From: Dan Carpenter <dan.carpenter@linaro.org> mainline inclusion from mainline-v6.13-rc1 commit e56aac6e5a25630645607b6856d4b2a17b2311a5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFV CVE: CVE-2024-53203 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.mount... Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/usb/typec/ucsi/ucsi_ccg.c [It comes from two reasons: 1. the lack of commit 13f2ec3115c8, which refactors ucsi_ccg_sync_write() to ucsi_ccg_sync_control(); 2. a possible error within the original upstream patch, causing the imbalance of pm_runtime_{get,put}_sync().] Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com> --- drivers/usb/typec/ucsi/ucsi_ccg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c index 6db7c8ddd51c..2f2cb3fc8581 100644 --- a/drivers/usb/typec/ucsi/ucsi_ccg.c +++ b/drivers/usb/typec/ucsi/ucsi_ccg.c @@ -571,6 +571,10 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, uc->has_multiple_dp) { con_index = (uc->last_cmd_sent >> 16) & UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; + goto err_clear_bit; + } con = &uc->ucsi->connector[con_index - 1]; ucsi_ccg_update_set_new_cam_cmd(uc, con, (u64 *)val); } -- 2.25.1