@frederic
Last active October 23, 2020 08:05
Good bug on VIM3L
Amlogic S905D3 bootrom
In usb_do_vendor_request, the AM_REQ_WR_LARGE_MEM and AM_REQ_RD_LARGE_MEM messages allow setting:
_pcd->bulk_len : ushort <= 0x1000 (or 0xfff)
_pcd->bulk_num : ushort != 0
They are not reset after the bulk transfer is set up.
In dwc_otg_ep_req_start, the comparison if (pcd->bulk_data_len < pcd->bulk_len) is signed.
In do_bulk_complete, _pcd->bulk_data_len can be underflowed:
_pcd->bulk_data_len = _pcd->bulk_data_len - _pcd->xfer_len
But so can _pcd->bulk_num:
iVar1 = _pcd->bulk_num + -1;
_pcd->bulk_num = iVar1;
=> once underflowed, bulk transfers can continue.