diff options
| author | Bart Van Assche <bvanassche@acm.org> | 2021-07-22 05:34:22 +0200 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2021-08-03 03:43:57 +0200 |
| commit | d3d9c4570285090b533b00946b72647361f0345b (patch) | |
| tree | 3ef3cda72f95c1ebd378f720144c9f0b5077063a /drivers/scsi/ufs/ufshcd.c | |
| parent | scsi: ufs: ufshpb: Make host mode parameters configurable (diff) | |
| download | linux-d3d9c4570285090b533b00946b72647361f0345b.tar.xz linux-d3d9c4570285090b533b00946b72647361f0345b.zip | |
scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()
If param_offset > buff_len then the memcpy() statement in
ufshcd_read_desc_param() corrupts memory since it copies 256 + buff_len -
param_offset bytes into a buffer with size buff_len. Since param_offset <
256 this results in writing past the bound of the output buffer.
Link: https://lore.kernel.org/r/20210722033439.26550-2-bvanassche@acm.org
Fixes: cbe193f6f093 ("scsi: ufs: Fix potential NULL pointer access during memcpy")
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Reviewed-by: Daejun Park <daejun7.park@samsung.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to '')
| -rw-r--r-- | drivers/scsi/ufs/ufshcd.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 40d371f6e147..5829b25f5999 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -3426,9 +3426,11 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, if (is_kmalloc) { /* Make sure we don't copy more data than available */ - if (param_offset + param_size > buff_len) - param_size = buff_len - param_offset; - memcpy(param_read_buf, &desc_buf[param_offset], param_size); + if (param_offset >= buff_len) + ret = -EINVAL; + else + memcpy(param_read_buf, &desc_buf[param_offset], + min_t(u32, param_size, buff_len - param_offset)); } out: if (is_kmalloc) |