usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT

A broken/malicious port can transmit a CRC-valid frame whose header
advertises up to seven data objects but whose body carries fewer than
that.  Check for this, and rightfully reject the message, instead of
reading from uninitialized stack memory.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: "André Draszik" <andre.draszik@linaro.org>
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: Amit Sunil Dhamne <amitsd@google.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/typec/tcpm/tcpci_maxim_core.c b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
index c0ee7e6959edf9666e499a6fa085fbca9f2b07f3..7324139d51c8e1f10fbd754e3f8f4470bf47e0f1 100644 (file)
--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
@@ -181,6 +181,15 @@ static void process_rx(struct max_tcpci_chip *chip, u16 status)
        rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET;
        msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr);
        rx_buf_ptr = rx_buf_ptr + sizeof(msg.header);
+
+       if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) +
+                   pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) {
+               max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS);
+               dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n",
+                       count, pd_header_cnt_le(msg.header));
+               return;
+       }
+
        for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++,
             rx_buf_ptr += sizeof(msg.payload[0]))
                msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);