u-boot.git/drivers/usb, branch v2023.01 Unnamed repository; edit this file 'description' to name the repository. usb: gadget: rndis: Prevent InformationBufferOffset manipulation 2022-12-08T13:30:39+00:00 Szymon Heidrich szymon.heidrich@gmail.com 2022-12-05T09:28:23+00:00 51a0e215ec8ce9cc88f928373e9ce8303db1829b Prevent access to arbitrary memory locations in gen_ndis_set_resp via manipulation of buf->InformationBufferOffset. Original implementation permits manipulation of InformationBufferOffset to exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents within a 32byte offset as the devices packet filter. The packet filter value may be next retrieved using gen_ndis_query_resp so it is possible to extract specific memory regions two bytes a time. The rndis_query_response was not modified as neither the buffer offset nor length passed to gen_ndis_query_resp is used. Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> 
Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.

The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.

Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
usb: gadget: dfu: Fix check of transfer direction 2022-12-08T13:30:39+00:00 Hugo SIMELIERE hsimeliere.opensource@witekio.com 2022-11-30T08:29:16+00:00 14dc0ab138988a8e45ffa086444ec8db48b3f103 Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347 blocks DFU usb requests. The verification of the transfer direction was done by an equality but it is a bit mask. Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Reviewed-by: Fabio Estevam <festevam@denx.de> Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com> Reviewed-by: Marek Vasut <marex@denx.de> Tested-by: Marek Vasut <marex@denx.de> 
Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.

Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
usb: dwc3: Drop support for "snps, ref-clock-period-ns" DT property 2022-11-27T14:34:56+00:00 Marek Vasut marex@denx.de 2022-11-27T14:31:56+00:00 db5bace4f6cb37251a5863efe4c0c1547d1334bd Drop support for quickly deprecated DT property "snps,ref-clock-period-ns" to prevent its proliferation. Reviewed-by: Sean Anderson <seanga2@gmail.com> Signed-off-by: Marek Vasut <marex@denx.de> 
Drop support for quickly deprecated DT property "snps,ref-clock-period-ns"
to prevent its proliferation.

Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
usb: dwc3: Program GFLADJ 2022-11-27T14:34:56+00:00 Sean Anderson sean.anderson@seco.com 2022-11-27T14:31:55+00:00 c55ac51a550c8d2f8485abe94cb80c15b81d08fa GUCTL.REFCLKPER can only account for clock frequencies with integer periods. To address this, program REFCLK_FLADJ with the relative error caused by period truncation. The formula given in the register reference has been rearranged to allow calculation based on rate (instead of period), and to allow for fixed-point arithmetic. Additionally, calculate a value for 240MHZDECR. This configures a simulated 240Mhz clock using a counter with one fractional bit (PLS1). This register is programmed only for versions >= 2.50a, since this is the check also used by commit db2be4e9e30c ("usb: dwc3: Add frame length adjustment quirk"). [ marek: Ported from Linux kernel commit 596c87856e08d ("usb: dwc3: Program GFLADJ") ] Reviewed-by: Sean Anderson <seanga2@gmail.com> Signed-off-by: Sean Anderson <sean.anderson@seco.com> Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux 
GUCTL.REFCLKPER can only account for clock frequencies with integer
periods. To address this, program REFCLK_FLADJ with the relative error
caused by period truncation. The formula given in the register reference
has been rearranged to allow calculation based on rate (instead of
period), and to allow for fixed-point arithmetic.

Additionally, calculate a value for 240MHZDECR. This configures a
simulated 240Mhz clock using a counter with one fractional bit (PLS1).

This register is programmed only for versions >= 2.50a, since this is
the check also used by commit db2be4e9e30c ("usb: dwc3: Add frame length
adjustment quirk").

[ marek: Ported from Linux kernel commit
         596c87856e08d ("usb: dwc3: Program GFLADJ") ]

Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
usb: dwc3: Calculate REFCLKPER based on reference clock 2022-11-27T14:34:56+00:00 Sean Anderson sean.anderson@seco.com 2022-11-27T14:31:54+00:00 6bae0eb5b8bd7f7f87c7bf106acea869da187b66 Instead of using a special property to determine the reference clock period, use the rate of the reference clock. When we have a legacy snps,ref-clock-period-ns property and no reference clock, use it instead. Fractional clocks are not currently supported, and will be dealt with in the next commit. [ marek: Ported from Linux kernel commit 5114c3ee24875 ("usb: dwc3: Calculate REFCLKPER based on reference clock") ] Reviewed-by: Sean Anderson <seanga2@gmail.com> Signed-off-by: Sean Anderson <sean.anderson@seco.com> Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux 
Instead of using a special property to determine the reference clock
period, use the rate of the reference clock. When we have a legacy
snps,ref-clock-period-ns property and no reference clock, use it
instead. Fractional clocks are not currently supported, and will be
dealt with in the next commit.

