[PATCH 5/8] usb: typec: tcpm: validate VDO count before reading Attention status VDO

Next message: Pierre Gondois: "Re: [PATCH v2 2/2] ACPI: CPPC: Add ospm_nominal_perf support"
Previous message: Satish Kharat: "[PATCH net-next v7 00/10] enic: SR-IOV V2 admin channel and MBOX protocol"
In reply to: Benson Leung: "Re: [PATCH 8/8] usb: typec: ucsi: validate connector number in ucsi_connector_change()"
Next in thread: Badhri Jagan Sridharan: "Re: [PATCH 5/8] usb: typec: tcpm: validate VDO count before reading Attention status VDO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Wed May 13 2026 - 12:03:33 EST

A broken/malicious device can send the incorrect count for an attention
status VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the attention object.

Assisted-by: gkh_clanker_t1000
Cc: Badhri Jagan Sridharan <badhri@xxxxxxxxxx>
Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/typec/tcpm/tcpm.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 44dab6c32c33..2cab74ed71a7 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2639,6 +2639,8 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port,
}
break;
case ADEV_ATTENTION:
+ if (cnt < 2)
+ break;
if (typec_altmode_attention(adev, p[1]))
tcpm_log(port, "typec_altmode_attention no port partner altmode");
break;
--
2.54.0