Re: [PATCH 2/8] usb: typec: altmodes/displayport: validate count before reading Status Update VDO

Next message: Andrew Jones: "Re: [PATCH 1/2] riscv: track effective hardware PTE A/D updates"
Previous message: Simon Horman: "Re: [PATCH net v2] idpf: handle NULL adev in idpf_idc_vdev_mtu_event"
In reply to: Heikki Krogerus: "Re: [PATCH 2/8] usb: typec: altmodes/displayport: validate count before reading Status Update VDO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Abhishek Pandit-Subedi

Date: Tue May 19 2026 - 16:02:59 EST

On Wed, May 13, 2026 at 9:14 AM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> A broken/malicious device can send the incorrect count for a status
> update VDO, which will cause the kernel to read uninitialized stack data
> and send it off elsewhere.
>
> Fix this up by correctly verifying the count for the update object.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@xxxxxxxxxxxx>

> ---
> drivers/usb/typec/altmodes/displayport.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
> index 35d9c3086990..263a89c5f324 100644
> --- a/drivers/usb/typec/altmodes/displayport.c
> +++ b/drivers/usb/typec/altmodes/displayport.c
> @@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
> dp->state = DP_STATE_EXIT_PRIME;
> break;
> case DP_CMD_STATUS_UPDATE:
> + if (count < 2)
> + break;
> dp->data.status = *vdo;
> ret = dp_altmode_status_update(dp);
> break;
> --
> 2.54.0
>
>