Re: function ehci_hub_control in ehci-hub.c

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 1 Apr 2016, Navin P.S wrote:

> Hi,
> 
> I was looking at the bug https://bugzilla.kernel.org/show_bug.cgi?id=112171
> which says
> 
> Feb 08 22:58:56 x kernel: UBSAN: Undefined behaviour in
> drivers/usb/host/ehci-hub.c:873:47
> Feb 08 22:58:56 x kernel: index -1 is out of range for type 'u32 [1]'
> 
> 
> 
> I'm suspective the ehci-tegra function ehci-tegra.c:291 calling with
> wIndex as 0 .
> 
> I'm not sure if that is even possible .So i ask in this list ? Can
> someone give pointers ?

Yes, it is possible.  tegra_ehci_hub_control() needs to verify that 
wIndex > 0 before using status_reg.  Would you like to write a patch to 
fix this?

Alan Stern


> In the below function we are supposed to assume that wIndex is > 0 and
> less than or equal to 0xff.
> 
> If you look at ehci_hub_control function there are only 3 callers two
> in ehci-hub.c and ehci-tegra.c
> 
> Look at the while(port--) lop in ehci-hub.c i assume that port cannot
> be 0xff since we do HCS_N_PORTS which can be maximum 0xf and it cannot
> call wIndex with value 0 since in that case port would be 0 and the
> while wouldn't enter.
> 
> 
> ehci-hub.c:96: ehci_hub_control(hcd, SetPortFeature,
> ehci-hub.c-97- USB_PORT_FEAT_RESET, port + 1,
> ehci-hub.c-98- NULL, 0);
> --
> ehci-hub.c:114: ehci_hub_control(hcd, GetPortStatus,
> ehci-hub.c-115- 0, port + 1,
> ehci-hub.c-116- (char *) &buf, sizeof(buf));
> --
> ehci-hub.c:865:int ehci_hub_control(
> ehci-hub.c-866- struct usb_hcd *hcd,
> ehci-hub.c-867- u16 typeReq,
> --
> ehci-tegra.c:184:static int tegra_ehci_hub_control(
> ehci-tegra.c-185- struct usb_hcd *hcd,
> ehci-tegra.c-186- u16 typeReq,
> --
> ehci-tegra.c:291: return ehci_hub_control(hcd, typeReq, wValue,
> wIndex, buf, wLength);
> ehci-tegra.c-292-
> ehci-tegra.c-293-done:
> 
> 
> Regards,
> Navin
> --
> To unsubscribe from this list: send the line "unsubscribe linux-usb" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux