RE: [PATCH v4 3/5] scsi: ufs: fix potential access NULL pointer while memcpy
From: Avri Altman
Date: Mon Jun 01 2020 - 02:25:18 EST
Hi,
> If param_offset is not 0, the memcpy length shouldn't be the
> true descriptor length.
>
> Fixes: a4b0e8a4e92b ("scsi: ufs: Factor out ufshcd_read_desc_param")
> Signed-off-by: Bean Huo <beanhuo@xxxxxxxxxx>
> ---
> drivers/scsi/ufs/ufshcd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> index f7e8bfefe3d4..bc52a0e89cd3 100644
> --- a/drivers/scsi/ufs/ufshcd.c
> +++ b/drivers/scsi/ufs/ufshcd.c
> @@ -3211,7 +3211,7 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
>
> /* Check wherher we will not copy more data, than available */
> if (is_kmalloc && param_size > buff_len)
> - param_size = buff_len;
> + param_size = buff_len - param_offset;
But Is_kmalloc is true if (param_offset != 0 || param_size < buff_len)
So if (is_kmalloc && param_size > buff_len) implies that param_offset is 0,
Or did I get it wrong?
Still, I think that there is a problem here because nowhere we are checking that
param_offset + param_size < buff_len, which now can happen because of ufs-bsg.
Maybe you can add it and get rid of that is_kmalloc which is an awkward way to test for valid values?
Thanks,
Avri
>
> if (is_kmalloc)
> memcpy(param_read_buf, &desc_buf[param_offset], param_size);
> --
> 2.17.1