>
> If param_offset > buff_len then the memcpy() statement in
> ufshcd_read_desc_param() corrupts memory since it copies
> 256 + buff_len - param_offset bytes into a buffer with size buff_len.
> Since param_offset < 256 this results in writing past the bound of the output
> buffer.
param_offset >= buff_len is tested in line 3381?
Thanks,
Avri
>
> Fixes: cbe193f6f093 ("scsi: ufs: Fix potential NULL pointer access during
> memcpy")
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
> ---
> drivers/scsi/ufs/ufshcd.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index
> 89da2cf2c969..00502ffe9b4a 100644
> --- a/drivers/scsi/ufs/ufshcd.c
> +++ b/drivers/scsi/ufs/ufshcd.c
> @@ -3365,7 +3365,9 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
>
> if (is_kmalloc) {
> /* Make sure we don't copy more data than available */
> - if (param_offset + param_size > buff_len)
> + if (buff_len < param_offset)
> + param_size = 0;
> + else if (param_offset + param_size > buff_len)
> param_size = buff_len - param_offset;
> memcpy(param_read_buf, &desc_buf[param_offset], param_size);
> }
