{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T20:08:53.562","vulnerabilities":[{"cve":{"id":"CVE-2021-46980","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-02-28T09:15:37.273","lastModified":"2024-12-31T16:06:11.213","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[  151.545106][   T70] Unexpected kernel BRK exception at EL1\n[  151.545112][   T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[  151.545499][   T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[  151.545507][   T70] lr : power_supply_show_property+0xc0/0x328\n...\n[  151.545542][   T70] Call trace:\n[  151.545544][   T70]  ucsi_psy_get_prop+0x208/0x20c\n[  151.545546][   T70]  power_supply_uevent+0x1a4/0x2f0\n[  151.545550][   T70]  dev_uevent+0x200/0x384\n[  151.545555][   T70]  kobject_uevent_env+0x1d4/0x7e8\n[  151.545557][   T70]  power_supply_changed_work+0x174/0x31c\n[  151.545562][   T70]  process_one_work+0x244/0x6f0\n[  151.545564][   T70]  worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: ucsi: recupera todos los PDO en lugar de solo los primeros 4 commits 4dbc6a4ef06d (\"usb: typec: ucsi: guarda objetos de datos de energía en modo PD\") introdujo la recuperación de los PDO cuando se conectan a una fuente compatible con PD. Pero solo se reciben los primeros 4 PDO, ya que ese es el número máximo que se puede recuperar a la vez dada la limitación de longitud de MESSAGE_IN (16 bytes). Sin embargo, según las especificaciones de PD, una fuente conectada puede anunciar hasta un máximo de 7 PDO. Si dicha fuente está conectada, es posible que el PPM haya negociado un contrato de energía con uno de los PDO con un índice mayor que 4, y se reflejaría en el campo de posición del objeto del objeto de datos de solicitud (RDO). Esto daría como resultado un acceso fuera de los límites cuando se usa rdo_index() para indexar en la matriz src_pdos en ucsi_psy_get_voltage_now(). Con la ayuda del verificador UBSAN -fsanitize=array-bounds habilitado, este problema exacto se revela cuando se conecta a un adaptador de fuente PD que anuncia 5 PDO y el PPM firma un contrato después de seleccionar el quinto. [ 151.545106][ T70] Excepción inesperada de BRK del kernel en EL1 [ 151.545112][ T70] Error interno: controlador BRK: f2005512 [#1] SMP PREEMPT ... [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c [ 151.545507 ] [ T70] lr : power_supply_show_property+0xc0/0x328 ... [ 151.545542][ T70] Rastreo de llamadas: [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c [ 151.545546][ T70] power_supply_uevent+0x1a4/0x 2f0 [151.545550][T70] dev_uevent+0x200/0x384 [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8 [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c [ 151.545562][ T70] Process_one_work+0x244/0 x6f0 [ 151.545564][ T70] work_thread+0x3e0/0xa64 Nosotros Puede resolver esto recuperando y almacenando hasta un máximo de 7 PDO en la matriz con->src_pdos. Esto implicaría dos llamadas al comando GET_PDOS."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.38","matchCriteriaId":"48EEEAD2-D08A-422C-8830-6CCF86E89E64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.11.22","matchCriteriaId":"83B53E9A-F426-4C03-9A5F-A931FF79827E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.12.5","matchCriteriaId":"0274929A-B36C-4F4C-AB22-30A0DD6B995B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*","matchCriteriaId":"0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}