| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yif8svaBscrL9WZk@T590>
Date: Wed, 9 Mar 2022 09:02:42 +0800
From: Ming Lei <ming.lei@...hat.com>
To: Keith Busch <kbusch@...nel.org>
Cc: Maurizio Lombardi <mlombard@...hat.com>,
linux-nvme@...ts.infradead.org, axboe@...com,
Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>, Ming Lei <minlei@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: nvme-host: disk corruptions when issuing IDENTIFY commands via
ioctl()
On Tue, Mar 08, 2022 at 04:39:04PM -0800, Keith Busch wrote:
> On Wed, Mar 09, 2022 at 08:18:47AM +0800, Ming Lei wrote:
> > Given NVMe spec states that data length of IDENTIFY command should be
> > 4096bytes, and PRP list can't be used.
> >
> > So looks nvme driver need to validate the command before submitting to
> > hardware, otherwise any buggy application can break FS or memory easily.
>
> No way. The driver does not police the user passthrough interface for
> these kinds of things.
So you trust application to provide correct data always?
>From user viewpoint, this defect provides one easy hole to break FS or
memory, it is one serious issue, IMO. The FS/memory corruption can
be reproduced easily even in VM.
> It couldn't ever be complete or future proof if
> it did.
But the spec states clearly the data length of IDENTIFY command is 4096
and PRP list can't be used, so why do you think it isn't complete or
future proof to validate data length of IDENTIFY in nvme driver?
Thanks,
Ming
Powered by blists - more mailing lists