DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify
the transfer direction. Fixing the length and transfer
direction.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
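
The two checks this commit message names (bounding wLength and verifying the transfer direction), as an added example that is not U-Boot's code or part of the original commit. The names `dfu_check_setup`, `check` and `XFER_BUF_SIZE` are hypothetical, the 4096-byte buffer size is an assumption, and rejecting an oversized request (rather than clamping it) is a choice made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN     0x80  /* bmRequestType bit 7 set: device-to-host */
#define DFU_DNLOAD     1     /* bRequest codes from the DFU 1.1 spec */
#define DFU_UPLOAD     2
#define XFER_BUF_SIZE  4096  /* assumed size of the control-transfer buffer */

struct setup_pkt {           /* USB control setup packet (fields in host order) */
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;        /* host-controlled: never trust as a copy length */
};

/* Return the data-stage length to accept, or -1 to stall the request. */
int dfu_check_setup(const struct setup_pkt *s)
{
    int dev_to_host = (s->bmRequestType & USB_DIR_IN) != 0;

    if (s->bRequest == DFU_DNLOAD && dev_to_host)
        return -1;           /* download data must flow host-to-device */
    if (s->bRequest == DFU_UPLOAD && !dev_to_host)
        return -1;           /* upload data must flow device-to-host */
    if (s->bRequest != DFU_DNLOAD && s->bRequest != DFU_UPLOAD)
        return -1;           /* other requests are out of scope here */
    if (s->wLength > XFER_BUF_SIZE)
        return -1;           /* would overrun the fixed buffer */
    return s->wLength;
}

/* Build a constructed sample packet and run the check on it. */
int check(uint8_t type, uint8_t req, uint16_t wlen)
{
    struct setup_pkt s = { type, req, 0, 0, wlen };
    return dfu_check_setup(&s);
}

int main(void)
{
    printf("DNLOAD 4096 OUT : %d\n", check(0x21, DFU_DNLOAD, 4096));
    printf("DNLOAD 65535 OUT: %d\n", check(0x21, DFU_DNLOAD, 0xFFFF));
    printf("DNLOAD 64 IN    : %d\n", check(0xA1, DFU_DNLOAD, 64));
    printf("UPLOAD 64 IN    : %d\n", check(0xA1, DFU_UPLOAD, 64));
    return 0;
}
```
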
In DFU v1.1 specification [1] the DFU_UPLOAD (Short Frame)
is handled only in dfuUPLOADIDLE state:
- Figure A.1 Interface state transition diagram
- the state description in chapter A.2
A.2.3 State 2 dfuIDLE
on Receipt of the DFU_UPLOAD request, and bitCanUpload = 1
the Next State is dfuUPLOADIDLE
A.2.10 State 9 dfuUPLOAD-IDLE
When the length of the data transferred by the device in response
to a DFU_UPLOAD request is less than wLength. (Short frame)
the Next State is dfuIDLE
In current code, when an UPLOAD is completely performed after the first
request (for example with wLength=200 and data read = 9), the DFU state
stays at dfuUPLOADIDLE until receiving a DFU_UPLOAD or a DFU_ABORT request
even though it is unnecessary as the previous DFU_UPLOAD request already reached
the EOF.
This patch proposes to finish the DFU uploading (don't go to dfuUPLOADIDLE)
and completes the control-read operation (go to DFU_STATE_dfuIDLE) when
the first UPLOAD response has a short frame as an end of file (EOF)
indicator even if it is not explicitly allowed in the DFU specification
but this seems logical.
[1] https://www.usb.org/sites/default/files/DFU_1.1.pdf
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
In case dfu command is being executed with timeout option,
the timer may expire in the middle of DFU operation. If there
is DFU request coming, we may simply reset timeout value
to prevent aborting of ongoing DFU operation.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Ferry Toth <ftoth@exalondelft.nl>
dfu_prepare_function() allocates N+1 descriptor header structures,
the last one being the "DFU Functional Descriptor".
dfu_unbind() handles de-allocation, but fails to free the final
one (e.g. "DFU Functional Descriptor"), leading to a memory leak.
Fixed by incrementing counter, as in dfu_prepare_function().
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
We are now using an env_ prefix for environment functions. Rename these
two functions for consistency. Also add function comments in common.h.
Quite a few places use getenv() in a condition context, provoking a
warning from checkpatch. These are fixed up in this patch also.
Suggested-by: Wolfgang Denk <wd@denx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
With this patch, USB Command Verifier is happy with our DFU
implementation on Chapter 9 tests.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
If last packet is short, we shouldn't write req->length bytes to
non-volatile media, we should write only what's available to us, which
is held in req->actual.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
harmonize result with other handle_XXX() functions: return int for size
remove the define RET_STAT_LEN: no longer necessary
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
return the correct size for DFU_GETSTATE result (1 byte in DFU 1.1 spec)
to avoid issue in USB protocol and the variable "value" is propagated
to req->length as in all the other requests with an answer
- DFU_GETSTATUS
- DFU_DNLOAD
- DFU_UPLOAD
Then the buffer is correctly treated in USB driver
NB: it was the only request which directly changed "req->actual"
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
The "DFU descriptor set" must contain the "DFU functional descriptor"
but it is missing today in U-Boot code
(cf: DFU spec 1.1, chapter 4.2 DFU Mode Descriptor Set)
This patch only allocates a buffer and copies the DFU functional descriptor
after interfaces.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
Reported by Coverity:
Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach this statement:
(f_dfu->strings + --i).s = ....
If calloc failed, i is still 0 and no need to call free,
so discard the dead code.
Signed-off-by: Peng Fan <van.freenix@gmail.com>
Cc: "Łukasz Majewski" <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
This patch fixes the situation when one would like to write a large file into
medium with the file system (fat, ext4, etc).
This change sets file size limitation to the DFU internal buffer size.
Since u-boot is not supporting interrupts and seek on file systems, it
becomes challenging to store large file appropriately.
To reproduce this error - create a large file (around 26 MiB) and send it
to the target board.
Let's examine the flow of USB transactions:
0. DFU uses EP0 with 64B MPS [Max Packet Size]
1. Send file - OUT (PC->target) - dat_26MiB.img is sent with 4096 B transactions
2. Get status - OUT (PC->target) - wait for DFU_STATE_dfuDNLOAD_IDLE (0x05) sent
   from target board - IN transaction (target->PC)
3. The whole file content is sent to target - OUT (PC->target) with ZLP [Zero
   Length Packet]
Now the interesting part starts:
4. OUT (PC->target) Setup transaction (request to share DFU state)
5. IN (target->PC) - reply the current DFU state
- In the UDC driver the req->completion (with dfu_flush) is called
after successful IN transfer.
- The dfu_flush() (called from req->completion callback) saves the
whole file at once (u-boot doesn't support seek on fs).
Such operation takes considerable time. When the file
is large - e.g. 26MiB - this time may be more than 5 seconds.
6. OUT (PC->target) - ZLP, is sent at the same time when dfu_flush()
writes data to eMMC memory.
The dfu-util application has hard coded timeout on USB transaction
completion set to 5 seconds (it uses libusb calls).
When the file to store is large (e.g. 26 MiB) the time needed to write it
may exceed the dfu-util timeout and the following error message will be displayed:
"unable to read DFU status" on the HOST PC console.
This change is supposed to leverage DFU's part responsible for storing files
on file systems. Other DFU operations - i.e. raw/partition write to NAND and
eMMC should work as before.
The only functional change is the error reporting. When dfu_flush() fails
the u-boot prompt will exit with error information and dfu-util application
exits afterwards as well.
Test HW:
- Odroid XU3 (Exynos5433) - test with large file
- Trats (Exynos4210) - test for regression - eMMC, raw,
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Reported-by: Alex Gdalevich <agdalevich@axion-biosystems.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Heiko Schocher <hs@denx.de>
Without this function the USB compliance test (USB 2.0 Command Verifier) will
fail in the "Interface Descriptor Test" with this error message:
FAIL
(1.2.51) A successful GetInterface request must return the alternate setting
set by a prior call to SetInterface.
Let's add this function to read back the value so that the DFU device fully
passes the USB compliance test.
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Roger Meier <r.meier@siemens.com>
Cc: Samuel Egli <samuel.egli@siemens.com>
Cc: Enrico Leto <enrico.leto@siemens.com>
Acked-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
In order to add detach functions for fastboot, make the DFU detach related
functions common so they can be shared.
Signed-off-by: Rob Herring <robh@kernel.org>
Tested-by: Lukasz Majewski <l.majewski@samsung.com>
[TestHW: Exynos4412-Trats2]
DFU now can use also fullspeed.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Liu Bin <b-liu@ti.com>
Cc: Lukas Stockmann <lukas.stockmann@siemens.com>
This commit provides distinction between DFU device detach and reset.
The -R behavior is preserved with proper handling of the dfu-util's -e
switch, which detaches the DFU device.
By running dfu-util -e; one can force device to finish the execution of
dfu command on target and execute some other scripted commands.
Moreover, some naming has been changed - the dfu_reset() method now is known
as dfu_detach(). New name better reflects the purpose of the code.
It was also necessary to increase the number of usb_gadget_handle_interrupts()
calls since we also must wait for detection of the USB reset event.
Example usage:
1. -e (detach) switch
dfu-util -a0 -D file1.bin;dfu-util -a3 -D uImage;dfu-util -e
access to u-boot prompt.
2. -R (reset) switch
dfu-util -a0 -D file1.bin;dfu-util -R -a3 -D uImage
target board reset
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Reviewed-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Fix calls to dfu_write() and dfu_flush() to detect errors in the I/O
itself. This could happen due to problems with the storage medium, or
simply when trying to write a FAT/ext file that is larger than the buffer
dfu_mmc.c maintains for this purpose.
Signal the error by switching the DFU state/status. This will be picked
up by the DFU client when it sends the next DFU request. Note that errors
can't simply be returned from e.g. dnload_request_complete(), since that
function has no way to pass errors back to the DFU client; a call to
dnload_request_complete() simply means that a USB OUT completed.
This error state/status needs to be cleared when the next DFU client
connects. While there is a DFU_CLRSTATUS request, no DFU client seems to
send this. Hence, clear this when selecting the USB alternate setting on
the USB interface.
Finally, dfu.c relies on a call to dfu_flush() to clear up the internal
state of the write transaction. Now that errors in dfu_write() are
detected, dfu_flush() may no longer be called for every transaction.
Separate out the cleanup code into a new function, and call it whenever
dfu_write() fails, as well as from any call to dfu_flush().
Signed-off-by: Stephen Warren <swarren@nvidia.com>
add a possibility to add a medium specific polltimeout
function. So it is possible to define different
poll timeouts.
Used on nand medium, for setting the DFU_MANIFEST_POLL_TIMEOUT
only on nand ubi partitions, which is currently the only
use case.
Change-Id: If1db5f49b32d93fefa7481e8dfe5b7ccc0e65af4
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
Preprocessor definitions and hardcoded implementation selection in
g_dnl core were replaced by a linker list made of (usb_function_name,
bind_callback) pairs.
Signed-off-by: Mateusz Zalega <m.zalega@samsung.com>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
Acked-by: Marek Vasut <marex@denx.de>
on nand flash using ubi, after the download of the new image into
the flash, the "rest" of the nand sectors get erased while flushing
the medium. With current u-boot version dfu-util may show:
Starting download: [##################################################] finished!
state(7) = dfuMANIFEST, status(0) = No error condition is present
unable to read DFU status
as get_status is not answered while erasing sectors, if erasing
needs some time.
So do the following changes to prevent this:
- introduce dfuManifest state
According to dfu specification
( http://www.usb.org/developers/devclass_docs/usbdfu10.pdf ) section 7:
"the device enters the dfuMANIFEST-SYNC state and awaits the solicitation
of the status report by the host. Upon receipt of the anticipated
DFU_GETSTATUS, the device enters the dfuMANIFEST state, where it
completes its reprogramming operations."
- when stepping into dfuManifest state, sending a PollTimeout
DFU_MANIFEST_POLL_TIMEOUT in ms, to the host, so the host
(dfu-util) waits the PollTimeout before sending a get_status again.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
It is necessary to deter the host from sending subsequent DFU_GETSTATUS
request in the case of e.g. writing the buffer to medium.
Here the timeout is increased when we fill up the whole buffer. This delay
allows eMMC memory to perform its internal operations.
Otherwise we end up with HOST's error regarding GET_STATUS receive timeout.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
This patch extends dfu code to support transmission with -R switch
specified at dfu-util.
When -R is specified, the extra USB_REQ_DFU_DETACH request is sent after
successful data transmission. Then dfu resources are released and reset
command is issued.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
The DFU's state machine original implementation author and copyright were
missing.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
This subtle change fixes a problem with too small amount of allocated
memory to store DFU function pointers.
One needs to allocate extra space for sentinel NULL pointer in this array
of function pointers.
With the previous code, the NULL value overwrites malloc internal data
and afterwards free(f_dfu->function) crashes.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
- set in to_dfu_mode() f_dfu->dfu_state = DFU_STATE_dfuIDLE
as after every to_dfu_mode call this is done, so move
this into to_dfu_mode
- switch in dfu_bind() into dfu mode:
This fixes wrong "dfu-util -l" output, when calling
"dfu-util -l" after a board reset, without doing a
download before. See also discussion here:
http://lists.denx.de/pipermail/u-boot/2013-June/157272.html
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
Cc: Tom Rini <trini@ti.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Samuel Egli <samuel.egli@siemens.com>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
Tested-by: Lukasz Majewski <l.majewski@samsung.com>
Zero out timeout value; leaving it filled with undefined values
ends up with the dfu host hanging.
Signed-off-by: Pantelis Antoniou <panto@antoniou-consulting.com>
Support for f_dfu USB function.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>