{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[ 151.545106][ T70] Unexpected kernel BRK exception at EL1\n[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328\n...\n[ 151.545542][ T70] Call trace:\n[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c\n[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0\n[ 151.545550][ T70] dev_uevent+0x200/0x384\n[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8\n[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c\n[ 151.545562][ T70] process_one_work+0x244/0x6f0\n[ 151.545564][ T70] worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/usb/typec/ucsi/ucsi.c", "drivers/usb/typec/ucsi/ucsi.h" ], "versions": [ { "version": "4dbc6a4ef06d", "lessThan": "e5366bea0277", "status": "affected", "versionType": "git" }, { "version": "4dbc6a4ef06d", "lessThan": "a453bfd7ef15", "status": "affected", "versionType": "git" }, { "version": "4dbc6a4ef06d", "lessThan": "5e9c6f58b01e", "status": "affected", "versionType": "git" }, { "version": "4dbc6a4ef06d", "lessThan": "1f4642b72be7", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/usb/typec/ucsi/ucsi.c", "drivers/usb/typec/ucsi/ucsi.h" ], "versions": [ { "version": "5.8", "status": "affected" }, { "version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.38", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.11.22", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.12.5", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d" }, { "url": "https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911" }, { "url": "https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57" }, { "url": "https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc" } ], "title": "usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-46980", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }