Commit e9e1f133 authored by Jack Pham

usb: pd: avoid out-of-bounds access when reading PDOs



Most often a source will send fewer than the maximum number
of PDOs (7). Since the rx_msg buffer is now allocated up to
the size of the actual data, honor the rx_msg->data_len when
copying to pd->received_pdos rather than always 28 bytes.
This fixes out-of-bounds read access as reported by KASAN.

Change-Id: I5f98f7ccba027c1ab436ccf6fc822e2a319bafa1
Signed-off-by: Jack Pham <jackp@codeaurora.org>
parent e3950ebc
+8 −2
@@ -2302,8 +2302,11 @@ static void usbpd_sm(struct work_struct *w)
					&val);

			/* save the PDOs so userspace can further evaluate */
			memcpy(&pd->received_pdos, rx_msg->payload,
			memset(&pd->received_pdos, 0,
					sizeof(pd->received_pdos));
			memcpy(&pd->received_pdos, rx_msg->payload,
					min_t(size_t, rx_msg->data_len,
						sizeof(pd->received_pdos)));
			pd->src_cap_id++;

			usbpd_set_state(pd, PE_SNK_EVALUATE_CAPABILITY);
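Review bot: the clamp in `min_t(size_t, rx_msg->data_len, sizeof(pd->received_pdos))` accepts any byte count, so a data_len that is not a multiple of 4 leaves the last copied PDO as a mix of payload bytes and the zeros written by the memset, and `pd->src_cap_id++` still runs. The commit message gives 7 PDOs as 28 bytes, so each entry is 4 bytes; consider rounding the length down to a whole number of PDOs, or rejecting the message, before the copy. The memset also silently changes what userspace sees for unused slots (now zero rather than leftover bytes), which deserves a word in the comment above it, for example "unused entries are zeroed".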
@@ -2411,8 +2414,11 @@ static void usbpd_sm(struct work_struct *w)
	case PE_SNK_READY:
		if (IS_DATA(rx_msg, MSG_SOURCE_CAPABILITIES)) {
			/* save the PDOs so userspace can further evaluate */
			memcpy(&pd->received_pdos, rx_msg->payload,
			memset(&pd->received_pdos, 0,
					sizeof(pd->received_pdos));
			memcpy(&pd->received_pdos, rx_msg->payload,
					min_t(size_t, rx_msg->data_len,
						sizeof(pd->received_pdos)));
			pd->src_cap_id++;

			usbpd_set_state(pd, PE_SNK_EVALUATE_CAPABILITY);
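Review bot: the memset/memcpy/min_t sequence in this PE_SNK_READY branch is a verbatim copy of the one in the hunk at line 2302, so the length clamp now lives in two places and can drift the next time one of them is touched. Suggest moving it into a small static helper that takes pd and rx_msg and calling it from both sites. Also worth confirming in this branch: between the memset and the memcpy, pd->received_pdos is briefly all zeros, and the comment says userspace evaluates this buffer, so a reader that is not serialized against usbpd_sm could observe the empty state.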