Commit 7c113a98 authored Feb 14, 2025 by Dan Carpenter Committed by Xia Fukun Feb 14, 2025

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

mainline inclusion
from mainline-v6.12-rc7
commit 7dd08a0b4193087976db6b3ee7807de7e8316f96
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AV7
CVE: CVE-2024-50268

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7dd08a0b4193087976db6b3ee7807de7e8316f96



--------------------------------

The "*cmd" variable can be controlled by the user via debugfs.  That means
"new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).

The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
   -> ucsi_send_command_common()
      -> ucsi_run_command() // calls ucsi->ops->sync_control()
         -> ucsi_ccg_sync_control()

Fixes: 170a6726 ("usb: typec: ucsi: add support for separate DP altmode devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Xia Fukun <xiafukun@huawei.com>

parent 83b361e2

drivers/usb/typec/ucsi/ucsi_ccg.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -436,6 +436,8 @@ static void ucsi_ccg_update_set_new_cam_cmd(struct ucsi_ccg *uc,

		port = uc->orig;
		new_cam = UCSI_SET_NEW_CAM_GET_AM(*cmd);
		if (new_cam >= ARRAY_SIZE(uc->updated))
		return;
		new_port = &uc->updated[new_cam];
		cam = new_port->linked_idx;
		enter_new_mode = UCSI_SET_NEW_CAM_ENTER(*cmd);