CVE-2021-46980 Information

Feb 29, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4

commit 4dbc6a4ef06d (�sb: typec: ucsi: save power data objects in PD mode) introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However as per the PD spec a connected source may advertise up to a maximum of 7 PDOs.

If such a source is connected it’s possible the PPM could have negotiated a power contract with one of the PDOs at index greater than 4 and would be reflected in the request data object’s (RDO) object position field. This would result in an out-of-bounds access when the rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now().

With the help of the UBSAN -fsanitize=array-bounds checker enabled this exact issue is revealed when connecting to a PD source adapter that advertise 5 PDOs and the PPM enters a contract having selected the 5th one.

[ 151.545106][ T70] Unexpected kernel BRK exception at EL1 [ 151.545112][ T70] Internal error: BRK handler: f2005512 [1] PREEMPT SMP … [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c [ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328 … [ 151.545542][ T70] Call trace: [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c [ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0 [ 151.545550][ T70] dev_uevent+0x200/0x384 [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8 [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c [ 151.545562][ T70] process_one_work+0x244/0x6f0 [ 151.545564][ T70] worker_thread+0x3e0/0xa64

We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command.

Reference

https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911 https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57 https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc

Share on: