Re: [PATCH 2/8] usb: typec: altmodes/displayport: validate count before reading Status Update VDO

Next message: Greg Kroah-Hartman: "Re: [PATCH v5 4/4] driver core: platform: set mod_name in driver registration"
Previous message: Ajit Singh: "[PATCH v1 0/3] arm64: dts: qcom: Add Vicharak Axon Mini"
Next in thread: Abhishek Pandit-Subedi: "Re: [PATCH 2/8] usb: typec: altmodes/displayport: validate count before reading Status Update VDO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Heikki Krogerus

Date: Mon May 18 2026 - 07:08:03 EST

On Wed, May 13, 2026 at 05:52:49PM +0200, Greg Kroah-Hartman wrote:
> A broken/malicious device can send the incorrect count for a status
> update VDO, which will cause the kernel to read uninitialized stack data
> and send it off elsewhere.
>
> Fix this up by correctly verifying the count for the update object.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>

> ---
> drivers/usb/typec/altmodes/displayport.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
> index 35d9c3086990..263a89c5f324 100644
> --- a/drivers/usb/typec/altmodes/displayport.c
> +++ b/drivers/usb/typec/altmodes/displayport.c
> @@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
> dp->state = DP_STATE_EXIT_PRIME;
> break;
> case DP_CMD_STATUS_UPDATE:
> + if (count < 2)
> + break;
> dp->data.status = *vdo;
> ret = dp_altmode_status_update(dp);
> break;
> --
> 2.54.0

--
heikki