[U-Boot] [PATCH 1/6] usb: dwc2: avoid out of bounds access
Stephen Warren
swarren at wwwdotorg.org
Wed Dec 16 03:58:48 CET 2015
On 12/12/2015 09:17 PM, Stefan Brüns wrote:
> flush_dcache_range may access data after priv->aligned_buffer end if
> len > DWC2_DATA_BUF_SIZE.
> memcpy may access data after buffer end if done > 0
Acked-by: Stephen Warren <swarren at wwwdotorg.org>
Uggh; icky bug:-(
> @@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
> (*pid << DWC2_HCTSIZ_PID_OFFSET),
> &hc_regs->hctsiz);
>
> - if (!in) {
> - memcpy(priv->aligned_buffer, (char *)buffer + done, len);
> + if (!in && xfer_len) {
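Review bot: the `xfer_len` test added in `if (!in && xfer_len)` is not explained by the commit message, which only describes the two out-of-bounds cases (`len > DWC2_DATA_BUF_SIZE` for flush_dcache_range, `done > 0` for memcpy). Please say in the commit message or in a comment above the condition whether skipping the zero-length case is needed for correctness or is only there to avoid a no-op copy and flush. The removed line copied `len` bytes into `priv->aligned_buffer`, so it would also help to state which length the copy and the flush now use and how it is bounded by the buffer size.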
Do zero-length memcpy or flush_dcache_range actually cause an issue?