1
linux/drivers/usb/typec
Dan Carpenter 7dd08a0b41 usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
The "*cmd" variable can be controlled by the user via debugfs.  That means
"new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).

The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
   -> ucsi_send_command_common()
      -> ucsi_run_command() // calls ucsi->ops->sync_control()
         -> ucsi_ccg_sync_control()

Fixes: 170a6726d0 ("usb: typec: ucsi: add support for separate DP altmode devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-05 13:55:19 +01:00
..
altmodes usb: typec: Update sysfs when setting ops 2024-06-04 15:44:27 +02:00
mux platform/x86: intel_scu_ipc: Move intel_scu_ipc.h out of arch/x86/include/asm 2024-09-11 14:26:03 +02:00
tcpm usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier 2024-11-05 13:54:54 +01:00
tipd USB/Thunderbolt update for 6.12-rc1 2024-09-26 09:45:36 -07:00
ucsi usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() 2024-11-05 13:55:19 +01:00
anx7411.c USB/Thunderbolt update for 6.12-rc1 2024-09-26 09:45:36 -07:00
bus.c driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
bus.h
class.c usb: typec: use cleanup facility for 'altmodes_node' 2024-10-29 04:28:51 +01:00
class.h
hd3ss3220.c
Kconfig
Makefile
mux.c
mux.h
pd.c
pd.h
port-mapper.c
retimer.c
retimer.h
rt1719.c power: supply: Change usb_types from an array into a bitmask 2024-09-03 23:20:28 +02:00
stusb160x.c
wusb3801.c