projects / platform / kernel / linux-rpi.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d353e09) | patch
scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()
authorBart Van Assche <bvanassche@acm.org>
Thu, 22 Jul 2021 03:34:22 +0000 (20:34 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Sep 2021 11:40:12 +0000 (13:40 +0200)
commit3b2bbcccd6e9a19c552e720da3af83cd48b75f98
treec892b4346effd4f13de55a6d7f196cb900885760tree | snapshot
parentd353e093c0d5cb5c7d5e6c4c4327d2da7d8104f1commit | diff
scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()

[ Upstream commit d3d9c4570285090b533b00946b72647361f0345b ]

If param_offset > buff_len then the memcpy() statement in
ufshcd_read_desc_param() corrupts memory since it copies 256 + buff_len -
param_offset bytes into a buffer with size buff_len.  Since param_offset <
256 this results in writing past the bound of the output buffer.

Link: https://lore.kernel.org/r/20210722033439.26550-2-bvanassche@acm.org
Fixes: cbe193f6f093 ("scsi: ufs: Fix potential NULL pointer access during memcpy")
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Reviewed-by: Daejun Park <daejun7.park@samsung.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/scsi/ufs/ufshcd.c diff | blob | history
Domain: System / Kernel;