Skip to content
Snippets Groups Projects
Commit 5253aded authored by Stefan Brüns's avatar Stefan Brüns Committed by Marek Vasut
Browse files

usb: dwc2: avoid out of bounds access 


flush_dcache_range may access data after priv->aligned_buffer end if
len > DWC2_DATA_BUF_SIZE.
memcpy may access data after buffer end if done > 0

Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
Acked-by: default avatarMarek Vasut <marex@denx.de>
Acked-by: default avatarStephen Warren <swarren@wwwdotorg.org>
parent c75f57fb
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 4 additions and 3 deletions
drivers/usb/host/dwc2.c
+ 4
3
View file @ 5253aded
...@@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev, ...@@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
(*pid << DWC2_HCTSIZ_PID_OFFSET), (*pid << DWC2_HCTSIZ_PID_OFFSET),
&hc_regs->hctsiz); &hc_regs->hctsiz);
if (!in) { if (!in && xfer_len) {
memcpy(priv->aligned_buffer, (char *)buffer + done, len); memcpy(priv->aligned_buffer, (char *)buffer + done,
xfer_len);
flush_dcache_range((unsigned long)priv->aligned_buffer, flush_dcache_range((unsigned long)priv->aligned_buffer,
(unsigned long)((void *)priv->aligned_buffer + (unsigned long)((void *)priv->aligned_buffer +
roundup(len, ARCH_DMA_MINALIGN))); roundup(xfer_len, ARCH_DMA_MINALIGN)));
} }
writel(phys_to_bus((unsigned long)priv->aligned_buffer), writel(phys_to_bus((unsigned long)priv->aligned_buffer),
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Imprint & Privacy Policy