Mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2026-06-02 09:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

ufs: core: Fix heap corruption due to out of bounds write

Browse Source 
The ufshcd_read_string_desc() can perform out of bounds write and
corrupt heap in case the input utf-16 string contains code points
which convert to anything more than plain 7-bit ASCII string.

This occurs because utf16_to_utf8(dst, src, size) in U-Boot behaves
differently than Linux utf16s_to_utf8s(..., maxlen), but the porting
process did not take that into consideration. The U-Boot variant of
the function converts up to $size utf-16 fixed-length 16-bit input
characters into as many 1..4 Byte long variable-length utf-8 output
characters. That means for 16 Byte input, the output can be up to 64
Bytes long. The Linux variant converts up utf-16 input into up to
$maxlen Bytes worth of utf-8 output, but stops at the $maxlen limit.
That means for 16 Byte input with maxlen=32, the processing will stop
after writing 32 output Bytes.

In case of U-Boot, use of utf16_to_utf8() leads to potential corruption
of data past the $size Bytes and therefore corruption of surrounding
content on the heap.

The fix is as simple, allocate buffer that is sufficient to fit the
utf-8 string. The rest of the code in ufshcd_read_string_desc() does
correctly limit the buffer to fit into the DMA descriptor afterward.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Link: https://patch.msgid.link/20260329231151.332108-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
This commit is contained in:
Marek Vasut
2026-03-30 01:11:36 +02:00
committed by Neil Armstrong
parent c7299ff33e
commit c7ebdb9871
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/ufs/ufs-uclass.c
View File

@@ -1751,7 +1751,15 @@ static int ufshcd_read_string_desc(struct ufs_hba *hba, int desc_index,
goto out;
}
buff_ascii = kmalloc(ascii_len, GFP_KERNEL);
/*
* utf-8 is encoded using up to 4-Bytes per character,
* however, we only allocate such a buffer because the
* utf16_to_utf8() converts the entire $ascii_len worth
* of input characters into up to 4-Byte long utf-8
* characters. The rest of the function uses only up to
* $ascii_len bytes of that utf-8 string.
*/
buff_ascii = kmalloc(ascii_len * 4, GFP_KERNEL);
if (!buff_ascii) {
err = -ENOMEM;
goto out;