From cbe193f6f093b79fd1ab998dd95f73f874fb4733 Mon Sep 17 00:00:00 2001 From: Bean Huo Date: Wed, 3 Jun 2020 11:19:57 +0200 Subject: [PATCH] scsi: ufs: Fix potential NULL pointer access during memcpy If param_offset is not 0, the memcpy length shouldn't be the true descriptor length. Link: https://lore.kernel.org/r/20200603091959.27618-4-huobean@gmail.com Acked-by: Avri Altman Signed-off-by: Bean Huo Signed-off-by: Martin K. Petersen --- drivers/scsi/ufs/ufshcd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 228895053ab1..50364a1680f4 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -3223,8 +3223,8 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, } /* Check wherher we will not copy more data, than available */ - if (is_kmalloc && param_size > buff_len) - param_size = buff_len; + if (is_kmalloc && (param_offset + param_size) > buff_len) + param_size = buff_len - param_offset; if (is_kmalloc) memcpy(param_read_buf, &desc_buf[param_offset], param_size);