[PATCH] usb: host: ehci-sched: Fix potential out-of-bounds access of bandwidth[]

[PATCH] usb: host: ehci-sched: Fix potential out-of-bounds access of bandwidth[]

[gerben]

From: Denis Rastyogin <gerben@altlinux.org>

The microframe index used to access the bandwidth array is not
properly bounded. Although it is masked to a limited range, subsequent
loop iterations can advance it beyond the end of the array, leading to
an out-of-bounds access.

This can happen when sitd_slot_ok() is called from iso_stream_schedule()
with period = stream->uperiod = 1024. In that case, the loop may reach
sitd_slot_ok() with start = 1981, resulting in uframe = 61. After three
iterations, the index exceeds the array bounds.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d0ce5c6b9208 ("USB: EHCI: use a bandwidth-allocation table")
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 drivers/usb/host/ehci-sched.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index a241337c9af8..d2bace03b8c9 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -1429,6 +1429,8 @@ sitd_slot_ok(
 		uf = uframe;
 		max_used = ehci->uframe_periodic_max - stream->ps.usecs;
 		for (tmp = stream->ps.cs_mask & 0xff; tmp; tmp >>= 1, uf++) {
+			if (uf >= EHCI_BANDWIDTH_SIZE)
+				return 0;
 			if (ehci->bandwidth[uf] > max_used)
 				return 0;
 		}
-- 
2.42.2

Re: [PATCH] usb: host: ehci-sched: Fix potential out-of-bounds access of bandwidth[]

[Alan Stern]

On Mon, May 04, 2026 at 02:43:40PM +0300, gerben@altlinux.org wrote:
> From: Denis Rastyogin <gerben@altlinux.org>
> 
> The microframe index used to access the bandwidth array is not
> properly bounded. Although it is masked to a limited range, subsequent
> loop iterations can advance it beyond the end of the array, leading to
> an out-of-bounds access.

I don't think so.

> This can happen when sitd_slot_ok() is called from iso_stream_schedule()
> with period = stream->uperiod = 1024. In that case, the loop may reach
> sitd_slot_ok() with start = 1981, resulting in uframe = 61. After three
> iterations, the index exceeds the array bounds.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: d0ce5c6b9208 ("USB: EHCI: use a bandwidth-allocation table")
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
>  drivers/usb/host/ehci-sched.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
> index a241337c9af8..d2bace03b8c9 100644
> --- a/drivers/usb/host/ehci-sched.c
> +++ b/drivers/usb/host/ehci-sched.c
> @@ -1429,6 +1429,8 @@ sitd_slot_ok(
>  		uf = uframe;
>  		max_used = ehci->uframe_periodic_max - stream->ps.usecs;
>  		for (tmp = stream->ps.cs_mask & 0xff; tmp; tmp >>= 1, uf++) {

You (and SVACE) missed the fact that the loop will end when tmp becomes 
0.  And thanks to this test earlier in the function:

	/* for OUT, don't wrap SSPLIT into H-microframe 7 */
	if (((stream->ps.cs_mask & 0xff) << (uframe & 7)) >= (1 << 7))
		return 0;

tmp will become 0 at or before the fourth iteration.

Alan Stern

> +			if (uf >= EHCI_BANDWIDTH_SIZE)
> +				return 0;
>  			if (ehci->bandwidth[uf] > max_used)
>  				return 0;
>  		}
> -- 
> 2.42.2