mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-10 23:24:38 +00:00
usb: dwc2: avoid out of bounds access
flush_dcache_range may access data after priv->aligned_buffer end if len > DWC2_DATA_BUF_SIZE. memcpy may access data after buffer end if done > 0 Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Acked-by: Marek Vasut <marex@denx.de> Acked-by: Stephen Warren <swarren@wwwdotorg.org>
This commit is contained in:
parent
c75f57fba4
commit
5253aded46
1 changed files with 4 additions and 3 deletions
|
@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
|
|||
(*pid << DWC2_HCTSIZ_PID_OFFSET),
|
||||
&hc_regs->hctsiz);
|
||||
|
||||
if (!in) {
|
||||
memcpy(priv->aligned_buffer, (char *)buffer + done, len);
|
||||
if (!in && xfer_len) {
|
||||
memcpy(priv->aligned_buffer, (char *)buffer + done,
|
||||
xfer_len);
|
||||
|
||||
flush_dcache_range((unsigned long)priv->aligned_buffer,
|
||||
(unsigned long)((void *)priv->aligned_buffer +
|
||||
roundup(len, ARCH_DMA_MINALIGN)));
|
||||
roundup(xfer_len, ARCH_DMA_MINALIGN)));
|
||||
}
|
||||
|
||||
writel(phys_to_bus((unsigned long)priv->aligned_buffer),
|
||||
|
|
Loading…
Reference in a new issue