ghsa-44fw-3x9p-jf29
Vulnerability from github
Published
2025-09-11 18:35
Modified
2025-09-11 18:35
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE

On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0.

This is because the left hand side of the shift is 1, which is of type int, i.e. 31 bits wide. Shifting by more than that width results in undefined behaviour.

Fix this by switching to the BIT() macro, which applies correct type casting as required. This ensures the correct value is written to UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift warning:

UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'

For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE write.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39788"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T17:15:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n    shift exponent 32 is too large for 32-bit type \u0027int\u0027\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite.",
  "id": "GHSA-44fw-3x9p-jf29",
  "modified": "2025-09-11T18:35:52Z",
  "published": "2025-09-11T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39788"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.