* [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
@ 2026-03-12 21:15 Nathan Rebello
2026-03-13 8:53 ` Heikki Krogerus
2026-03-13 17:37 ` kernel test robot
From: Nathan Rebello @ 2026-03-12 21:15 UTC (permalink / raw)
To: gregkh; +Cc: linux-usb, heikki.krogerus, kyungtae.kim, stable, Nathan Rebello
The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a
7-bit field (0-127) that is used to index into the connector array in
ucsi_connector_change(). However, the array is only allocated for the
number of connectors reported by the device (typically 2-4 entries).
A malicious or malfunctioning device could report an out-of-range
connector number in the CCI, causing an out-of-bounds array access in
ucsi_connector_change().
Add a bounds check in ucsi_notify_common(), the central point where CCI
is parsed after arriving from hardware, so that bogus connector numbers
are rejected before they propagate further.
Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
Cc: stable@vger.kernel.org
Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
---
v4:
- Moved bounds check to ucsi_notify_common(), the single point where
CCI is parsed after read_cci(), so bogus connector numbers never
propagate to ucsi_connector_change() (Greg KH)
- Changed dev_warn to dev_err
v3:
- Added changelog (Greg's bot)
v2:
- Kept bounds check in ucsi_connector_change() rather than moving it
to ucsi_notify_common() (Greg KH)
drivers/usb/typec/ucsi/ucsi.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index a7b388dc7fa0..10261992f020 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -42,8 +42,13 @@ void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
if (cci & UCSI_CCI_BUSY)
return;
- if (UCSI_CCI_CONNECTOR(cci))
- ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
+ if (UCSI_CCI_CONNECTOR(cci)) {
+ if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
+ ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
+ else
+ dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
+ UCSI_CCI_CONNECTOR(cci));
+ }
if (cci & UCSI_CCI_ACK_COMPLETE &&
test_and_clear_bit(ACK_PENDING, &ucsi->flags))
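Review bot: the `%u` in the new dev_err() does not match the type of UCSI_CCI_CONNECTOR(cci); the kernel test robot's W=1 build later in this thread reports the argument as `long unsigned int`, so either read the value once into a local of the right type, e.g. `unsigned int num = UCSI_CCI_CONNECTOR(cci);`, and use `num` in the test, the call and the message, or change the format to `%lu`. The local also removes the three separate evaluations of the macro and lets the nested `if` collapse into a single `if (num > ucsi->cap.num_connectors)` early-out before the existing ucsi_connector_change() call.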
--
2.43.0.windows.1
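The commit message describes two things worth seeing side by side: the 7-bit connector field that can reach 127 while the connector array holds only cap.num_connectors entries, and the 1-based check that stops it. The following user-space model is an editor's example added to this page, not code from the patch or from the UCSI driver. The CCI bit positions (connector indicator in bits 1..7, BUSY at bit 28), the unsigned-long mask standing in for the kernel's GENMASK(), and the struct and function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the CCI handling in ucsi_notify_common().
 * Bit layout assumed from the UCSI specification, not taken from the patch:
 * bits 1..7 connector change indicator (0 = no change, 1..127), bit 28 BUSY.
 * The mask is an unsigned long on purpose: the kernel's GENMASK() yields one
 * too, which is why a W=1 build complains about '%u' with this value.
 */
#define CCI_CONNECTOR_MASK   0xFEul
#define CCI_CONNECTOR(c)     (((c) & CCI_CONNECTOR_MASK) >> 1)
#define CCI_BUSY             (1u << 28)

struct connector {
	unsigned int num;       /* 1-based, as in UCSI */
	unsigned int changes;   /* how often a change was dispatched here */
};

struct ucsi_model {
	unsigned int num_connectors;   /* stands in for ucsi->cap.num_connectors */
	struct connector *connector;   /* exactly num_connectors entries */
};

enum cci_result { CCI_IGNORED_BUSY, CCI_NO_CONNECTOR, CCI_DISPATCHED, CCI_REJECTED };

/* Pre-patch behaviour, modelled without touching memory: the array index
 * (connector number minus one) that ucsi_connector_change() would use. */
static long unchecked_index(uint32_t cci)
{
	return (long)CCI_CONNECTOR(cci) - 1;
}

/* Post-patch behaviour. The connector number is read once into an unsigned
 * int, which matches the format string and avoids re-evaluating the macro. */
static enum cci_result notify_checked(struct ucsi_model *u, uint32_t cci)
{
	unsigned int num = (unsigned int)CCI_CONNECTOR(cci);

	if (cci & CCI_BUSY)             /* CCI contents are bogus while busy */
		return CCI_IGNORED_BUSY;
	if (!num)                       /* no connector change indicated */
		return CCI_NO_CONNECTOR;
	if (num > u->num_connectors) {  /* only 1..num_connectors are valid */
		fprintf(stderr, "bogus connector number in CCI: %u\n", num);
		return CCI_REJECTED;
	}
	u->connector[num - 1].changes++;
	return CCI_DISPATCHED;
}

static struct ucsi_model *model_new(unsigned int n)
{
	struct ucsi_model *u = calloc(1, sizeof(*u));
	if (!u)
		return NULL;
	u->connector = calloc(n, sizeof(*u->connector));
	if (!u->connector) {
		free(u);
		return NULL;
	}
	u->num_connectors = n;
	for (unsigned int i = 0; i < n; i++)
		u->connector[i].num = i + 1;
	return u;
}

static void model_free(struct ucsi_model *u)
{
	if (u) {
		free(u->connector);
		free(u);
	}
}

/* Feeds constructed CCI words through the checked path and returns how many
 * were rejected, so a caller can verify the filter rather than read the log. */
static unsigned int run_demo(struct ucsi_model *u, const uint32_t *cci, size_t n)
{
	unsigned int rejected = 0;

	for (size_t i = 0; i < n; i++) {
		enum cci_result r = notify_checked(u, cci[i]);
		printf("cci=0x%08lx connector=%u unchecked_index=%ld result=%d\n",
		       (unsigned long)cci[i], (unsigned int)CCI_CONNECTOR(cci[i]),
		       unchecked_index(cci[i]), (int)r);
		if (r == CCI_REJECTED)
			rejected++;
	}
	return rejected;
}

int main(void)
{
	/* Constructed sample: a 2-connector PPM receiving four CCI words. */
	static const uint32_t sample[] = {
		0x00000004u,             /* connector 2: valid */
		0x000000FEu,             /* connector 127: index 126 on a 2-entry array */
		0x00000004u | CCI_BUSY,  /* busy: ignored whatever the connector field says */
		0x00000000u,             /* no connector change */
	};
	struct ucsi_model *u = model_new(2);

	if (!u)
		return 1;
	printf("rejected %u of 4, connector 2 saw %u change(s)\n",
	       run_demo(u, sample, 4), u->connector[1].changes);
	model_free(u);
	return 0;
}
```

The unchecked index for the 0xFE word is 126, far past the two-entry allocation; the checked path logs and drops it while the busy word is discarded before the connector field is even looked at, which is the order of checks the patched function keeps.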
* Re: [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
2026-03-12 21:15 [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common() Nathan Rebello
@ 2026-03-13 8:53 ` Heikki Krogerus
2026-03-13 22:30 ` Nathan Rebello
2026-03-13 17:37 ` kernel test robot
From: Heikki Krogerus @ 2026-03-13 8:53 UTC (permalink / raw)
To: Nathan Rebello; +Cc: gregkh, linux-usb, kyungtae.kim, stable
On Thu, Mar 12, 2026 at 05:15:03PM -0400, Nathan Rebello wrote:
> The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a
> 7-bit field (0-127) that is used to index into the connector array in
> ucsi_connector_change(). However, the array is only allocated for the
> number of connectors reported by the device (typically 2-4 entries).
>
> A malicious or malfunctioning device could report an out-of-range
> connector number in the CCI, causing an out-of-bounds array access in
> ucsi_connector_change().
>
> Add a bounds check in ucsi_notify_common(), the central point where CCI
> is parsed after arriving from hardware, so that bogus connector numbers
> are rejected before they propagate further.
>
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
Did you see this happening on an actual device?
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> v4:
> - Moved bounds check to ucsi_notify_common(), the single point where
> CCI is parsed after read_cci(), so bogus connector numbers never
> propagate to ucsi_connector_change() (Greg KH)
> - Changed dev_warn to dev_err
> v3:
> - Added changelog (Greg's bot)
> v2:
> - Kept bounds check in ucsi_connector_change() rather than moving it
> to ucsi_notify_common() (Greg KH)
>
> drivers/usb/typec/ucsi/ucsi.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index a7b388dc7fa0..10261992f020 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -42,8 +42,13 @@ void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
> if (cci & UCSI_CCI_BUSY)
> return;
>
> - if (UCSI_CCI_CONNECTOR(cci))
> - ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
> + if (UCSI_CCI_CONNECTOR(cci)) {
> + if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
> + ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
> + else
> + dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
> + UCSI_CCI_CONNECTOR(cci));
> + }
>
> if (cci & UCSI_CCI_ACK_COMPLETE &&
> test_and_clear_bit(ACK_PENDING, &ucsi->flags))
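Review bot: the rejected value in `dev_err(ucsi->dev, "bogus connector number in CCI: %u\n", ...)` comes straight from the device and is reported on every notification that carries it, so a malfunctioning or hostile PPM can keep the log busy; dev_err_ratelimited() would be the safer choice for device-controlled input. The `<=` in `UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors` is correct only because connector numbers are 1-based and 0 is already filtered by the enclosing `if (UCSI_CCI_CONNECTOR(cci))`; a one-line comment stating that would spare the next reader from expecting `<`.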
> --
> 2.43.0.windows.1
--
heikki
* Re: [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
2026-03-12 21:15 [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common() Nathan Rebello
2026-03-13 8:53 ` Heikki Krogerus
@ 2026-03-13 17:37 ` kernel test robot
From: kernel test robot @ 2026-03-13 17:37 UTC (permalink / raw)
To: Nathan Rebello, gregkh
Cc: oe-kbuild-all, linux-usb, heikki.krogerus, kyungtae.kim, stable,
Nathan Rebello
Hi Nathan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on usb/usb-testing]
[also build test WARNING on usb/usb-next usb/usb-linus westeri-thunderbolt/next linus/master v7.0-rc3 next-20260313]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Nathan-Rebello/usb-typec-ucsi-validate-connector-number-in-ucsi_notify_common/20260313-200729
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
patch link: https://lore.kernel.org/r/20260312211503.1915-1-nathan.c.rebello%40gmail.com
patch subject: [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
config: x86_64-rhel-9.4 (https://download.01.org/0day-ci/archive/20260313/202603131813.ofOSyCrk-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260313/202603131813.ofOSyCrk-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603131813.ofOSyCrk-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/device.h:15,
from drivers/usb/typec/ucsi/ucsi.c:11:
drivers/usb/typec/ucsi/ucsi.c: In function 'ucsi_notify_common':
>> drivers/usb/typec/ucsi/ucsi.c:50:44: warning: format '%u' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=]
50 | dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:110:30: note: in definition of macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^~~
include/linux/dev_printk.h:154:56: note: in expansion of macro 'dev_fmt'
154 | dev_printk_index_wrap(_dev_err, KERN_ERR, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~~
drivers/usb/typec/ucsi/ucsi.c:50:25: note: in expansion of macro 'dev_err'
50 | dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
| ^~~~~~~
drivers/usb/typec/ucsi/ucsi.c:50:77: note: format string is defined here
50 | dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
| ~^
| |
| unsigned int
| %lu
vim +50 drivers/usb/typec/ucsi/ucsi.c
39
40 void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
41 {
42 /* Ignore bogus data in CCI if busy indicator is set. */
43 if (cci & UCSI_CCI_BUSY)
44 return;
45
46 if (UCSI_CCI_CONNECTOR(cci)) {
47 if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
48 ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
49 else
> 50 dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
51 UCSI_CCI_CONNECTOR(cci));
52 }
53
54 if (cci & UCSI_CCI_ACK_COMPLETE &&
55 test_and_clear_bit(ACK_PENDING, &ucsi->flags))
56 complete(&ucsi->complete);
57
58 if (cci & UCSI_CCI_COMMAND_COMPLETE &&
59 test_and_clear_bit(COMMAND_PENDING, &ucsi->flags))
60 complete(&ucsi->complete);
61 }
62 EXPORT_SYMBOL_GPL(ucsi_notify_common);
63
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
2026-03-13 8:53 ` Heikki Krogerus
@ 2026-03-13 22:30 ` Nathan Rebello
From: Nathan Rebello @ 2026-03-13 22:30 UTC (permalink / raw)
To: Heikki Krogerus; +Cc: Nathan Rebello, gregkh, linux-usb, kyungtae.kim, stable
On Fri, 13 Mar 2026 at 10:53:04 +0200, Heikki Krogerus wrote:
> Did you see this happening on an actual device?
No, this was found through code review while auditing how CCI data
flows through the UCSI core. The connector number from
UCSI_CCI_CONNECTOR() is a 7-bit field that gets used as an array index
without bounds checking, so a malfunctioning device could trigger an
out-of-bounds access.
Thank you,
Nathan Rebello