{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-46980","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-27T18:42:55.945Z","datePublished":"2024-02-28T08:13:10.357Z","dateUpdated":"2025-05-04T07:01:39.641Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:01:39.641Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[  151.545106][   T70] Unexpected kernel BRK exception at EL1\n[  151.545112][   T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[  151.545499][   T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[  151.545507][   T70] lr : power_supply_show_property+0xc0/0x328\n...\n[  151.545542][   T70] Call trace:\n[  151.545544][   T70]  ucsi_psy_get_prop+0x208/0x20c\n[  151.545546][   T70]  power_supply_uevent+0x1a4/0x2f0\n[  151.545550][   T70]  dev_uevent+0x200/0x384\n[  151.545555][   T70]  kobject_uevent_env+0x1d4/0x7e8\n[  151.545557][   T70]  power_supply_changed_work+0x174/0x31c\n[  151.545562][   T70]  process_one_work+0x244/0x6f0\n[  151.545564][   T70]  worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/typec/ucsi/ucsi.c","drivers/usb/typec/ucsi/ucsi.h"],"versions":[{"version":"4dbc6a4ef06d6a79ff91be6fc2e90f8660031ce0","lessThan":"e5366bea0277425e1868ba20eeb27c879d5a6e2d","status":"affected","versionType":"git"},{"version":"4dbc6a4ef06d6a79ff91be6fc2e90f8660031ce0","lessThan":"a453bfd7ef15fd9d524004d3ca7b05353a302911","status":"affected","versionType":"git"},{"version":"4dbc6a4ef06d6a79ff91be6fc2e90f8660031ce0","lessThan":"5e9c6f58b01e6fdfbc740390c01f542a35c97e57","status":"affected","versionType":"git"},{"version":"4dbc6a4ef06d6a79ff91be6fc2e90f8660031ce0","lessThan":"1f4642b72be79757f050924a9b9673b6a02034bc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/typec/ucsi/ucsi.c","drivers/usb/typec/ucsi/ucsi.h"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.38","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.11.22","lessThanOrEqual":"5.11.*","status":"unaffected","versionType":"semver"},{"version":"5.12.5","lessThanOrEqual":"5.12.*","status":"unaffected","versionType":"semver"},{"version":"5.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.11.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.12.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d"},{"url":"https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911"},{"url":"https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57"},{"url":"https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc"}],"title":"usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-46980","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-02-28T20:37:53.449326Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:13:09.787Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:24:37.898Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc","tags":["x_transferred"]}]}]}}