usb: chipidea: host: Improve port index sanitizing

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Coverity from Synopsys complains "Illegal address computation (OVERRUN)"
on status_reg.

After below code executed,

port_index = wIndex & 0xff;
port_index -= (port_index > 0);

the static analysis tool see the value of port_index is now between 0 and
254 (inclusive).

However, ehci_def.h define port_status as below:

#define HCS_N_PORTS_MAX 15
u32 port_status[HCS_N_PORTS_MAX];

So the tool think illegal array pointer may be obtained.

status_reg = &ehci->regs->port_status[port_index];

This will follow "846cbf98cbef USB: EHCI: Improve port index sanitizing" to
improve port index sanitizing.

Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20241202083453.704533-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Xu Yang and committed by

Greg Kroah-Hartman 1 year ago 990c2a26 04d5b4c2

+8 -2

1 changed file

expand all

drivers

usb

chipidea

host.c

+8 -2

drivers/usb/chipidea/host.c

··· 256 256 struct device *dev = hcd->self.controller; 257 257 struct ci_hdrc *ci = dev_get_drvdata(dev); 258 258 259 - port_index = wIndex & 0xff; 260 - port_index -= (port_index > 0); 259 + /* 260 + * Avoid out-of-bounds values while calculating the port index 261 + * from wIndex. The compiler doesn't like pointers to invalid 262 + * addresses, even if they are never used. 263 + */ 264 + port_index = (wIndex - 1) & 0xff; 265 + if (port_index >= HCS_N_PORTS_MAX) 266 + port_index = 0; 261 267 status_reg = &ehci->regs->port_status[port_index]; 262 268 263 269 spin_lock_irqsave(&ehci->lock, flags);