55.0.rc0.786.g65d90a0328-goog

-- 
heikki
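The commit message above explains the out-of-bounds read as an indexing problem inside an embedded struct: past the end of svids[], the index lands on the altmodes count and then on partner-supplied altmode_desc[] entries. The following is an added example (not code from the kernel, the patch, or either poster) that models that layout with a simplified struct whose field order follows the commit message's description, names the field a given svids[] index would alias using only offsetof() and sizeof() (no out-of-bounds access is performed), and applies the same bounds check the patch adds. The struct, the ALTMODE_DISCOVERY_MAX value and the sample SVIDs are constructed for the model and are not the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the layout the commit message describes (added example,
 * NOT the kernel's struct pd_mode_data). Field order follows the message:
 * svids[] is followed by the altmodes count and then by altmode_desc[]. */
#define SVID_DISCOVERY_MAX    16
#define ALTMODE_DISCOVERY_MAX 32   /* assumed value for this model only */

struct model_altmode_desc {
	uint16_t svid;
	uint32_t vdo;            /* partner-supplied Discover Modes VDO */
};

struct model_mode_data {
	int svid_index;          /* current SVID index, advanced per response */
	int nsvids;              /* number of SVIDs actually discovered */
	uint16_t svids[SVID_DISCOVERY_MAX];
	int altmodes;            /* number of alternate modes */
	struct model_altmode_desc altmode_desc[ALTMODE_DISCOVERY_MAX];
};

/* Name the field that svids[index] would alias for this model. Computed from
 * offsetof() and sizeof() only, so nothing is read out of bounds. */
const char *svid_slot_field(int index)
{
	size_t off;

	if (index < 0)
		return "before svids";
	if (index < SVID_DISCOVERY_MAX)
		return "svids";

	off = offsetof(struct model_mode_data, svids) +
	      (size_t)index * sizeof(uint16_t);
	if (off < offsetof(struct model_mode_data, altmodes))
		return "padding";
	if (off < offsetof(struct model_mode_data, altmodes) + sizeof(int))
		return "altmodes";
	if (off < sizeof(struct model_mode_data))
		return "altmode_desc";
	return "past end of struct";
}

/* Hardened accessor with the same condition the patch adds: reject an index
 * that is negative or not strictly below nsvids. Returns 0 and stores the
 * SVID on success, -1 on an invalid index (svid_out is left untouched). */
int consume_svid(const struct model_mode_data *pmdata, uint16_t *svid_out)
{
	if (pmdata->svid_index < 0 || pmdata->svid_index >= pmdata->nsvids)
		return -1;
	*svid_out = pmdata->svids[pmdata->svid_index];
	return 0;
}

/* Constructed scenario: three discovered SVIDs, a partner VDO parked in
 * altmode_desc[0], and svid_index driven to 20 as in the commit message.
 * Returns 1 when the hardened accessor rejects the index and leaves the
 * output unchanged, 0 otherwise. */
int scenario_rejects_driven_index(void)
{
	struct model_mode_data d;
	uint16_t svid = 0;

	memset(&d, 0, sizeof(d));
	d.nsvids = 3;
	d.svids[0] = 0x1234;               /* constructed sample SVIDs */
	d.svids[1] = 0x2345;
	d.svids[2] = 0x3456;
	d.altmode_desc[0].vdo = 0xabcdu;   /* constructed partner VDO */
	d.svid_index = 20;

	return consume_svid(&d, &svid) == -1 && svid == 0;
}

int main(void)
{
	int idx[] = { 0, 15, 16, 18, 20 };
	size_t i;

	for (i = 0; i < sizeof(idx) / sizeof(idx[0]); i++)
		printf("svids[%d] aliases: %s\n", idx[i], svid_slot_field(idx[i]));
	printf("index 20 rejected: %s\n",
	       scenario_rejects_driven_index() ? "yes" : "no");
	return 0;
}
```

With two leading ints before the u16 array, the model reproduces the commit message's arithmetic: index 16 and 17 fall on the 4-byte altmodes count and index 18 onward falls inside altmode_desc[], which is why a partner that can steer svid_index to 20 while supplying its own VDOs selects which value becomes the registered SVID. The accessor rejects such an index before the array is touched, exactly as the patch does in svdm_consume_modes().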
