shithub: riscv

Download patch

ref: 546046b46bd920c9da13e46c87efa08ab0c85bfa
parent: 7722220ff5673036f3d058ebfdd45fe3078057da
author: cinap_lenrek <[email protected]>
date: Fri Sep 22 08:55:26 EDT 2017

xhci: do bounds checking in capability walking, check if controller vanished on init (thunderbolt unplug)

--- a/sys/src/9/pc/usbxhci.c
+++ b/sys/src/9/pc/usbxhci.c
@@ -362,15 +362,20 @@
 static u32int*
 xecp(Ctlr *ctlr, uchar id, u32int *p)
 {
-	u32int x;
+	u32int x, *e;
 
+	e = &ctlr->mmio[ctlr->pcidev->mem[0].size/4];
 	if(p == nil){
 		p = ctlr->mmio;
 		x = ctlr->hccparams>>16;
-	} else
+	} else {
+		assert(p < e);
 		x = (*p>>8) & 255;
+	}
 	while(x != 0){
 		p += x;
+		if(p >= e)
+			break;
 		x = *p;
 		if((x & 255) == id)
 			return p;
@@ -438,6 +443,8 @@
 	int i, j;
 
 	ctlr = hp->aux;
+	if(ctlr->mmio[CAPLENGTH] == -1)
+		error("controller vanished");
 
 	ctlr->opr = &ctlr->mmio[(ctlr->mmio[CAPLENGTH]&0xFF)/4];
 	ctlr->dba = &ctlr->mmio[ctlr->mmio[DBOFF]/4];