From 846cbf98cbef20376b1a95fa3734c435543f3519 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Sat, 2 Oct 2021 15:02:17 -0400 Subject: USB: EHCI: Improve port index sanitizing Now that Kees Cook has added a definition for HCS_N_PORTS_MAX in commit 72dd1843232c ("USB: EHCI: Add register array bounds to HCS ports"), the code in ehci_hub_control() which sanitizes port index values can be improved a little. The idea behind this change is that it prevents a possible out-of-bounds pointer computation, which the compiler might be able to detect since the port_status[] array now has a fixed length rather than a variable length. Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20211002190217.GA537967@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/ehci-hub.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'drivers/usb/host') diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c index c4f6a2559a98..efe30e3be22f 100644 --- a/drivers/usb/host/ehci-hub.c +++ b/drivers/usb/host/ehci-hub.c @@ -745,12 +745,13 @@ int ehci_hub_control( unsigned selector; /* - * Avoid underflow while calculating (wIndex & 0xff) - 1. - * The compiler might deduce that wIndex can never be 0 and then - * optimize away the tests for !wIndex below. + * Avoid out-of-bounds values while calculating the port index + * from wIndex. The compiler doesn't like pointers to invalid + * addresses, even if they are never used. */ - temp = wIndex & 0xff; - temp -= (temp > 0); + temp = (wIndex - 1) & 0xff; + if (temp >= HCS_N_PORTS_MAX) + temp = 0; status_reg = &ehci->regs->port_status[temp]; hostpc_reg = &ehci->regs->hostpc[temp]; -- cgit v1.2.3