usb: typec: ucsi: validate connector number in ucsi_notify_common()

The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a
7-bit field (0-127) that is used to index into the connector array in
ucsi_connector_change(). However, the array is only allocated for the
number of connectors reported by the device (typically 2-4 entries).

A malicious or malfunctioning device could report an out-of-range
connector number in the CCI, causing an out-of-bounds array access in
ucsi_connector_change().

Add a bounds check in ucsi_notify_common(), the central point where CCI
is parsed after arriving from hardware, so that bogus connector numbers
are rejected before they propagate further.

Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
Link: https://patch.msgid.link/20260313222453.123-1-nathan.c.rebello@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index f38a4d7ebc4243c92027bafccfe11f8341c228ff..8333bdaf55668de45021c50edbe09ae5884dcb92 100644 (file)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -43,8 +43,13 @@ void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
        if (cci & UCSI_CCI_BUSY)
                return;
 
-       if (UCSI_CCI_CONNECTOR(cci))
-               ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
+       if (UCSI_CCI_CONNECTOR(cci)) {
+               if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
+                       ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
+               else
+                       dev_err(ucsi->dev, "bogus connector number in CCI: %lu\n",
+                               UCSI_CCI_CONNECTOR(cci));
+       }
 
        if (cci & UCSI_CCI_ACK_COMPLETE &&
            test_and_clear_bit(ACK_PENDING, &ucsi->flags))