* [PATCH] platform/chrome: cros_ec_typec: reject out-of-bounds PD cap count
From: Maoyi Xie @ 2026-06-24 8:39 UTC (permalink / raw)
To: Benson Leung, Tzung-Bi Shih
Cc: Abhishek Pandit-Subedi, Jameson Thies, Andrei Kuchynski,
Guenter Roeck, Kaixuan Li, chrome-platform, linux-kernel

cros_typec_register_partner_pdos() copies the partner PDOs from the EC
TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array.

    memcpy(caps_desc.pdo, resp->source_cap_pdos,
           sizeof(u32) * resp->source_cap_count);
    ...
    memcpy(caps_desc.pdo, resp->sink_cap_pdos,
           sizeof(u32) * resp->sink_cap_count);

PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields
from the EC, and the only check is that they are not both zero. If either
is larger than 7, the memcpy writes past the end of the array on the stack.
A count of 255 overflows it by about 1 KB.

The ChromeOS EC firmware caps these counts today, so a compliant setup
does not hit this. The kernel should still validate the values from the EC
rather than trust them.

Validate the counts in cros_typec_handle_status() right after the
EC_CMD_TYPEC_STATUS command returns, and return early if either one is
above PDO_MAX_OBJECTS.

Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs")
Suggested-by: Tzung-Bi Shih <tzungbi@kernel.org>
Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
index c0806c562bb9..3ae9b35b7d85 100644
--- a/drivers/platform/chrome/cros_ec_typec.c
+++ b/drivers/platform/chrome/cros_ec_typec.c
@@ -1158,6 +1158,12 @@ static void cros_typec_handle_status(struct cros_typec_data *typec, int port_num
return;
}
+ if (resp.source_cap_count > PDO_MAX_OBJECTS ||
+ resp.sink_cap_count > PDO_MAX_OBJECTS) {
+ dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num);
+ return;
+ }
+
/* If we got a hard reset, unregister everything and return. */
if (resp.events & PD_STATUS_EVENT_HARD_RESET) {
cros_typec_remove_partner(typec, port_num);
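Review bot: The early `return` sits above the hard-reset branch shown in the trailing context, so a status response that carries both an oversized count and PD_STATUS_EVENT_HARD_RESET now skips cros_typec_remove_partner() along with the rest of the handler. Only the PDO copy needs the bound; consider rejecting the counts where the PDOs are registered, or moving this check below the event handling, so the remaining status fields are still processed.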
* Re: [PATCH] platform/chrome: cros_ec_typec: reject out-of-bounds PD cap count
From: Andrei Kuchynski @ 2026-06-24 12:45 UTC (permalink / raw)
To: Maoyi Xie
Cc: Benson Leung, Tzung-Bi Shih, Abhishek Pandit-Subedi,
Jameson Thies, Guenter Roeck, Kaixuan Li, chrome-platform,
linux-kernel
On Wed, Jun 24, 2026 at 10:39 AM Maoyi Xie <maoyixie.tju@gmail.com> wrote:
>
> cros_typec_register_partner_pdos() copies the partner PDOs from the EC
> TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array.
>
> memcpy(caps_desc.pdo, resp->source_cap_pdos,
> sizeof(u32) * resp->source_cap_count);
> ...
> memcpy(caps_desc.pdo, resp->sink_cap_pdos,
> sizeof(u32) * resp->sink_cap_count);
>
> PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields
> from the EC, and the only check is that they are not both zero. If either
> is larger than 7, the memcpy writes past the end of the array on the stack.
> A count of 255 overflows it by about 1 KB.
>
> The ChromeOS EC firmware caps these counts today, so a compliant setup
> does not hit this. The kernel should still validate the values from the EC
> rather than trust them.
>
> Validate the counts in cros_typec_handle_status() right after the
> EC_CMD_TYPEC_STATUS command returns, and return early if either one is
> above PDO_MAX_OBJECTS.
>
> Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs")
> Suggested-by: Tzung-Bi Shih <tzungbi@kernel.org>
> Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
> ---
> drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
> index c0806c562bb9..3ae9b35b7d85 100644
> --- a/drivers/platform/chrome/cros_ec_typec.c
> +++ b/drivers/platform/chrome/cros_ec_typec.c
> @@ -1158,6 +1158,12 @@ static void cros_typec_handle_status(struct cros_typec_data *typec, int port_num
> return;
> }
>
> + if (resp.source_cap_count > PDO_MAX_OBJECTS ||
> + resp.sink_cap_count > PDO_MAX_OBJECTS) {
> + dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num);
> + return;
> + }
> +
Hi Maoyi,
Thanks for the patch.
Are we only rejecting `out-of-bounds PD cap count` here?
> /* If we got a hard reset, unregister everything and return. */
> if (resp.events & PD_STATUS_EVENT_HARD_RESET) {
> cros_typec_remove_partner(typec, port_num);
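Review bot: The dev_warn() text reports only the port, not which of source_cap_count or sink_cap_count was out of range or what value the EC sent. Printing both counts alongside PDO_MAX_OBJECTS would make a misbehaving EC diagnosable from the log alone.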
Thanks,
Andrei
* Re: [PATCH] platform/chrome: cros_ec_typec: reject out-of-bounds PD cap count
From: Benson Leung @ 2026-06-24 18:23 UTC (permalink / raw)
To: Maoyi Xie
Cc: Benson Leung, Tzung-Bi Shih, Abhishek Pandit-Subedi,
Jameson Thies, Andrei Kuchynski, Guenter Roeck, Kaixuan Li,
chrome-platform, linux-kernel
On Wed, Jun 24, 2026 at 04:39:31PM +0800, Maoyi Xie wrote:
> cros_typec_register_partner_pdos() copies the partner PDOs from the EC
> TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array.
>
> memcpy(caps_desc.pdo, resp->source_cap_pdos,
> sizeof(u32) * resp->source_cap_count);
> ...
> memcpy(caps_desc.pdo, resp->sink_cap_pdos,
> sizeof(u32) * resp->sink_cap_count);
>
> PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields
> from the EC, and the only check is that they are not both zero. If either
> is larger than 7, the memcpy writes past the end of the array on the stack.
> A count of 255 overflows it by about 1 KB.
>
> The ChromeOS EC firmware caps these counts today, so a compliant setup
> does not hit this. The kernel should still validate the values from the EC
> rather than trust them.
>
> Validate the counts in cros_typec_handle_status() right after the
> EC_CMD_TYPEC_STATUS command returns, and return early if either one is
> above PDO_MAX_OBJECTS.
>
> Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs")
> Suggested-by: Tzung-Bi Shih <tzungbi@kernel.org>
> Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
> ---
> drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
> index c0806c562bb9..3ae9b35b7d85 100644
> --- a/drivers/platform/chrome/cros_ec_typec.c
> +++ b/drivers/platform/chrome/cros_ec_typec.c
> @@ -1158,6 +1158,12 @@ static void cros_typec_handle_status(struct cros_typec_data *typec, int port_num
> return;
> }
>
> + if (resp.source_cap_count > PDO_MAX_OBJECTS ||
> + resp.sink_cap_count > PDO_MAX_OBJECTS) {
> + dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num);
> + return;
> + }
> +
> /* If we got a hard reset, unregister everything and return. */
> if (resp.events & PD_STATUS_EVENT_HARD_RESET) {
> cros_typec_remove_partner(typec, port_num);
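Review bot: The bound is enforced in cros_typec_handle_status(), while the two memcpy() calls it protects are in cros_typec_register_partner_pdos(), per the commit message. Nothing at the copy site shows that the count was checked, so a later caller or a reordering could reintroduce the overflow; a check or clamp of the count against PDO_MAX_OBJECTS next to each memcpy() would keep the guarantee local to the caps_desc.pdo array.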