[PATCH v4] usb: gadget: g_dnl: Fix NULLPTR dereference when serial# is unset

The current behaviour of this function will dereference a null pointer if the serial# environment variable is unset. This was discovered on a board where U-Boot did not have access to the first 256MB of RAM, resulting in a board crash. In the event that U-Boot has full access to memory, it will still read from address 0, which is probably not optimal. This simple check is enough to fix it.

Signed-off-by: Michael Ferolito <michaelsunn101@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
---
drivers/usb/gadget/g_dnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/g_dnl.c b/drivers/usb/gadget/g_dnl.c index 631969b340..f2540eb6de 100644 --- a/drivers/usb/gadget/g_dnl.c +++ b/drivers/usb/gadget/g_dnl.c @@ -207,7 +207,8 @@ void g_dnl_clear_detach(void) static int on_serialno(const char *name, const char *value, enum env_op op, int flags) { - g_dnl_set_serialnumber((char *)value); + if (value) + g_dnl_set_serialnumber((char *)value); return 0; } U_BOOT_ENV_CALLBACK(serialno, on_serialno);
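Review bot: the `if (value)` guard stops the NULL dereference, but it makes the callback silently ignore every NULL, including the one passed for `env_op_delete`: after the variable is deleted the function returns 0 without touching the stored serial number, so g_dnl keeps using the previous value. Either state in the commit message that keeping the stale value on delete is intended, or handle the delete explicitly, e.g. `if (op == env_op_delete || !value)` followed by resetting the serial number before `return 0;`. Minor: the `(char *)value` cast discarding const predates this patch, but since the line is being touched it is worth checking whether g_dnl_set_serialnumber() can take a `const char *`. The cover text below the `---` line should also carry a v1 to v4 changelog.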
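To make the failure mode and the fix concrete outside of U-Boot, here is an added host-side example (not code from the patch or from the U-Boot tree). It models the env callback with stand-in types: `enum env_op`, `MAX_STRING_SERIAL` and `model_set_serialnumber()` are assumptions that mimic the shape of U-Boot's `env_op`, the g_dnl serial buffer and `g_dnl_set_serialnumber()` only closely enough to show why a NULL `value` faults. The "after" callback goes one step beyond the patch by clearing the cached value on an explicit delete rather than keeping a stale one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-ins for the U-Boot environment-callback machinery so this example
 * builds on a host. These are assumptions for illustration, not U-Boot's
 * headers: U-Boot invokes the callback with value == NULL when the variable
 * is being deleted or has no value, which is exactly the case the patch hits.
 */
enum env_op { env_op_create, env_op_delete, env_op_overwrite };

#define MAX_STRING_SERIAL 32			/* constructed limit for the example */
static char serial_number[MAX_STRING_SERIAL + 1];

/* Model of g_dnl_set_serialnumber(): it copies the string, so a NULL pointer
 * is dereferenced right here (on the reporter's board address 0 was unmapped). */
static void model_set_serialnumber(char *s)
{
	strncpy(serial_number, s, MAX_STRING_SERIAL);
	serial_number[MAX_STRING_SERIAL] = '\0';
}

/* Before: the callback trusts value unconditionally (the '-' line of the patch). */
static int on_serialno_before(const char *name, const char *value,
			      enum env_op op, int flags)
{
	(void)name; (void)op; (void)flags;
	model_set_serialnumber((char *)value);	/* faults when value == NULL */
	return 0;
}

/* After: the patch's NULL guard, plus one step further than the patch:
 * an explicit delete clears the cached value instead of leaving a stale one. */
static int on_serialno_after(const char *name, const char *value,
			     enum env_op op, int flags)
{
	(void)name; (void)flags;
	if (op == env_op_delete || !value) {
		serial_number[0] = '\0';
		return 0;
	}
	model_set_serialnumber((char *)value);
	return 0;
}

/* Drive the hardened callback the way the env store would and report the
 * serial number it leaves behind, so the behaviour can be checked directly. */
const char *serial_after(const char *value, enum env_op op)
{
	on_serialno_after("serial#", value, op, 0);
	return serial_number;
}

/* Returns 1 when the hardened callback survives every NULL-bearing operation. */
int null_cases_survive(void)
{
	int ok = 1;

	ok &= on_serialno_after("serial#", NULL, env_op_create, 0) == 0;
	ok &= on_serialno_after("serial#", NULL, env_op_delete, 0) == 0;
	ok &= on_serialno_after("serial#", NULL, env_op_overwrite, 0) == 0;
	return ok;
}

int main(void)
{
	printf("set       -> \"%s\"\n", serial_after("ABC123", env_op_create));
	printf("overwrite -> \"%s\"\n", serial_after("XYZ789", env_op_overwrite));
	printf("delete    -> \"%s\"\n", serial_after(NULL, env_op_delete));
	printf("NULL cases survive: %d\n", null_cases_survive());
	/* on_serialno_before("serial#", NULL, env_op_delete, 0) would fault here;
	 * the unfixed callback is only safe while value is non-NULL. */
	(void)on_serialno_before("serial#", "LEGACY", env_op_create, 0);
	return 0;
}
```

The delete branch is the part a reviewer would look at: with the patch as posted, deleting `serial#` leaves the previously copied string in place, whereas the variant above empties it, which is the behaviour to pick if the gadget should stop reporting a serial number once the variable is gone.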

Hi Michael,
On 28.01.25 04:09, Michael Ferolito wrote:
The current behaviour of this function will dereference a null pointer if the serial# environment variable is unset. This was discovered on a board where U-Boot did not have access to the first 256MB of RAM, resulting in a board crash. In the event that U-Boot has full access to memory, it will still read from address 0, which is probably not optimal. This simple check is enough to fix it.

Signed-off-by: Michael Ferolito <michaelsunn101@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
---
drivers/usb/gadget/g_dnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Nitpick: A changelog would be nice to get an idea what has changed from version to version ...
diff --git a/drivers/usb/gadget/g_dnl.c b/drivers/usb/gadget/g_dnl.c index 631969b340..f2540eb6de 100644 --- a/drivers/usb/gadget/g_dnl.c +++ b/drivers/usb/gadget/g_dnl.c @@ -207,7 +207,8 @@ void g_dnl_clear_detach(void) static int on_serialno(const char *name, const char *value, enum env_op op, int flags) {
- g_dnl_set_serialnumber((char *)value);
- if (value)
return 0; } U_BOOT_ENV_CALLBACK(serialno, on_serialno);g_dnl_set_serialnumber((char *)value);
Good catch!
Reviewed-by: Heiko Schocher hs@denx.de
bye, Heiko

Hi Michael,
Thank you for the patch.
On Mon., Jan. 27, 2025 at 21:09, Michael Ferolito <michaelsunn101@gmail.com> wrote:
The current behaviour of this function will dereference a null pointer if the serial# environment variable is unset. This was discovered on a board where U-Boot did not have access to the first 256MB of RAM, resulting in a board crash. In the event that U-Boot has full access to memory, it will still read from address 0, which is probably not optimal. This simple check is enough to fix it.

Signed-off-by: Michael Ferolito <michaelsunn101@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>

Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>

drivers/usb/gadget/g_dnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/g_dnl.c b/drivers/usb/gadget/g_dnl.c index 631969b340..f2540eb6de 100644 --- a/drivers/usb/gadget/g_dnl.c +++ b/drivers/usb/gadget/g_dnl.c @@ -207,7 +207,8 @@ void g_dnl_clear_detach(void) static int on_serialno(const char *name, const char *value, enum env_op op, int flags) {
- g_dnl_set_serialnumber((char *)value);
- if (value)
return 0;g_dnl_set_serialnumber((char *)value);
} U_BOOT_ENV_CALLBACK(serialno, on_serialno); -- 2.48.1

Are there any other action items I should take care of?
On Tue, Jan 28, 2025 at 3:40 AM Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:
Hi Michael,
Thank you for the patch.
On Mon., Jan. 27, 2025 at 21:09, Michael Ferolito <michaelsunn101@gmail.com> wrote:
The current behaviour of this function will dereference a null pointer if the serial# environment variable is unset. This was discovered on a board where U-Boot did not have access to the first 256MB of RAM, resulting in a board crash. In the event that U-Boot has full access to memory, it will still read from address 0, which is probably not optimal. This simple check is enough to fix it.

Signed-off-by: Michael Ferolito <michaelsunn101@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>

Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>

drivers/usb/gadget/g_dnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/g_dnl.c b/drivers/usb/gadget/g_dnl.c index 631969b340..f2540eb6de 100644 --- a/drivers/usb/gadget/g_dnl.c +++ b/drivers/usb/gadget/g_dnl.c @@ -207,7 +207,8 @@ void g_dnl_clear_detach(void) static int on_serialno(const char *name, const char *value, enum env_op op, int flags) {
g_dnl_set_serialnumber((char *)value);
if (value)
g_dnl_set_serialnumber((char *)value); return 0;
} U_BOOT_ENV_CALLBACK(serialno, on_serialno); -- 2.48.1