Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

USB: EHCI: Improve port index sanitizing

Now that Kees Cook has added a definition for HCS_N_PORTS_MAX in
commit 72dd1843232c ("USB: EHCI: Add register array bounds to HCS
ports"), the code in ehci_hub_control() which sanitizes port index
values can be improved a little.

The idea behind this change is that it prevents a possible
out-of-bounds pointer computation, which the compiler might be able to
detect since the port_status[] array now has a fixed length rather
than a variable length.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20211002190217.GA537967@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Alan Stern and committed by Greg Kroah-Hartman
846cbf98 ef53d3db

+6 -5
drivers/usb/host/ehci-hub.c
··· 745 745 unsigned selector; 746 746 747 747 /* 748 - * Avoid underflow while calculating (wIndex & 0xff) - 1. 749 - * The compiler might deduce that wIndex can never be 0 and then 750 - * optimize away the tests for !wIndex below. 748 + * Avoid out-of-bounds values while calculating the port index 749 + * from wIndex. The compiler doesn't like pointers to invalid 750 + * addresses, even if they are never used. 751 751 */ 752 - temp = wIndex & 0xff; 753 - temp -= (temp > 0); 752 + temp = (wIndex - 1) & 0xff; 753 + if (temp >= HCS_N_PORTS_MAX) 754 + temp = 0; 754 755 status_reg = &ehci->regs->port_status[temp]; 755 756 hostpc_reg = &ehci->regs->hostpc[temp]; 756 757
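
Review bot: the new comment above `temp = (wIndex - 1) & 0xff;` no longer says that an invalid wIndex still has to be rejected elsewhere, which the removed comment did by pointing at "the tests for !wIndex below". With wIndex == 0 the expression yields 0xff, the `if (temp >= HCS_N_PORTS_MAX)` clamp turns that into 0, and status_reg and hostpc_reg then point at the first port's registers, so correctness depends on those later tests refusing the request before either pointer is dereferenced. Suggest keeping one sentence in the comment to that effect, and noting that the clamp bounds temp to the length of the register array only, not to the number of ports this controller actually reports.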