[PATCH] USB: EHCI: Improve port index sanitizing


 



Now that Kees Cook has added a definition for HCS_N_PORTS_MAX in
commit 72dd1843232c ("USB: EHCI: Add register array bounds to HCS
ports"), the code in ehci_hub_control() which sanitizes port index
values can be improved a little.

The idea behind this change is that it prevents a possible
out-of-bounds pointer computation, which the compiler might be able to
detect since the port_status[] array now has a fixed length rather
than a variable length.

Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>

---


[as1965]


 drivers/usb/host/ehci-hub.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Index: usb-devel/drivers/usb/host/ehci-hub.c
===================================================================
--- usb-devel.orig/drivers/usb/host/ehci-hub.c
+++ usb-devel/drivers/usb/host/ehci-hub.c
@@ -745,12 +745,13 @@ int ehci_hub_control(
 	unsigned	selector;
 
 	/*
-	 * Avoid underflow while calculating (wIndex & 0xff) - 1.
-	 * The compiler might deduce that wIndex can never be 0 and then
-	 * optimize away the tests for !wIndex below.
+	 * Avoid out-of-bounds values while calculating the port index
+	 * from wIndex.  The compiler doesn't like pointers to invalid
+	 * addresses, even if they are never used.
 	 */
-	temp = wIndex & 0xff;
-	temp -= (temp > 0);
+	temp = (wIndex - 1) & 0xff;
+	if (temp >= HCS_N_PORTS_MAX)
+		temp = 0;
 	status_reg = &ehci->regs->port_status[temp];
 	hostpc_reg = &ehci->regs->hostpc[temp];
 
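Review bot: The rewritten comment above `temp = (wIndex - 1) & 0xff;` drops the wIndex == 0 case that the old comment called out, and it does not say that the clamp exists only to keep the pointer computation in bounds. With the new lines, wIndex == 0 wraps to 0xff and is then reset to 0 by `if (temp >= HCS_N_PORTS_MAX)`, so `status_reg` and `hostpc_reg` silently point at the first port's registers for every out-of-range index. Suggest stating in the comment that temp = 0 is a placeholder and not a validated port, and that the wIndex tests further down (the ones the old comment referred to) remain the actual validation. The mask also now applies after the subtraction instead of before; for a nonzero low byte the result is unchanged, but a short mention would save readers from re-deriving that.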


