Open Source and information security mailing list archives
 
Message-ID: <20251226223054.5565-1-ivan.orlov0322@gmail.com>
Date: Fri, 26 Dec 2025 22:30:53 +0000
From: Ivan Orlov <ivan.orlov0322@...il.com>
To: heikki.krogerus@...ux.intel.com,
	gregkh@...uxfoundation.org
Cc: Ivan Orlov <ivan.orlov0322@...il.com>,
	linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	pooja.katiyar@...el.com
Subject: [PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common

Before 'ucsi_acknowledge' calls 'ucsi_sync_control_common', it sets
'message_in_size' to 0. However, if 'ucsi_register_device_pdos' was
called after 'message_in_size' was set to 0, but before

  if (!ret && ucsi->message_in_size > 0 && *cci & ...)

the condition is evaluated, 'ucsi_sync_control_common' ends up dereferencing
'cci', which points to NULL. This is precisely what I'm observing on my
Framework 16 laptop on the latest mainline kernel build.

I don't see any synchronization primitives used to protect 'ucsi', so
I presume just checking that 'cci' is not null here should fix the
problem. It seems like prior to commit 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields"),
the 'data' argument was checked in this condition, and it was always set to
NULL from 'ucsi_acknowledge'. Thus, this problem did not exist.

Fixes: 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields")
Signed-off-by: Ivan Orlov <ivan.orlov0322@...il.com>
---
 drivers/usb/typec/ucsi/ucsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 9b3df776137a..7d1f2a702d90 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -98,7 +98,7 @@ int ucsi_sync_control_common(struct ucsi *ucsi, u64 command, u32 *cci)
 		ret = ucsi->ops->read_cci(ucsi, cci);
 
 	if (!ret && ucsi->message_in_size > 0 &&
-	    (*cci & UCSI_CCI_COMMAND_COMPLETE))
+	    cci && (*cci & UCSI_CCI_COMMAND_COMPLETE))
 		ret = ucsi->ops->read_message_in(ucsi, ucsi->message_in,
 						 ucsi->message_in_size);
 
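Review bot: the added `cci &&` guard stops the dereference, but the commit message itself names the root cause as an unsynchronized update of `ucsi->message_in_size` between `ucsi_acknowledge` (which sets it to 0) and `ucsi_register_device_pdos`; with this hunk, when that race leaves `cci == NULL` and `message_in_size > 0`, the function now silently skips `read_message_in` and returns `ret == 0`, so the caller sees success although no message was read. Please add a short comment on the condition explaining why `cci` may legitimately be NULL here (the `read_cci` call above is indented as if it already sits under such a guard, so the new check is consistent with it), and state in the commit message that the data race on `message_in_size` is not addressed by this change so a follow-up can add the missing serialization.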
-- 
2.43.0
