* [PATCH v1] usb: typec: tcpm: Validate SVID index in svdm_consume_modes()
@ 2026-06-22 22:08 Badhri Jagan Sridharan
2026-06-23 12:12 ` Heikki Krogerus
From: Badhri Jagan Sridharan @ 2026-06-22 22:08 UTC
To: heikki.krogerus, gregkh, badhri
Cc: amitsd, kyletso, rdbabiera, linux-kernel, linux-usb, stable

In svdm_consume_modes(), the SVID value is read from pmdata->svids using
pmdata->svid_index as an array index without bounds validation:

    paltmode->svid = pmdata->svids[pmdata->svid_index];

If pmdata->svid_index is driven beyond SVID_DISCOVERY_MAX (16), it results
in an out-of-bounds read of the pmdata->svids array. Because pd_mode_data
is embedded inside struct tcpm_port, indexing past svids reads into
adjacent fields. In particular:

- At index 16, it reads the altmodes count.
- At index 18 and beyond, it reads into altmode_desc[], which contains
  partner-supplied SVDM Discovery Modes VDOs.

By injecting a chosen SVID into altmode_desc[0].vdo and driving svid_index
to 20, the partner can force paltmode->svid to be loaded with an arbitrary,
partner-chosen SVID, which is then registered via
typec_partner_register_altmode().

Fix this by validating that pmdata->svid_index is non-negative and strictly
less than pmdata->nsvids before accessing the pmdata->svids array inside
svdm_consume_modes().

Assisted-by: Antigravity:gemini-3.5-flash
Fixes: 4ab8c18d4d67 ("usb: typec: Register a device for every mode")
Cc: stable <stable@kernel.org>
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: RD Babiera <rdbabiera@google.com>
---
drivers/usb/typec/tcpm/tcpm.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 7ef746a90a17..bc531923b1ca 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2000,6 +2000,11 @@ static void svdm_consume_modes(struct tcpm_port *port, const u32 *p, int cnt,
return;
}
+ if (pmdata->svid_index < 0 || pmdata->svid_index >= pmdata->nsvids) {
+ tcpm_log(port, "Invalid SVID index %d", pmdata->svid_index);
+ return;
+ }
+
for (i = 1; i < cnt; i++) {
if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
/* Already logged in svdm_consume_svids() */
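Review bot: the new bound makes pmdata->nsvids the effective upper limit, but nothing in this hunk shows that nsvids itself is kept at or below SVID_DISCOVERY_MAX (the size of pmdata->svids, per the commit message), so the check is only as strong as whatever fills svids[] elsewhere; a one-line comment stating that invariant here, or a belt-and-braces `pmdata->svid_index >= SVID_DISCOVERY_MAX` in the same condition, would let the read be judged safe from this function alone. The `pmdata->svid_index < 0` half also presumes the field is signed; if it is unsigned the comparison is always false and the compiler will warn about it.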
base-commit: 1c2b66a7d7257d2652aa41f9a860ecb96dde27dd
--
2.55.0.rc0.786.g65d90a0328-goog
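As an added illustration (this is example code written for this page, not part of the patch and not the kernel's source), the C program below models the out-of-bounds read the commit message describes and puts the pre-patch and post-patch reads side by side. The structs `mode_data` and `altmode_desc` are simplified stand-ins whose field order and types are an assumption, chosen so that with 4-byte `int` and natural alignment `svids[16]` aliases `altmodes` and `svids[20]` aliases `altmode_desc[0].vdo`, the indices the commit message cites; the real `struct pd_mode_data` and `struct typec_altmode_desc` may differ. The helper names (`field_at_index`, `vdo_alias_index`, `read_svid_unchecked`, `read_svid_checked`, `sample_*`) and the sample SVID/VDO values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVID_DISCOVERY_MAX    16
#define ALTMODE_DISCOVERY_MAX 4

/* Stand-in for struct typec_altmode_desc (assumed shape, not the kernel's). */
struct altmode_desc {
	uint16_t svid;
	uint8_t  mode;
	uint32_t vdo;   /* Discover Modes VDO as sent by the partner */
};

/* Stand-in for struct pd_mode_data (assumed layout): with 4-byte int and natural
 * alignment, svids[16] aliases altmodes and svids[20] aliases altmode_desc[0].vdo. */
struct mode_data {
	int svid_index;
	int nsvids;
	uint16_t svids[SVID_DISCOVERY_MAX];
	int altmodes;
	struct altmode_desc altmode_desc[ALTMODE_DISCOVERY_MAX];
};

enum field { F_SVIDS, F_ALTMODES, F_ALTMODE_DESC, F_OTHER, F_OUTSIDE };

/* Byte offset inside struct mode_data that svids[index] would touch. */
static long svid_off(int index) { return (long)offsetof(struct mode_data, svids) + 2L * index; }

/* Which field an unchecked svids[index] actually reads. */
enum field field_at_index(int index)
{
	long off = svid_off(index), alt = (long)offsetof(struct mode_data, altmodes);
	if (off < 0 || off + 2 > (long)sizeof(struct mode_data))
		return F_OUTSIDE;
	if (index >= 0 && index < SVID_DISCOVERY_MAX)
		return F_SVIDS;
	if (off >= alt && off < alt + (long)sizeof(int))
		return F_ALTMODES;
	return off >= (long)offsetof(struct mode_data, altmode_desc) ? F_ALTMODE_DESC : F_OTHER;
}

/* The svids[] index whose unchecked read lands on altmode_desc[0].vdo. */
int vdo_alias_index(void)
{
	return (int)(((long)offsetof(struct mode_data, altmode_desc) +
		      (long)offsetof(struct altmode_desc, vdo) - svid_off(0)) / 2);
}

/* Pre-patch: the index is trusted. Emulated through a byte view so this program
 * stays well-defined C; the kernel indexed the array directly. */
bool read_svid_unchecked(const struct mode_data *md, int index, uint16_t *out)
{
	if (field_at_index(index) == F_OUTSIDE)
		return false;   /* the emulation stops where the struct ends */
	memcpy(out, (const unsigned char *)md + svid_off(index), sizeof(*out));
	return true;
}

/* Post-patch: reject anything outside [0, nsvids). Relies on nsvids never
 * exceeding SVID_DISCOVERY_MAX when svids[] is filled. */
bool read_svid_checked(const struct mode_data *md, uint16_t *out)
{
	if (md->svid_index < 0 || md->svid_index >= md->nsvids)
		return false;   /* kernel: tcpm_log(...); return; */
	*out = md->svids[md->svid_index];
	return true;
}

/* Constructed sample; vdo 0x12341234 reads as 0x1234 in either half on any endianness. */
static const struct mode_data sample = {
	.nsvids = 2, .svids = { 0x8087, 0xff01 }, .altmodes = 1,
	.altmode_desc = { { .svid = 0xff01, .mode = 1, .vdo = 0x12341234 } },
};

/* Unchecked read of svids[index] on the sample, or -1 if outside the struct. */
int sample_unchecked_value(int index)
{
	uint16_t v;
	return read_svid_unchecked(&sample, index, &v) ? (int)v : -1;
}

/* Checked read with svid_index = index on the sample, or -1 if rejected. */
int sample_checked_value(int index)
{
	struct mode_data md = sample;
	uint16_t v;
	md.svid_index = index;
	return read_svid_checked(&md, &v) ? (int)v : -1;
}

int main(void)
{
	int idx = vdo_alias_index();
	printf("svids[16] aliases field %d (%d = altmodes)\n", field_at_index(16), F_ALTMODES);
	printf("unchecked svids[%d] -> 0x%04x, checked -> %d (rejected), svids[1] -> 0x%04x\n",
	       idx, sample_unchecked_value(idx), sample_checked_value(idx), sample_checked_value(1));
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run. The unchecked path is deliberately emulated with `memcpy` over a byte view rather than the plain `svids[index]` the driver used, because the real out-of-bounds index is undefined behaviour that a sanitizer build would trap on before showing anything; the aliasing arithmetic is the same either way. Note that `read_svid_checked` mirrors the patch exactly, so it inherits the same dependency: the bound is correct only while `nsvids` is never allowed to exceed `SVID_DISCOVERY_MAX` wherever `svids[]` is populated.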
* Re: [PATCH v1] usb: typec: tcpm: Validate SVID index in svdm_consume_modes()
2026-06-22 22:08 [PATCH v1] usb: typec: tcpm: Validate SVID index in svdm_consume_modes() Badhri Jagan Sridharan
@ 2026-06-23 12:12 ` Heikki Krogerus
From: Heikki Krogerus @ 2026-06-23 12:12 UTC
To: Badhri Jagan Sridharan
Cc: gregkh, amitsd, kyletso, rdbabiera, linux-kernel, linux-usb,
stable
On Mon, Jun 22, 2026 at 10:08:03PM +0000, Badhri Jagan Sridharan wrote:
> In svdm_consume_modes(), the SVID value is read from pmdata->svids using
> pmdata->svid_index as an array index without bounds validation:
>
> paltmode->svid = pmdata->svids[pmdata->svid_index];
>
> If pmdata->svid_index is driven beyond SVID_DISCOVERY_MAX (16), it results
> in an out-of-bounds read of the pmdata->svids array. Because pd_mode_data
> is embedded inside struct tcpm_port, indexing past svids reads into
> adjacent fields. In particular:
> - At index 16, it reads the altmodes count.
> - At index 18 and beyond, it reads into altmode_desc[], which contains
> partner-supplied SVDM Discovery Modes VDOs.
>
> By injecting a chosen SVID into altmode_desc[0].vdo and driving svid_index
> to 20, the partner can force paltmode->svid to be loaded with an arbitrary,
> partner-chosen SVID, which is then registered via
> typec_partner_register_altmode().
>
> Fix this by validating that pmdata->svid_index is non-negative and strictly
> less than pmdata->nsvids before accessing the pmdata->svids array inside
> svdm_consume_modes().
>
> Assisted-by: Antigravity:gemini-3.5-flash
> Fixes: 4ab8c18d4d67 ("usb: typec: Register a device for every mode")
> Cc: stable <stable@kernel.org>
> Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
> Reviewed-by: RD Babiera <rdbabiera@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> drivers/usb/typec/tcpm/tcpm.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 7ef746a90a17..bc531923b1ca 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -2000,6 +2000,11 @@ static void svdm_consume_modes(struct tcpm_port *port, const u32 *p, int cnt,
> return;
> }
>
> + if (pmdata->svid_index < 0 || pmdata->svid_index >= pmdata->nsvids) {
> + tcpm_log(port, "Invalid SVID index %d", pmdata->svid_index);
> + return;
> + }
> +
> for (i = 1; i < cnt; i++) {
> if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
> /* Already logged in svdm_consume_svids() */
>
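Review bot: the tcpm_log() in the new check reports only the offending index; logging pmdata->nsvids alongside it, e.g. `"Invalid SVID index %d (nsvids %d)"`, would distinguish a negative index from an overshoot past the discovered count without needing the rest of the trace.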
> base-commit: 1c2b66a7d7257d2652aa41f9a860ecb96dde27dd
> --
> 2.55.0.rc0.786.g65d90a0328-goog
--
heikki