[U-Boot] [PATCH 1/6] usb: dwc2: avoid out of bounds access

Stephen Warren swarren at wwwdotorg.org
Wed Dec 16 03:58:48 CET 2015


On 12/12/2015 09:17 PM, Stefan Brüns wrote:
> flush_dcache_range may access data after priv->aligned_buffer end if
> len > DWC2_DATA_BUF_SIZE.
> memcpy may access data after buffer end if done > 0

Acked-by: Stephen Warren <swarren at wwwdotorg.org>

Uggh; icky bug:-(

> @@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
>  		       (*pid << DWC2_HCTSIZ_PID_OFFSET),
>  		       &hc_regs->hctsiz);
>  
> -		if (!in) {
> -			memcpy(priv->aligned_buffer, (char *)buffer + done, len);
> +		if (!in && xfer_len) {

Do zero-length memcpy or flush_dcache_range actually cause an issue?


More information about the U-Boot mailing list