mirror of https://github.com/acidanthera/audk.git
acebdf14c9
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=973 HUB descriptor has variable length. But the code uses stack (HubDesc in UsbHubInit) with fixed length sizeof(EFI_USB_HUB_DESCRIPTOR) to hold HUB descriptor data. It uses hard code length value (32 that is greater than sizeof(EFI_USB_HUB_DESCRIPTOR)) for SuperSpeed path, then there will be stack overflow when IOMMU is enabled because the Unmap operation will copy the data from device buffer to host buffer. And it uses HubDesc->Length for none SuperSpeed path, then there will be stack overflow when HubDesc->Length is greater than sizeof(EFI_USB_HUB_DESCRIPTOR). The patch updates the code to use a big enough buffer to hold the descriptor data. The definition EFI_USB_SUPER_SPEED_HUB_DESCRIPTOR is wrong (HubDelay field should be UINT16 type) and no code is using it, the patch removes it. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Bret Barkelew <bret.barkelew@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Bret Barkelew <bret.barkelew@microsoft.com> |
||
|---|---|---|
| .. | ||
| ComponentName.c | ||
| UsbBus.c | ||
| UsbBus.h | ||
| UsbBusDxe.inf | ||
| UsbBusDxe.uni | ||
| UsbBusDxeExtra.uni | ||
| UsbDesc.c | ||
| UsbDesc.h | ||
| UsbEnumer.c | ||
| UsbEnumer.h | ||
| UsbHub.c | ||
| UsbHub.h | ||
| UsbUtility.c | ||
| UsbUtility.h | ||