CVE-2024-26995

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tcpm: Correct the PDO counting in pd_set<br /> <br /> Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are<br /> incorrectly added one. The index of the loop is equal to the number of<br /> PDOs to be updated when leaving the loop and it doesn&amp;#39;t need to be added<br /> one.<br /> <br /> When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as<br /> the size of the local sink PDO array to match the Source capabilities<br /> of the partner port. If the off-by-one overflow occurs, a wrong RDO<br /> might be sent and unexpected power transfer might happen such as over<br /> voltage or over current (than expected).<br /> <br /> "nr_src_pdo" is used to set the Rp level when the port is in Source<br /> role. It is also the array size of the local Source capabilities when<br /> filling up the buffer which will be sent as the Source PDOs (such as<br /> in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp<br /> level might be set and wrong Source PDOs will be sent to the partner<br /> port. This could potentially cause over current or port resets.