Re: [PATCH] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()

On 7/19/21 11:45 PM, Avri Altman wrote:
>> If param_offset > buff_len then the memcpy() statement in
>> ufshcd_read_desc_param() corrupts memory since it copies
>> 256 + buff_len - param_offset bytes into a buffer with size buff_len.
>> Since param_offset < 256 this results in writing past the bound of the output
>> buffer.
>
> param_offset >= buff_len is tested in line 3381?

Hi Avri,

That's correct. However, a few lines lower there is the following code:

ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC,
				desc_id, desc_index, 0,
				desc_buf, &buff_len);

That call may modify (reduce) 'buff_len'. Hence, a second check is needed.

Thanks,

Bart.

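The two-check pattern Bart describes, as an added stand-alone C example (not code from the kernel or from this thread). The names query_descriptor(), copy_len_without_second_check() and read_desc_param() are hypothetical stand-ins: query_descriptor() plays the role of ufshcd_query_descriptor_retry() and reduces buff_len to the length the (constructed) device reports, and the u8 param_size reproduces the 256 + buff_len - param_offset wrap from the patch description. The helper without the second check only computes the length it would hand to memcpy() instead of actually overflowing a buffer.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define DESC_BUF_SIZE 256   /* largest UFS descriptor, as in the driver's kzalloc(256) */

/* Hypothetical stand-in for ufshcd_query_descriptor_retry(): fills desc_buf
 * with constructed data and, like the real call, may reduce *buff_len to the
 * length the device actually returned (device_len is the constructed value). */
static int query_descriptor(uint8_t *desc_buf, int *buff_len, int device_len)
{
	int n = device_len < *buff_len ? device_len : *buff_len;

	for (int i = 0; i < n; i++)
		desc_buf[i] = (uint8_t)i;
	*buff_len = n;          /* shorter than the caller's pre-computed length */
	return 0;
}

/* The pattern before the fix: only the pre-query check exists. Returns the
 * u8 length that memcpy() would receive; when param_offset > buff_len the
 * subtraction goes negative and wraps to 256 + buff_len - param_offset.
 * No memcpy is performed here, so the wrap is observable without corrupting
 * memory. */
static unsigned int copy_len_without_second_check(int initial_buff_len, int device_len,
						  uint8_t param_offset, uint8_t param_size)
{
	uint8_t desc_buf[DESC_BUF_SIZE];
	int buff_len = initial_buff_len;

	if (param_offset >= buff_len)
		return 0;                       /* first check: passes for our input */
	query_descriptor(desc_buf, &buff_len, device_len);
	/* buff_len may now be smaller than param_offset */
	if (param_offset + param_size > buff_len)
		param_size = (uint8_t)(buff_len - param_offset); /* wraps when negative */
	return param_size;
}

/* Hardened version: re-check param_offset against the reduced buff_len
 * before clamping param_size, so the subtraction can never go negative.
 * Returns 0 and sets *copied on success, -EINVAL otherwise. */
static int read_desc_param(int initial_buff_len, int device_len, uint8_t param_offset,
			   uint8_t *param_read_buf, uint8_t param_size, unsigned int *copied)
{
	uint8_t desc_buf[DESC_BUF_SIZE];
	int buff_len = initial_buff_len;

	if (param_offset >= buff_len)
		return -EINVAL;                 /* first check (pre-query) */
	if (query_descriptor(desc_buf, &buff_len, device_len))
		return -EINVAL;
	if (param_offset >= buff_len)
		return -EINVAL;                 /* second check (post-query), the fix */
	if (param_offset + param_size > buff_len)
		param_size = (uint8_t)(buff_len - param_offset); /* now >= 1, no wrap */
	memcpy(param_read_buf, &desc_buf[param_offset], param_size);
	*copied = param_size;
	return 0;
}
```

With a host-side length of 0x90, a device that returns only 0x20 bytes, param_offset 0x40 and param_size 8, the unfixed path computes a copy length of 224 (256 + 0x20 - 0x40) for an 8-byte output buffer, while the hardened function rejects the request with -EINVAL; offsets that still fit in the shortened descriptor are clamped and copied normally.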