Re: [PATCH 7/8] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO

From: Heikki Krogerus

Date: Mon May 18 2026 - 07:32:20 EST


Wed, May 13, 2026 at 05:52:54PM +0200, Greg Kroah-Hartman wrote:
> ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
> payload VDO from data[], but unlike the equivalent handler in
> altmodes/displayport.c it does not check that count covers a VDO beyond
> the header. A header-only Configure VDM (count == 1) would read one u32
> past the caller's array.
>
> In the normal UCSI path the caller controls count, so this is hardening
> for non-standard delivery paths. NAK and bail when no configuration VDO
> is present, matching the generic DP altmode driver's existing guard.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: Pooja Katiyar <pooja.katiyar@xxxxxxxxx>
> Cc: Johan Hovold <johan@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>

> ---
> drivers/usb/typec/ucsi/displayport.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/typec/ucsi/displayport.c b/drivers/usb/typec/ucsi/displayport.c
> index 8aae80b457d7..67a0991a7b76 100644
> --- a/drivers/usb/typec/ucsi/displayport.c
> +++ b/drivers/usb/typec/ucsi/displayport.c
> @@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct typec_altmode *alt,
> dp->header |= VDO_CMDT(CMDT_RSP_ACK);
> break;
> case DP_CMD_CONFIGURE:
> + if (count < 2) {
> + dp->header |= VDO_CMDT(CMDT_RSP_NAK);
> + break;
> + }
> dp->data.conf = *data;
> if (ucsi_displayport_configure(dp)) {
> dp->header |= VDO_CMDT(CMDT_RSP_NAK);
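
Review bot: the bare 2 in `if (count < 2)` under `case DP_CMD_CONFIGURE:` is only understandable once you know that count includes the VDM header, which the commit message states (count == 1 is header-only) but the code does not. A one-line comment above the check, for example "header plus at least one configuration VDO", would keep that reasoning next to the guard. The check does sit ahead of the `dp->data.conf = *data;` read it is meant to protect, and the early `break` skips ucsi_displayport_configure(), so dp->data.conf keeps its previous value on this path. It is worth confirming that the code after the switch, which is not shown in this hunk, sends the NAK for this new branch the same way it does for the existing configure-failure branch.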
> --
> 2.54.0

--
heikki