From 789db4852686518ce9937a9f9acac6712bd9686c Mon Sep 17 00:00:00 2001
From: Vijayavardhan Vennapusa <vvreddy@qti.qualcomm.com>
Date: Thu, 5 May 2016 14:37:08 +0530
Subject: [PATCH] USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()

User can pass arguments as part of write to requests and endpoint number
will be calculated based on the arguments. There is a chance that driver
can access ep structure that is not allocated due to invalid arguments
passed by user. Hence fix the issue by having check and return error in
case of invalid arguments.

Bug: 28172322

Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@qti.qualcomm.com>
---
 drivers/usb/dwc3/debugfs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c
index d4a7c9140bb4..be9d7eaf839e 100644
--- a/drivers/usb/dwc3/debugfs.c
+++ b/drivers/usb/dwc3/debugfs.c
@@ -647,7 +647,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
 	struct seq_file		*s = file->private_data;
 	struct dwc3		*dwc = s->private;
 	char			kbuf[10];
-	unsigned int		num, dir;
+	unsigned int		num, dir, temp;
 	unsigned long		flags;
 
 	memset(kbuf, 0, 10);
@@ -658,8 +658,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
 	if (sscanf(kbuf, "%u %u", &num, &dir) != 2)
 		return -EINVAL;
 
+	if (dir != 0 && dir != 1)
+		return -EINVAL;
+
+	temp = (num << 1) + dir;
+	if (temp >= (dwc->num_in_eps + dwc->num_out_eps) ||
+					temp >= DWC3_ENDPOINTS_NUM)
+		return -EINVAL;
+
 	spin_lock_irqsave(&dwc->lock, flags);
-	ep_num = (num << 1) + dir;
+	ep_num = temp;
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
 	return count;
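Review bot: The added bound compares the combined index `temp` against `dwc->num_in_eps + dwc->num_out_eps`, which matches the populated slots only when the IN and OUT counts are equal. With the interleaved `(num << 1) + dir` layout, a controller with unequal counts could presumably still accept an index whose endpoint was never allocated; how the endpoint array is filled is not visible here, so this needs confirming. The shift is also applied to the unchecked `num`, so a value with the top bit set wraps to a small index and is accepted rather than rejected. Checking `num` per direction before the shift would cover both cases, assuming `dir == 1` selects IN: `if (num >= (dir ? dwc->num_in_eps : dwc->num_out_eps)) return -EINVAL;`. The body of dwc3_store_ep_num() starts and ends outside this hunk, and the readers of `ep_num` are not shown.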
-- 
GitLab