Re: [PATCH 8/8] usb: typec: ucsi: validate connector number in ucsi_connector_change()

Next message: Boris Brezillon: "Re: [PATCH v11 5/6] drm/panthor: Support sparse mappings"
Previous message: Andy Shevchenko: "[PATCH v1 1/1] ASoC: cs35l56: Drop malformed default N from Kconfig"
In reply to: Greg Kroah-Hartman: "[PATCH 8/8] usb: typec: ucsi: validate connector number in ucsi_connector_change()"
Next in thread: Benson Leung: "Re: [PATCH 8/8] usb: typec: ucsi: validate connector number in ucsi_connector_change()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Abel Vesa

Date: Wed May 13 2026 - 12:26:39 EST

On 26-05-13 17:52:55, Greg Kroah-Hartman wrote:
> The connector number in a UCSI CCI notification is a 7-bit field
> supplied by the PPM. ucsi_connector_change() uses it to index the
> ucsi->connector[] array without checking it against the number of
> connectors the PPM reported at init time, so a buggy or malicious PPM
> (EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
> glink transports) can drive schedule_work() on memory past the end of
> the array.
>
> Reject connector numbers that are zero or exceed cap.num_connectors
> before dereferencing the array.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: Benson Leung <bleung@xxxxxxxxxxxx>
> Cc: Jameson Thies <jthies@xxxxxxxxxx>
> Cc: Nathan Rebello <nathan.c.rebello@xxxxxxxxx>
> Cc: Johan Hovold <johan@xxxxxxxxxx>
> Cc: Pooja Katiyar <pooja.katiyar@xxxxxxxxx>
> Cc: Hsin-Te Yuan <yuanhsinte@xxxxxxxxxxxx>
> Cc: Abel Vesa <abelvesa@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Reviewed-by: Abel Vesa <abel.vesa@xxxxxxxxxxxxxxxx>