[U-Boot] [PATCH v2] usb: dwc2: avoid out of bounds access

flush_dcache_range may access data after priv->aligned_buffer end if len > DWC2_DATA_BUF_SIZE.
memcpy may access data after buffer end if done > 0

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Acked-by: Marek Vasut <marex@denx.de>
Acked-by: Stephen Warren <swarren@wwwdotorg.org>
---
v2: Added Acked-by: ...
drivers/usb/host/dwc2.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/host/dwc2.c b/drivers/usb/host/dwc2.c index 541c0f9..5ef6deb 100644 --- a/drivers/usb/host/dwc2.c +++ b/drivers/usb/host/dwc2.c @@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev, (*pid << DWC2_HCTSIZ_PID_OFFSET), &hc_regs->hctsiz);
- if (!in) { - memcpy(priv->aligned_buffer, (char *)buffer + done, len); + if (!in && xfer_len) { + memcpy(priv->aligned_buffer, (char *)buffer + done, + xfer_len);
flush_dcache_range((unsigned long)priv->aligned_buffer, (unsigned long)((void *)priv->aligned_buffer + - roundup(len, ARCH_DMA_MINALIGN))); + roundup(xfer_len, ARCH_DMA_MINALIGN))); }
writel(phys_to_bus((unsigned long)priv->aligned_buffer),
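
Review bot: In the `if (!in && xfer_len)` block, the memcpy length and the flush range both now depend on `xfer_len`, but nothing in this hunk shows that `xfer_len` has been limited to the size of `priv->aligned_buffer` or to the bytes remaining in `buffer` after `done`. If that clamp happens earlier in chunk_msg(), a short comment here pointing at it, or an explicit check against DWC2_DATA_BUF_SIZE, would make the bound reviewable in place. Separately, the flush end is `roundup(xfer_len, ARCH_DMA_MINALIGN)`, which stays inside the buffer only if the buffer size is itself a multiple of ARCH_DMA_MINALIGN; that assumption is worth stating in a comment next to the flush.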

On Tuesday, December 22, 2015 at 01:21:48 AM, Stefan Brüns wrote:
flush_dcache_range may access data after priv->aligned_buffer end if len > DWC2_DATA_BUF_SIZE.
memcpy may access data after buffer end if done > 0

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Acked-by: Marek Vasut <marex@denx.de>
Acked-by: Stephen Warren <swarren@wwwdotorg.org>

Applied, thanks.

Best regards,
Marek Vasut