From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Nathan Rebello <nathan.c.rebello@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
kyungtae.kim@dartmouth.edu, stable@vger.kernel.org
Subject: Re: [PATCH v4] usb: typec: ucsi: validate connector number in ucsi_notify_common()
Date: Fri, 13 Mar 2026 10:53:04 +0200
Message-ID: <abPQcFxlSntTv-1t@kuha>
In-Reply-To: <20260312211503.1915-1-nathan.c.rebello@gmail.com>
Thu, Mar 12, 2026 at 05:15:03PM -0400, Nathan Rebello wrote:
> The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a
> 7-bit field (0-127) that is used to index into the connector array in
> ucsi_connector_change(). However, the array is only allocated for the
> number of connectors reported by the device (typically 2-4 entries).
>
> A malicious or malfunctioning device could report an out-of-range
> connector number in the CCI, causing an out-of-bounds array access in
> ucsi_connector_change().
>
> Add a bounds check in ucsi_notify_common(), the central point where CCI
> is parsed after arriving from hardware, so that bogus connector numbers
> are rejected before they propagate further.
>
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>

Did you see this happening on an actual device?

Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

> ---
> v4:
> - Moved bounds check to ucsi_notify_common(), the single point where
> CCI is parsed after read_cci(), so bogus connector numbers never
> propagate to ucsi_connector_change() (Greg KH)
> - Changed dev_warn to dev_err
> v3:
> - Added changelog (Greg's bot)
> v2:
> - Kept bounds check in ucsi_connector_change() rather than moving it
> to ucsi_notify_common() (Greg KH)
>
> drivers/usb/typec/ucsi/ucsi.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index a7b388dc7fa0..10261992f020 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -42,8 +42,13 @@ void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
> if (cci & UCSI_CCI_BUSY)
> return;
>
> - if (UCSI_CCI_CONNECTOR(cci))
> - ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
> + if (UCSI_CCI_CONNECTOR(cci)) {
> + if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
> + ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
> + else
> + dev_err(ucsi->dev, "bogus connector number in CCI: %u\n",
> + UCSI_CCI_CONNECTOR(cci));
> + }
>
> if (cci & UCSI_CCI_ACK_COMPLETE &&
> test_and_clear_bit(ACK_PENDING, &ucsi->flags))
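
Review bot: The dev_err() in the new else branch fires on every notification that carries an out-of-range connector number, and that value comes from the device, so a malfunctioning or malicious device can flood the kernel log; dev_err_ratelimited() would be safer there. UCSI_CCI_CONNECTOR(cci) is also expanded four times in the new block, and reading it once into a local variable would make the check and the call visibly operate on the same value. The `<= ucsi->cap.num_connectors` comparison is only correct if connector numbers are 1-based, which the surrounding non-zero test suggests, so a one-line comment saying so would help the next reader.
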
> --
> 2.43.0.windows.1
--
heikki