[PATCH] ufs: core: Fix heap corruption due to out of bounds write
Marek Vasut
marek.vasut at mailbox.org
Mon Mar 30 19:20:35 CEST 2026
On 3/30/26 10:03 AM, Neil Armstrong wrote:
[...]
>> diff --git a/drivers/ufs/ufs-uclass.c b/drivers/ufs/ufs-uclass.c
>> index 81fd431f951..6a51f337e47 100644
>> --- a/drivers/ufs/ufs-uclass.c
>> +++ b/drivers/ufs/ufs-uclass.c
>> @@ -1751,7 +1751,15 @@ static int ufshcd_read_string_desc(struct
>> ufs_hba *hba, int desc_index,
>> goto out;
>> }
>> - buff_ascii = kmalloc(ascii_len, GFP_KERNEL);
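Review bot: the quoted hunk shows only the removed `buff_ascii = kmalloc(ascii_len, GFP_KERNEL);`, while the `@@ -1751,7 +1751,15 @@` header says eight lines were added, so the replacement allocation cannot be checked from this excerpt. For the out-of-bounds write named in the subject to be closed, the new size must be an upper bound on the UTF-8 output for the UTF-16 payload length (the `(desc_len - QUERY_DESC_HDR_SIZE) * 2 + 1` proposed further down is such a bound), and the conversion call must be passed that same bound rather than a length computed separately; a NULL check on the kmalloc() result before the first write also belongs here, since the function already has the `goto out` error path visible in the context lines.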
>
> I think the whole function is a mess; I think we would rewrite it with
> something like this:
>
> ...
> int max_len;
> int ascii_len;
>
> max_len = (desc_len - QUERY_DESC_HDR_SIZE) * 2 + 1;
> buff_ascii = kmalloc(max_len, GFP_KERNEL);
>
> ascii_len = utf16_to_utf8(buff_ascii,
> (uint16_t *)&buf[QUERY_DESC_HDR_SIZE], max_len);
> ...
>
> So we stop having random len, and use the _real_ len returned by
> utf16_to_utf8.
Maybe we should port the utf16s_to_utf8s() from Linux instead?
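As an added example (my own code, not U-Boot's utf16_to_utf8() and not the patch under discussion): a bounded UTF-16LE to UTF-8 conversion that sizes the destination from the worst case and refuses a write that would not fit, which is the property an allocation derived from a separately computed `ascii_len` lacks. The function names and the 3-bytes-per-unit factor are my choices; the input layout (UTF-16LE payload after a descriptor header) follows the thread.

```c
#include <stdint.h>
#include <string.h>

/* A UTF-16 code unit expands to at most 3 UTF-8 bytes (a surrogate pair, two
 * units, yields 4), so this per-unit factor plus a NUL bounds the output. */
#define MAX_UTF8_PER_UTF16 3

/* Allocation size that is always large enough for n_units UTF-16 units. */
size_t utf8_worst_case_size(size_t n_units)
{
	return n_units * MAX_UTF8_PER_UTF16 + 1;
}

/* Convert n_units UTF-16LE code units from src into dst (dst_size bytes,
 * NUL included). Returns bytes written without the NUL, or -1 when the
 * output would not fit: the write is refused rather than overflowing. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t n_units,
			    char *dst, size_t dst_size)
{
	size_t out = 0;
	for (size_t i = 0; i < n_units; i++) {
		uint32_t cp = src[2 * i] | (uint32_t)src[2 * i + 1] << 8;
		size_t len;
		/* Fold a high/low surrogate pair into one code point. */
		if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < n_units) {
			uint32_t lo = src[2 * i + 2] | (uint32_t)src[2 * i + 3] << 8;
			if (lo >= 0xDC00 && lo <= 0xDFFF) {
				cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
				i++;
			}
		}
		if (cp >= 0xD800 && cp <= 0xDFFF)
			cp = 0xFFFD; /* lone surrogate: emit U+FFFD instead */
		len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
		if (out + len + 1 > dst_size) /* refuse rather than write past dst */
			return -1;
		if (len == 1) {
			dst[out] = (char)cp;
		} else {
			/* Lead byte: 110x/1110/11110 marker, then 6-bit continuations. */
			dst[out] = (char)((0xF00 >> len) | (cp >> (6 * (len - 1))));
			for (size_t k = 1; k < len; k++)
				dst[out + k] = (char)(0x80 | ((cp >> (6 * (len - 1 - k))) & 0x3F));
		}
		out += len;
	}
	dst[out] = '\0';
	return (int)out;
}
```

A caller sizes the buffer with utf8_worst_case_size() for the number of UTF-16 units in the descriptor payload and treats -1 as a hard error, so a non-ASCII string can never write past the allocation.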
More information about the U-Boot mailing list