[PATCH] platform/chrome: cros_ec_typec: reject out-of-bounds PD cap count

From: Maoyi Xie

Date: Wed Jun 24 2026 - 04:39:44 EST


cros_typec_register_partner_pdos() copies the partner PDOs from the EC
TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array.

memcpy(caps_desc.pdo, resp->source_cap_pdos,
sizeof(u32) * resp->source_cap_count);
...
memcpy(caps_desc.pdo, resp->sink_cap_pdos,
sizeof(u32) * resp->sink_cap_count);

PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields
from the EC, and the only check is that they are not both zero. If either
is larger than 7, the memcpy writes past the end of the array on the stack.
A count of 255 overflows it by about 1 KB.

The ChromeOS EC firmware caps these counts today, so a compliant setup
does not hit this. The kernel should still validate the values from the EC
rather than trust them.

Validate the counts in cros_typec_handle_status() right after the
EC_CMD_TYPEC_STATUS command returns, and return early if either one is
above PDO_MAX_OBJECTS.

Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs")
Suggested-by: Tzung-Bi Shih <tzungbi@xxxxxxxxxx>
Co-developed-by: Kaixuan Li <kaixuan.li@xxxxxxxxxx>
Signed-off-by: Kaixuan Li <kaixuan.li@xxxxxxxxxx>
Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
---
drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
index c0806c562bb9..3ae9b35b7d85 100644
--- a/drivers/platform/chrome/cros_ec_typec.c
+++ b/drivers/platform/chrome/cros_ec_typec.c
@@ -1158,6 +1158,12 @@ static void cros_typec_handle_status(struct cros_typec_data *typec, int port_num
return;
}

+ if (resp.source_cap_count > PDO_MAX_OBJECTS ||
+ resp.sink_cap_count > PDO_MAX_OBJECTS) {
+ dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num);
+ return;
+ }
+
/* If we got a hard reset, unregister everything and return. */
if (resp.events & PD_STATUS_EVENT_HARD_RESET) {
cros_typec_remove_partner(typec, port_num);