[ marek: Ported from Linux kernel commit
         5114c3ee24875 ("usb: dwc3: Calculate REFCLKPER based on reference clock") ]

Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
usb: dwc3: reference clock period configuration 2022-11-27T14:34:56+00:00 Balaji Prakash J bjagadee@codeaurora.org 2022-11-27T14:31:53+00:00 57548e8bc7cb6eb1c1a0206579c2a84737a70650 Set reference clock period when it differs from dwc3 default hardware set. We could calculate clock period based on reference clock frequency. But this information is not always available. This is the case of PCI bus attached USB host. For that reason we use a custom property. Tested (USB2 only) on IPQ6010 SoC based board with 24 MHz reference clock while hardware default is 19.2 MHz. [ baruch: rewrite commit message; drop GFLADJ code; remove 'quirk-' from property name; mention tested hardware ] [ marek: Ported from Linux kernel commit 7bee318838890 ("usb: dwc3: reference clock period configuration") ] Reviewed-by: Sean Anderson <seanga2@gmail.com> Signed-off-by: Balaji Prakash J <bjagadee@codeaurora.org> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux 
Set reference clock period when it differs from dwc3 default hardware
set.

We could calculate clock period based on reference clock frequency. But
this information is not always available. This is the case of PCI bus
attached USB host. For that reason we use a custom property.

Tested (USB2 only) on IPQ6010 SoC based board with 24 MHz reference
clock while hardware default is 19.2 MHz.

[ baruch: rewrite commit message; drop GFLADJ code; remove 'quirk-' from
  property name; mention tested hardware ]

[ marek: Ported from Linux kernel commit
         7bee318838890 ("usb: dwc3: reference clock period configuration") ]

Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Balaji Prakash J <bjagadee@codeaurora.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
usb: dwc3: Cache ref_clk pointer in struct dwc3 2022-11-27T14:34:56+00:00 Marek Vasut marex@denx.de 2022-11-27T14:31:52+00:00 8ae84e64530e81f23066d86417b9225388ba96ae Cache ref_clk clock pointer in struct dwc3 . This is a preparatory patch for subsequent backports from Linux kernel which configure GFLADJ register content based on the ref_clk rate and therefore need access to the ref_clk pointer. It is possible to extract the clock pointer from existing clk_bulk list of already claimed clock, no need to call clk_get*() again. Reviewed-by: Sean Anderson <seanga2@gmail.com> Signed-off-by: Marek Vasut <marex@denx.de> 
Cache ref_clk clock pointer in struct dwc3 . This is a preparatory
patch for subsequent backports from Linux kernel which configure
GFLADJ register content based on the ref_clk rate and therefore need
access to the ref_clk pointer.

It is possible to extract the clock pointer from existing clk_bulk
list of already claimed clock, no need to call clk_get*() again.

Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
usb: Expand buffer size in usb_find_and_bind_driver() 2022-11-27T11:04:36+00:00 Marek Vasut marex@denx.de 2022-11-26T12:57:53+00:00 55a95f8f58cf5c884edfe8714bf681cd17ef7242 The "generic_bus_%x_dev_%x" string which is printed into this buffer can be up to 34 characters long ("generic_bus_12345678_dev_12345678"). The buffer would be clipped by snprintf() if both %x were at maximum range. Make sure the buffer is long enough to cover such possibility. Signed-off-by: Marek Vasut <marex@denx.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
The "generic_bus_%x_dev_%x" string which is printed into this buffer
can be up to 34 characters long ("generic_bus_12345678_dev_12345678").
The buffer would be clipped by snprintf() if both %x were at maximum
range. Make sure the buffer is long enough to cover such possibility.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
sandbox: check lseek return value in handle_ufi_command 2022-11-22T22:13:35+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-11-10T07:40:30+00:00 b3a680a47abfdd5fa4086bab53891f3a4e798d74 Invoking lseek() may result in an error. Handle it. Addresses-Coverity-ID: 376212 ("Error handling issues (CHECKED_RETURN)") Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
Invoking lseek() may result in an error. Handle it.

Addresses-Coverity-ID: 376212 ("Error handling issues  (CHECKED_RETURN)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
usb: gadget: dfu: Fix the unchecked length field 2022-11-21T14:23:00+00:00 Venkatesh Yadav Abbarapu venkatesh.abbarapu@amd.com 2022-11-03T04:07:48+00:00 fbce985e28eaca3af82afecc11961aadaf971a7e DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction. Fixing the length and transfer direction. CVE-2022-2347 Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com> Reviewed-by: Marek Vasut <marex@denx.de> 
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.

CVE-2022-2347

Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>