Bug 2394652 (CVE-2025-39788) - CVE-2025-39788 kernel: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
Summary: CVE-2025-39788 kernel: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
Keywords:
Status: NEW
Alias: CVE-2025-39788
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-11 17:04 UTC by OSIDB Bzimport
Modified: 2025-09-12 12:25 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-11 17:04:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE

On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
and in this case the driver ends up programming the UTRL_NEXUS_TYPE
incorrectly as 0.

This is because the left hand side of the shift is 1, which is of type
int, i.e. 31 bits wide. Shifting by more than that width results in
undefined behaviour.

Fix this by switching to the BIT() macro, which applies correct type
casting as required. This ensures the correct value is written to
UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
warning:

    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
    shift exponent 32 is too large for 32-bit type 'int'

For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
write.
Comment 1 Mauro Matteo Cascella 2025-09-12 12:25:51 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091152-CVE-2025-39788-a86f@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.