From 789db4852686518ce9937a9f9acac6712bd9686c Mon Sep 17 00:00:00 2001 From: Vijayavardhan Vennapusa <vvreddy@qti.qualcomm.com> Date: Thu, 5 May 2016 14:37:08 +0530 Subject: [PATCH] USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num() User can pass arguments as part of write to requests and endpoint number will be calculated based on the arguments. There is a chance that driver can access ep structue that is not allocated due to invalid arguments passed by user. Hence fix the issue by having check and return error in case of invalid arguments. Bug: 28172322 Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1 Signed-off-by: Vijayavardhan Vennapusa <vvreddy@qti.qualcomm.com> --- drivers/usb/dwc3/debugfs.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c index d4a7c9140bb4..be9d7eaf839e 100644 --- a/drivers/usb/dwc3/debugfs.c +++ b/drivers/usb/dwc3/debugfs.c @@ -647,7 +647,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf, struct seq_file *s = file->private_data; struct dwc3 *dwc = s->private; char kbuf[10]; - unsigned int num, dir; + unsigned int num, dir, temp; unsigned long flags; memset(kbuf, 0, 10); @@ -658,8 +658,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf, if (sscanf(kbuf, "%u %u", &num, &dir) != 2) return -EINVAL; + if (dir != 0 && dir != 1) + return -EINVAL; + + temp = (num << 1) + dir; + if (temp >= (dwc->num_in_eps + dwc->num_out_eps) || + temp >= DWC3_ENDPOINTS_NUM) + return -EINVAL; + spin_lock_irqsave(&dwc->lock, flags); - ep_num = (num << 1) + dir; + ep_num = temp; spin_unlock_irqrestore(&dwc->lock, flags); return count; -- GitLab