From: Marek Vasut
Date: Wed, 16 Dec 2015 11:29:14 +0100
Subject: [U-Boot] [PATCH 1/6] usb: dwc2: avoid out of bounds access
In-Reply-To: <5670D368.6090703@wwwdotorg.org>
References: <1449980278-19881-1-git-send-email-stefan.bruens@rwth-aachen.de> <1449980278-19881-2-git-send-email-stefan.bruens@rwth-aachen.de> <5670D368.6090703@wwwdotorg.org>
Message-ID: <201512161129.14782.marex@denx.de>
To: u-boot@lists.denx.de

On Wednesday, December 16, 2015 at 03:58:48 AM, Stephen Warren wrote:
> On 12/12/2015 09:17 PM, Stefan Brüns wrote:
> > flush_dcache_range may access data after priv->aligned_buffer end if
> > len > DWC2_DATA_BUF_SIZE.
> > memcpy may access data after buffer end if done > 0
>
> Acked-by: Stephen Warren
>
> Uggh; icky bug:-(
>
> > @@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct
> > usb_device *dev,
> >
> > (*pid << DWC2_HCTSIZ_PID_OFFSET),
> > &hc_regs->hctsiz);
> >
> > - if (!in) {
> > - memcpy(priv->aligned_buffer, (char *)buffer + done, len);
> > + if (!in && xfer_len) {

Do zero-length memcpy or flush_dcache_range actually cause an issue? I believe they should not, based on how they are implemented.

Best regards,
Marek Vasut
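Review bot: the guard `+ if (!in && xfer_len) {` only skips the zero-length case and does not by itself fix either overrun named in the description; the removed line `memcpy(priv->aligned_buffer, (char *)buffer + done, len)` copies `len` bytes, which runs past `priv->aligned_buffer` when `len > DWC2_DATA_BUF_SIZE` and reads past `buffer` when `done > 0`, so the replacement copy (cut off in the quoted hunk) must use `xfer_len` with `xfer_len` bounded by both `DWC2_DATA_BUF_SIZE` and `len - done`. Please quote the lines that compute `xfer_len` and the new memcpy/flush_dcache_range calls so the bound is reviewable, and add a short comment at the condition stating the invariant `xfer_len <= DWC2_DATA_BUF_SIZE` that the flush size relies on.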