usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO

ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header.  A header-only Configure VDM (count == 1) would read one u32
past the caller's array.

In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths.  NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.

Assisted-by: gkh_clanker_t1000
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/typec/ucsi/displayport.c b/drivers/usb/typec/ucsi/displayport.c
index 8aae80b457d74dce41e3ec1d1e2e92a5ee3bd575..67a0991a7b76907aa483c4ce0e811af0a762f7ea 100644 (file)
--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct typec_altmode *alt,
                                dp->header |= VDO_CMDT(CMDT_RSP_ACK);
                        break;
                case DP_CMD_CONFIGURE:
+                       if (count < 2) {
+                               dp->header |= VDO_CMDT(CMDT_RSP_NAK);
+                               break;
+                       }
                        dp->data.conf = *data;
                        if (ucsi_displayport_configure(dp)) {
                                dp->header |= VDO_CMDT(CMDT_RSP_NAK);