usb: typec: altmodes/displayport: validate count before reading Status Update VDO

A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the update object.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
index 35d9c3086990036d1f43eae71bfd6e618e964b94..263a89c5f32433d64c32405f2787d89b1dd5a02a 100644 (file)
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
                                dp->state = DP_STATE_EXIT_PRIME;
                        break;
                case DP_CMD_STATUS_UPDATE:
+                       if (count < 2)
+                               break;
                        dp->data.status = *vdo;
                        ret = dp_altmode_status_update(dp);
                        break;