Re: [PATCH 4/8] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
From: Badhri Jagan Sridharan
Date: Fri May 15 2026 - 01:14:22 EST
On Wed, May 13, 2026 at 8:52 AM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Properly validate the count passed from a device when calling
> svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
> device-controlled value could index off of the static arrays, which
> could leak data.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Badhri Jagan Sridharan <badhri@xxxxxxxxxx>
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Badhri Jagan Sridharan <badhri@xxxxxxxxxx>
> ---
> drivers/usb/typec/tcpm/tcpm.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 55fee96d3342..44dab6c32c33 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -1855,6 +1855,9 @@ static void svdm_consume_identity(struct tcpm_port *port, const u32 *p, int cnt)
> u32 vdo = p[VDO_INDEX_IDH];
> u32 product = p[VDO_INDEX_PRODUCT];
>
> + if (cnt <= VDO_INDEX_PRODUCT)
> + return;
> +
> memset(&port->mode_data, 0, sizeof(port->mode_data));
>
> port->partner_ident.id_header = vdo;
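
Review bot: the new cnt check in svdm_consume_identity() sits below the initializers `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];`, so both loads from p[] still execute before cnt is examined. The values are discarded on the early return and nothing is stored, but declaring vdo and product without initializers and assigning them after the check would keep every p[] access behind the validation. A short comment on why a short ACK is dropped silently would also help.
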
> @@ -1875,6 +1878,9 @@ static void svdm_consume_identity_sop_prime(struct tcpm_port *port, const u32 *p
> u32 product = p[VDO_INDEX_PRODUCT];
> int svdm_version;
>
> + if (cnt <= VDO_INDEX_CABLE_1)
> + return;
> +
> /*
> * Attempt to consume identity only if cable currently is not set
> */
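
Review bot: in svdm_consume_identity_sop_prime() the guard `if (cnt <= VDO_INDEX_CABLE_1)` is placed after `u32 product = p[VDO_INDEX_PRODUCT];`, so that load still happens before the count is validated; assigning product after the check would avoid it. The bound used here (VDO_INDEX_CABLE_1) also differs from the index read in the visible initializer (VDO_INDEX_PRODUCT), so a one-line comment naming which p[] access this bound protects would make the choice easier to verify.
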
> @@ -1898,7 +1904,7 @@ static void svdm_consume_identity_sop_prime(struct tcpm_port *port, const u32 *p
> switch (port->negotiated_rev_prime) {
> case PD_REV30:
> port->cable_desc.pd_revision = 0x0300;
> - if (port->cable_desc.active)
> + if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2)
> port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];
> break;
> case PD_REV20:
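
Review bot: with `cnt > VDO_INDEX_CABLE_2` folded into the condition in the PD_REV30 case, an active cable whose ACK is too short now skips the assignment to port->cable_ident.vdo[1] with no indication. Nothing in this hunk shows vdo[1] being cleared on that path, so please confirm it cannot retain a value from an earlier identity, or set it to 0 in an else branch. A log line for the short-ACK case would also help when debugging a misbehaving cable.
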
> --
> 2.54.0
>