Message-ID: <aVerkZPY-z-NjPPk@hovoldconsulting.com>
Date: Fri, 2 Jan 2026 12:27:13 +0100
From: Johan Hovold <johan@...nel.org>
To: Ivan Orlov <ivan.orlov0322@...il.com>
Cc: heikki.krogerus@...ux.intel.com, gregkh@...uxfoundation.org,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
pooja.katiyar@...el.com
Subject: Re: [PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common
On Fri, Dec 26, 2025 at 10:30:53PM +0000, Ivan Orlov wrote:
> Before 'ucsi_acknowledge' calls 'ucsi_sync_control_common', it sets
> 'message_in_size' to 0. However, if 'ucsi_register_device_pdos' was
> called after 'message_in_size' was set to 0, but before
>
> if (!ret && ucsi->message_in_size > 0 && *cci & ...)
>
> condition is evaluated, 'ucsi_sync_control_common' ends up dereferencing
> 'cci' which points to NULL. This is precisely what I'm observing on my
> Framework 16 laptop on the latest mainline kernel build.
>
> I don't see any synchronization primitives used to protect 'ucsi', so
> I presume just checking that 'cci' is not null here should fix the
> problem. It seems like prior to commit 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields"),
> the 'data' argument was checked in this condition, and it was always set to
> NULL from 'ucsi_acknowledge'. Thus, this problem did not exist.
>
> Fixes: 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields")
> Signed-off-by: Ivan Orlov <ivan.orlov0322@...il.com>
This has been fixed in rc3 by reverting the offending commit:
https://lore.kernel.org/lkml/20251222152204.2846-1-johan@kernel.org/
Johan
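A constructed C model of the ordering Ivan describes and of the NULL check his patch proposes, placed beside the unchecked form. This is an added example, not the kernel's ucsi code or the patch itself: the struct, the function names and the CCI bit value are simplified stand-ins.

```c
/* Constructed model of the race in the report; not the kernel's ucsi driver.
 * Names mirror the report, bodies are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed placeholder for the command-complete bit in the CCI word. */
#define CCI_COMMAND_COMPLETE (1u << 29)

struct ucsi {
    size_t message_in_size; /* shared field, unprotected on the reported path */
};

/* Stand-in for ucsi_register_device_pdos racing in between the zeroing
 * and the condition check, leaving a non-zero message_in_size behind. */
static void racing_register_pdos(struct ucsi *ucsi)
{
    ucsi->message_in_size = 16;
}

/* The condition quoted in the report: 'cci' is dereferenced unconditionally,
 * so a caller that passes NULL (ucsi_acknowledge) crashes once size > 0. */
static bool read_message_in_unchecked(const struct ucsi *ucsi, int ret,
                                      const uint32_t *cci)
{
    return !ret && ucsi->message_in_size > 0 && (*cci & CCI_COMMAND_COMPLETE);
}

/* The proposed shape: test the pointer before dereferencing it. */
static bool read_message_in_checked(const struct ucsi *ucsi, int ret,
                                    const uint32_t *cci)
{
    return !ret && ucsi->message_in_size > 0 && cci &&
           (*cci & CCI_COMMAND_COMPLETE);
}

/* Reproduces the reported ordering with a NULL 'cci': acknowledge zeroes the
 * size, the racing path sets it again, then the condition is evaluated.
 * Only the checked form can be called safely here; the unchecked one faults. */
static bool race_scenario_checked(void)
{
    struct ucsi ucsi = { .message_in_size = 0 }; /* ucsi_acknowledge zeroes it */
    racing_register_pdos(&ucsi);                 /* the race window */
    return read_message_in_checked(&ucsi, 0, NULL);
}

/* Normal path with a valid 'cci': behaviour of both forms is identical. */
static bool normal_scenario(uint32_t cci_value)
{
    struct ucsi ucsi = { .message_in_size = 16 };
    return read_message_in_unchecked(&ucsi, 0, &cci_value) ==
           read_message_in_checked(&ucsi, 0, &cci_value) &&
           read_message_in_checked(&ucsi, 0, &cci_value);
}
```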