CVE-2021-46980

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 28/02/2024
Last modified: 31/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4

commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec a connected source may advertise up to a maximum of 7 PDOs.

If such a source is connected it's possible the PPM could have negotiated a power contract with one of the PDOs at index greater than 4, and would be reflected in the request data object's (RDO) object position field. This would result in an out-of-bounds access when the rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now().

With the help of the UBSAN -fsanitize=array-bounds checker enabled this exact issue is revealed when connecting to a PD source adapter that advertises 5 PDOs and the PPM enters a contract having selected the 5th one.

[ 151.545106][ T70] Unexpected kernel BRK exception at EL1
[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
...
[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c
[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328
...
[ 151.545542][ T70] Call trace:
[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c
[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0
[ 151.545550][ T70] dev_uevent+0x200/0x384
[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8
[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c
[ 151.545562][ T70] process_one_work+0x244/0x6f0
[ 151.545564][ T70] worker_thread+0x3e0/0xa64

We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command.
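An added illustration of the fix described above, not the kernel's code and not taken from the commit: a user-space C model that fills a 7-entry PDO array with repeated 4-object reads and, going one step beyond the advisory, range-checks the RDO object position before indexing. The function names and sample PDO values are hypothetical and constructed; the bit layouts assumed are those of the USB PD specification (object position in RDO bits 30..28, fixed-supply voltage in PDO bits 19..10 in 50 mV units).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PDO_MAX_OBJECTS 7 /* maximum a source may advertise, per the advisory */
#define PDOS_PER_READ   4 /* 16-byte MESSAGE_IN / 4 bytes per PDO */
#define FIXED_PDO(mv)   ((uint32_t)((mv) / 50) << 10)

/* Constructed sample: a source advertising 5 fixed PDOs. */
static const uint32_t sample_source[] = {
    FIXED_PDO(5000), FIXED_PDO(9000), FIXED_PDO(12000),
    FIXED_PDO(15000), FIXED_PDO(20000),
};

/* Hypothetical stand-in for one GET_PDOS call: copies at most
 * PDOS_PER_READ objects starting at offset and returns the count. */
static size_t get_pdos_chunk(const uint32_t *src, size_t src_n,
                             size_t offset, uint32_t *out)
{
    size_t n = 0;
    for (; n < PDOS_PER_READ && offset + n < src_n; n++)
        out[n] = src[offset + n];
    return n;
}

/* Fill dst (capacity PDO_MAX_OBJECTS); a second read happens only when
 * the first one came back full. Never stores more than the capacity. */
static size_t fetch_all_pdos(const uint32_t *src, size_t src_n, uint32_t *dst)
{
    size_t total = 0, got;
    do {
        uint32_t buf[PDOS_PER_READ];
        got = get_pdos_chunk(src, src_n, total, buf);
        for (size_t i = 0; i < got && total < PDO_MAX_OBJECTS; i++)
            dst[total++] = buf[i];
    } while (got == PDOS_PER_READ && total < PDO_MAX_OBJECTS);
    return total;
}

/* Contract voltage in mV, or -1 when the 1-based object position in the
 * RDO is 0 or points past the n PDOs actually stored. */
static int contract_voltage_mv(uint32_t rdo, const uint32_t *pdos, size_t n)
{
    unsigned pos = (rdo >> 28) & 7;
    if (pos == 0 || pos > n)
        return -1;
    return (int)((pdos[pos - 1] >> 10) & 0x3ff) * 50;
}

int main(void)
{
    uint32_t pdos[PDO_MAX_OBJECTS];
    size_t n = fetch_all_pdos(sample_source, 5, pdos);
    printf("%zu PDOs, contract on #5: %d mV\n", n,
           contract_voltage_mv(5u << 28, pdos, n));
    return 0;
}
```

With only the first four PDOs stored, the same RDO selecting position 5 is rejected by the range check instead of reading past the stored entries.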

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 5.10.38 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | | |