From: Sean Anderson Date: Wed, 23 Mar 2022 22:24:38 +0000 (-0400) Subject: sandbox: usb: Fix out-of-bounds read when fd=-1 X-Git-Tag: v2025.01-rc5-pxa1908~1353^2~2^2~31 X-Git-Url: http://git.dujemihanovic.xyz/contact?a=commitdiff_plain;h=24057fe0a8f70ae872da0a8f4889fe7b8cfa09db;p=u-boot.git sandbox: usb: Fix out-of-bounds read when fd=-1 sandbox_flash_bulk uses priv->read_len to determine if priv->buff contains the response data (such as from SCSI_INQUIRY). However, if priv->fd=-1 in handle_read, then priv->read_len is not set even though we are going to PHASE_DATA. This causes sandbox_flash_bulk to try and read len bytes from priv->buff, which likely goes past the end of the buffer. Fix this by always setting priv->read_len even if we aren't going to read anything. Fixes: f4f715360c ("dm: usb: sandbox: Add an emulator for USB flash devices") Signed-off-by: Sean Anderson Reviewed-by: Simon Glass --- diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c index cc80f67133..01b2b41cce 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -228,9 +228,9 @@ static void handle_read(struct sandbox_flash_priv *priv, ulong lba, ulong transfer_len) { debug("%s: lba=%lx, transfer_len=%lx\n", __func__, lba, transfer_len); + priv->read_len = transfer_len; if (priv->fd != -1) { os_lseek(priv->fd, lba * SANDBOX_FLASH_BLOCK_LEN, OS_SEEK_SET); - priv->read_len = transfer_len; setup_response(priv, priv->buff, transfer_len * SANDBOX_FLASH_BLOCK_LEN); } else { @@ -336,6 +336,9 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev, if (priv->read_len) { ulong bytes_read; + if (priv->fd == -1) + return -EIO; + bytes_read = os_read(priv->fd, buff, len); if (bytes_read != len) return -EIO;