Re: platform/chrome: cros_ec_typec: unbounded PD cap count in cros_typec_register_partner_pdos()
From: Maoyi Xie
Date: Wed Jun 24 2026 - 03:01:08 EST

Hi Tzung-Bi,

Thanks for confirming it.

> How did you reproduce the overflow? Was this by modifying the EC firmware
> to send larger counts, or can this be triggered by a non-compliant USB-C
> partner device?

I did not modify the EC firmware and I did not have a real partner. I do
not have cros_ec hardware. I ran the same copy in a small standalone test,
a u32 pdo[7] on the stack with a count above 7, and it tripped the stack
protector. So this is a source review plus that test, not a hardware repro.

I also cannot confirm that a non-compliant partner can push the count past
7. That depends on whether the EC already caps it, which I cannot see. It
may well need buggy or compromised EC firmware. I assumed the partner path
in my mail and I should not have stated it so firmly.

> Generally, the `resp` should be validated immediately after the
> EC_CMD_TYPEC_STATUS command returns in cros_typec_handle_status() and exit
> earlier if the counts are out of bounds.

Makes sense. I will send a patch that does that, with a Fixes tag and Cc
stable.

Maoyi
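The early validation discussed in the thread, modeled as a standalone userspace C program. This is an added example, not part of the mail and not the kernel driver's code. The `model_*` names and the 16-entry response arrays are assumptions; only the 7-entry `pdo[]` destination comes from the mail.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PDO_MAX   7  /* size of the fixed pdo[] destination named in the mail */
#define MODEL_RESP_PDOS 16 /* assumption: the response can carry more than 7 entries */

/* Hypothetical stand-in for the EC status response; not the kernel's struct. */
struct model_status_resp {
	uint8_t source_cap_count;
	uint8_t sink_cap_count;
	uint32_t source_cap_pdos[MODEL_RESP_PDOS];
	uint32_t sink_cap_pdos[MODEL_RESP_PDOS];
};

struct model_caps { uint32_t pdo[MODEL_PDO_MAX]; };

/* Reject the whole response before any consumer uses the counts. */
static int model_validate_resp(const struct model_status_resp *resp)
{
	if (resp->source_cap_count > MODEL_PDO_MAX ||
	    resp->sink_cap_count > MODEL_PDO_MAX)
		return -EINVAL;
	return 0;
}

/* Models the handler: validate right after the command returns, exit early. */
static int model_handle_status(const struct model_status_resp *resp,
			       struct model_caps *src, struct model_caps *snk)
{
	int ret = model_validate_resp(resp);

	if (ret)
		return ret; /* nothing is copied when either count is out of bounds */
	memcpy(src->pdo, resp->source_cap_pdos, sizeof(uint32_t) * resp->source_cap_count);
	memcpy(snk->pdo, resp->sink_cap_pdos, sizeof(uint32_t) * resp->sink_cap_count);
	return 0;
}

int main(void)
{
	/* Constructed sample response: one count above the 7-entry limit. */
	struct model_status_resp resp = { .source_cap_count = 8, .sink_cap_count = 1 };
	struct model_caps src = {0}, snk = {0};
	printf("count 8: %d\n", model_handle_status(&resp, &src, &snk));
	resp.source_cap_count = 7;
	printf("count 7: %d\n", model_handle_status(&resp, &src, &snk));
	return 0;
}
```

Because the check covers both counts before either copy runs, a response with one bad count leaves both destinations untouched.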