Re: [PATCH 5/8] usb: typec: tcpm: validate VDO count before reading Attention status VDO
From: Badhri Jagan Sridharan
Date: Thu May 14 2026 - 17:58:22 EST
On Wed, May 13, 2026 at 8:53 AM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> A broken/malicious device can send the incorrect count for an attention
> status VDO, which will cause the kernel to read uninitialized stack data
> and send it off elsewhere.
>
> Fix this up by correctly verifying the count for the attention object.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Badhri Jagan Sridharan <badhri@xxxxxxxxxx>
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/usb/typec/tcpm/tcpm.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 44dab6c32c33..2cab74ed71a7 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -2639,6 +2639,8 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port,
> }
> break;
> case ADEV_ATTENTION:
> + if (cnt < 2)
> + break;
> if (typec_altmode_attention(adev, p[1]))
> tcpm_log(port, "typec_altmode_attention no port partner altmode");
> break;
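Review bot: the new `if (cnt < 2) break;` guard is the right bound (p[0] is the VDM header, so p[1] is only present when the count is at least 2 words), but it drops the malformed Attention silently, while the very next line already reports the other failure with `tcpm_log(port, ...)`. Adding a short `tcpm_log(port, "Attention VDM with cnt %d, ignoring", cnt);` before the `break` would keep a broken or hostile port partner sending a truncated Attention visible in the tcpm log instead of vanishing without trace. Since the guard is local to the `ADEV_ATTENTION` case, the commit message could also say that the other readers of `p[1]` in this function are out of scope here, so stable reviewers know which path this fix covers.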
> --
Hi Greg,
While the `cnt` check helps fix this specific case, I do see multiple
other instances in the same function where the validity of p[0] and
p[1] seems to be assumed (for instance calls to
typec_altmode_vdm(adev, p[0], &p[1], cnt)). To make the patch more
complete and robust, shouldn't p also be initialized to 0? This will
prevent leaking uninitialized stack data in those instances too.
> 2.54.0
>