From patchwork Thu Sep 22 04:01:32 2022
X-Patchwork-Submitter: Alison Huffman
X-Patchwork-Id: 1681078
X-Patchwork-Delegate: lukma@denx.de
Date: Thu, 22 Sep 2022 04:01:32 +0000
Message-ID: <20220922040132.3184808-1-alisn@google.com>
Subject: [PATCH] Fix out of bound access of ep array.
From: Alison Huffman
To: u-boot@lists.denx.de
Cc: Alison Huffman, Lukasz Majewski, Marek Vasut
List-Id: U-Boot discussion

When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).

Signed-off-by: Alison Huffman
--- drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c index f17009a29e..1c34b75351 100644 --- a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c +++ b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
@@ -890,7 +890,7 @@ static int dwc2_ep0_write(struct dwc2_udc *dev) static int dwc2_udc_get_status(struct dwc2_udc *dev, struct usb_ctrlrequest *crq) { - u8 ep_num = crq->wIndex & 0x7F; + u8 ep_num = crq->wIndex & 0x3; u16 g_status = 0; u32 ep_ctrl; @@ -1418,7 +1418,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev) break; case USB_REQ_CLEAR_FEATURE: - ep_num = usb_ctrl->wIndex & 0x7f; + ep_num = usb_ctrl->wIndex & 0x3; if (!dwc2_udc_clear_feature(&dev->ep[ep_num].ep)) return; @@ -1426,7 +1426,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev) break; case USB_REQ_SET_FEATURE: - ep_num = usb_ctrl->wIndex & 0x7f; + ep_num = usb_ctrl->wIndex & 0x3; if (!dwc2_udc_set_feature(&dev->ep[ep_num].ep)) return;
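
Review bot: In dwc2_udc_get_status, `crq->wIndex & 0x3` encodes the array bound as a bare bit mask, which is only correct while DWC2_MAX_ENDPOINTS is 4 (the value given in the commit message) and a power of two. Tie the bound to the constant instead: keep the 0x7F mask, which strips the direction bit, and reject `ep_num >= DWC2_MAX_ENDPOINTS` with an error return (the function returns int). That way the check stays correct if the endpoint count changes, and the intent is visible at the point of use.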
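
Review bot: In the USB_REQ_CLEAR_FEATURE case of dwc2_ep0_setup, masking with 0x3 keeps the index in range but aliases every out-of-range endpoint number onto a valid one (a wIndex of 5 becomes endpoint 1), so dwc2_udc_clear_feature is then called on an endpoint the host did not name. A range check placed before `dev->ep[ep_num].ep` that leaves through the case's existing `return;` path would reject the malformed request rather than act on a different endpoint.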
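
Review bot: The USB_REQ_SET_FEATURE case is the third copy of the same `wIndex & 0x3` expression, and here the aliasing changes device state: a request naming a nonexistent endpoint sets the feature on endpoint `wIndex & 0x3` instead of being refused. Consider one small helper that extracts the endpoint number and validates it against DWC2_MAX_ENDPOINTS, called from all three sites, so the bound lives in one place and the copies cannot drift apart.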