Linux Kernel UCSI Connector Number Validation Vulnerability

A vulnerability in the Linux kernel's USB Type-C UCSI (USB Type-C Connector Interface) implementation allows for out-of-bounds array access. This issue arises because the connector number, a 7-bit field used to index into a connector array, can be reported by a malicious or malfunctioning device. The array is only allocated for the number of connectors the device reports, typically 2-4 entries. The vulnerability has been addressed by adding a bounds check to validate connector numbers before they are processed, preventing improper values from causing array access violations.

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing a denial-of-service condition or allowing for arbitrary memory manipulation.

Reproduction

The vulnerability can be reproduced by simulating a device that reports an out-of-range connector number through the UCSI Connector Change Indicator (CCI). This will cause the UCSI notification handler to attempt to access an invalid index in the connector array, leading to an out-of-bounds access.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree.