cve/published/2024/CVE-2024-26995.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26995: usb: typec: tcpm: Correct the PDO counting in pd_set

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: typec: tcpm: Correct the PDO counting in pd_set

 Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are
 incorrectly added one. The index of the loop is equal to the number of
 PDOs to be updated when leaving the loop and it doesn't need to be added
 one.

 When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as
 the size of the local sink PDO array to match the Source capabilities
 of the partner port. If the off-by-one overflow occurs, a wrong RDO
 might be sent and unexpected power transfer might happen such as over
 voltage or over current (than expected).

 "nr_src_pdo" is used to set the Rp level when the port is in Source
 role. It is also the array size of the local Source capabilities when
 filling up the buffer which will be sent as the Source PDOs (such as
 in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp
 level might be set and wrong Source PDOs will be sent to the partner
 port. This could potentially cause over current or port resets.

 The Linux kernel CVE team has assigned CVE-2024-26995 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit cd099cde4ed264403b434d8344994f97ac2a4349 and fixed in 6.8.8 with commit f3da3192cdd3fefe213390e976eec424a8e270b5
 	Issue introduced in 6.8 with commit cd099cde4ed264403b434d8344994f97ac2a4349 and fixed in 6.9 with commit c4128304c2169b4664ed6fb6200f228cead2ab70

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26995
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/typec/tcpm/tcpm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f3da3192cdd3fefe213390e976eec424a8e270b5
 	https://git.kernel.org/stable/c/c4128304c2169b4664ed6fb6200f228cead2ab70
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26995: usb: typec: tcpm: Correct the PDO counting in pd_set

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: typec: tcpm: Correct the PDO counting in pd_set

	Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are
	incorrectly added one. The index of the loop is equal to the number of
	PDOs to be updated when leaving the loop and it doesn't need to be added
	one.

	When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as
	the size of the local sink PDO array to match the Source capabilities
	of the partner port. If the off-by-one overflow occurs, a wrong RDO
	might be sent and unexpected power transfer might happen such as over
	voltage or over current (than expected).

	"nr_src_pdo" is used to set the Rp level when the port is in Source
	role. It is also the array size of the local Source capabilities when
	filling up the buffer which will be sent as the Source PDOs (such as
	in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp
	level might be set and wrong Source PDOs will be sent to the partner
	port. This could potentially cause over current or port resets.

	The Linux kernel CVE team has assigned CVE-2024-26995 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit cd099cde4ed264403b434d8344994f97ac2a4349 and fixed in 6.8.8 with commit f3da3192cdd3fefe213390e976eec424a8e270b5
	Issue introduced in 6.8 with commit cd099cde4ed264403b434d8344994f97ac2a4349 and fixed in 6.9 with commit c4128304c2169b4664ed6fb6200f228cead2ab70

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26995
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/typec/tcpm/tcpm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f3da3192cdd3fefe213390e976eec424a8e270b5
	https://git.kernel.org/stable/c/c4128304c2169b4664ed6fb6200f228cead2ab70