Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3384655pxb; Mon, 17 Jan 2022 19:14:39 -0800 (PST) X-Google-Smtp-Source: ABdhPJwRmqM3V35l8Q5FqT4812BsMeAXuZO7yvnCxHNvmM4MeF1onTJsxN2xdo8OezuQt7d/CblX X-Received: by 2002:a63:6987:: with SMTP id e129mr12145311pgc.37.1642475678884; Mon, 17 Jan 2022 19:14:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642475678; cv=none; d=google.com; s=arc-20160816; b=xf/wSWJ+eL3gsIxmJg2qYVBFNa5e/Jub6bdiqf+C8kzTZT8EamffEIm81Xlay9jTmr pbsJMc/5FP26EMqMJ5/YykocJnDKIwphJeDxxKA3t7iS9RA6rtKk8xj0lKHFGfcfh7my iM0GH5ib0e1La9yJ/E6WZaAs5H8gOhGrZRkLV3mgz4p2QAHh+Oe8Z4OaiqQpKEn5ukN1 PkrjDFSy4FQ/R99WZjds7/RuuJvnbcvxBiOx5efXy3wBySsqxndzPbG3S2CrfHpb8etR uKiMkA56ZNyFOIv2hst5PWNCEAepxtuF+RKpzMg/hhRa2KQZpSU++jhwxED2y6jzWcBr gFLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=zdeErvBCNyUsFzoN7+sz675X0U1lc4MEILt69ZoYpPU=; b=g8N5xVPJjqwgEh6gNfFchCtuJ5z0ZgrdZKZc1GIkbLtoElidQJPSiHvyyG50ertYmq hDYO5nO3QTxcmaN3nK43cngklB7xNHLr+2UeOq9ToXa3UH4rKshOVS7ZGw/9bgXfGfrP esa+VIlHRq9Vr93/PX5ZsNYHTgwdXUWo9b/9twDKs0FMDzzGHQeOJQSELB+fuaoxxP2g Ui95+VeLjnLDNqufRocSv3UHycxIhVfS/WwjbBrVV26pacAHShA+a2ALUp4aSpdOE/Dq Nyt6ZCrlof33/nuHUpHD2O4agZu+usZZ67boF+eiyURuejp+mV6avGkRCDYxgcAMbc69 lyeg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Xt9m11UX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o1si1176144pjs.68.2022.01.17.19.14.16; Mon, 17 Jan 2022 19:14:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Xt9m11UX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245331AbiARCXj (ORCPT + 99 others); Mon, 17 Jan 2022 21:23:39 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:35802 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244570AbiARCVb (ORCPT ); Mon, 17 Jan 2022 21:21:31 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B791BB81232; Tue, 18 Jan 2022 02:21:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 98699C36AF4; Tue, 18 Jan 2022 02:21:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1642472488; bh=K/eWSfljgcMu7/mLCM+m/uhl8K632G9yFcOz1ichPVw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Xt9m11UXPoYhu765reNUtr7M/72l0NfdWcumSarS0873xTC8PNiHxMi3xujSlNcgM 5sJt2ty1MJViHn/J7OfiP9xGjiFyLs1m86uzNEjvwMH1iV+hnUSU9E8pl+9LWe/JjD PgjEk2Jx0RCWJQArSvVLHfwiL2ueLgoS0VY8oQ8mfHBl+FrsbWcluLWULRcUlq3PbW gqrL/61+KtsfZU//Ng3gShy3WYTWSz5Tefxt5tf2e7o5mZhOqhaA6SJVyn/tvL++sv gc2edF6kIn6x3LQ5Ny+0PHA0wksoaQY6Tf1Pmnlrt17ycErzvS59ACnOemGsRTaEnC sXFzH9p5UiA8Q== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Haimin Zhang , TCS Robot , Alan Stern , Greg Kroah-Hartman , Sasha Levin , alcooperx@gmail.com, linux-usb@vger.kernel.org, bcm-kernel-feedback-list@broadcom.com Subject: [PATCH AUTOSEL 5.16 030/217] USB: ehci_brcm_hub_control: Improve port index sanitizing Date: Mon, 17 Jan 2022 21:16:33 -0500 Message-Id: <20220118021940.1942199-30-sashal@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220118021940.1942199-1-sashal@kernel.org> References: <20220118021940.1942199-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haimin Zhang [ Upstream commit 9933698f6119886c110750e67c10ac66f12b730f ] Due to (wIndex & 0xff) - 1 can get an integer greater than 15, this can cause array index to be out of bounds since the size of array port_status is 15. This change prevents a possible out-of-bounds pointer computation by forcing the use of a valid port number. Reported-by: TCS Robot Signed-off-by: Haimin Zhang Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20211113165320.GA59686@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/host/ehci-brcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/ehci-brcm.c b/drivers/usb/host/ehci-brcm.c index d3626bfa966b4..6a0f64c9e5e88 100644 --- a/drivers/usb/host/ehci-brcm.c +++ b/drivers/usb/host/ehci-brcm.c @@ -62,8 +62,12 @@ static int ehci_brcm_hub_control( u32 __iomem *status_reg; unsigned long flags; int retval, irq_disabled = 0; + u32 temp; - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; + temp = (wIndex & 0xff) - 1; + if (temp >= HCS_N_PORTS_MAX) /* Avoid index-out-of-bounds warning */ + temp = 0; + status_reg = &ehci->regs->port_status[temp]; /* * RESUME is cleared when GetPortStatus() is called 20ms after start -- 2.34.1