{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2021-46980", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[ 151.545106][ T70] Unexpected kernel BRK exception at EL1\n[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328\n...\n[ 151.545542][ T70] Call trace:\n[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c\n[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0\n[ 151.545550][ T70] dev_uevent+0x200/0x384\n[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8\n[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c\n[ 151.545562][ T70] process_one_work+0x244/0x6f0\n[ 151.545564][ T70] worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "4dbc6a4ef06d", "version_value": "e5366bea0277" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "5.8", "status": "affected" }, { "version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.38", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.11.22", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.12.5", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d" }, { "url": "https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911" }, { "url": "https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57" }, { "url": "https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc" } ] }, "generator": { "engine": "bippy-a5840b7849dd" } }