From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 13 May 2026 15:52:49 +0000 (+0200)
Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO
X-Git-Tag: v7.1-rc6~9^2~32
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8a18f896e667df491331371b55d4ad644dc51d60;p=thirdparty%2Flinux.git

usb: typec: altmodes/displayport: validate count before reading Status Update VDO

A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the update object.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
index 35d9c3086990..263a89c5f324 100644
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
 				dp->state = DP_STATE_EXIT_PRIME;
 			break;
 		case DP_CMD_STATUS_UPDATE:
+			if (count < 2)
+				break;
 			dp->data.status = *vdo;
 			ret = dp_altmode_status_update(dp);
 			break;