usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

JIRA: https://issues.redhat.com/browse/RHEL-72346
CVE: CVE-2024-53203

commit e56aac6
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date: Mon, 11 Nov 2024 14:08:06 +0300

  The "command" variable can be controlled by the user via debugfs.  The
  worry is that if con_index is zero then "&uc->ucsi->connector[con_index
  - 1]" would be an array underflow.

  Fixes: 170a672 ("usb: typec: ucsi: add support for separate DP altmode devices")
  Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
  Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
  Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.mountain
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Desnes Nunes <desnesn@redhat.com>

Author: Desnes Nunes

drivers/usb/typec/ucsi/ucsi_ccg.c

@@ -644,13 +644,18 @@ static int ucsi_ccg_sync_control(struct ucsi *ucsi, u64 command)
 	    uc->has_multiple_dp) {
 		con_index = (uc->last_cmd_sent >> 16) &
 			UCSI_CMD_CONNECTOR_MASK;
+		if (con_index == 0) {
+			ret = -EINVAL;
+			goto unlock;
+		}
 		con = &uc->ucsi->connector[con_index - 1];
 		ucsi_ccg_update_set_new_cam_cmd(uc, con, &command);
 	}
 
 	ret = ucsi_sync_control_common(ucsi, command);
 
 	pm_runtime_put_sync(uc->dev);
+unlock:
 	mutex_unlock(&uc->lock);
 
 	return ret;