| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251126163600.583036-3-stefanha@redhat.com> Date: Wed, 26 Nov 2025 11:35:58 -0500 From: Stefan Hajnoczi <stefanha@...hat.com> To: linux-block@...r.kernel.org Cc: "Martin K. Petersen" <martin.petersen@...cle.com>, linux-kernel@...r.kernel.org, "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>, Mike Christie <michael.christie@...cle.com>, Jens Axboe <axboe@...nel.dk>, linux-nvme@...ts.infradead.org, Keith Busch <kbusch@...nel.org>, Sagi Grimberg <sagi@...mberg.me>, linux-scsi@...r.kernel.org, Christoph Hellwig <hch@....de>, Stefan Hajnoczi <stefanha@...hat.com> Subject: [PATCH 2/4] nvme: reject invalid pr_read_keys() num_keys values The pr_read_keys() interface has a u32 num_keys parameter. The NVMe Reservation Report command has a u32 maximum length. Reject num_keys values that are too large to fit. This will become important when pr_read_keys() is exposed to untrusted userspace via an <linux/pr.h> ioctl. Signed-off-by: Stefan Hajnoczi <stefanha@...hat.com> --- drivers/nvme/host/pr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c index ca6a74607b139..476a0518a11ca 100644 --- a/drivers/nvme/host/pr.c +++ b/drivers/nvme/host/pr.c @@ -233,6 +233,11 @@ static int nvme_pr_read_keys(struct block_device *bdev, int ret, i; bool eds; + /* Check that keys fit into u32 rse_len */ + if (num_keys > -(u32)offsetof(typeof(*rse), regctl_eds) / + sizeof(rse->regctl_eds[0])) + return -EINVAL; + /* * Assume we are using 128-bit host IDs and allocate a buffer large * enough to get enough keys to fill the return keys buffer. -- 2.52.0
Powered by blists - more mailing lists