| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSdoeEX_L2-3ccpF@kbusch-mbp>
Date: Wed, 26 Nov 2025 13:52:08 -0700
From: Keith Busch <kbusch@...nel.org>
To: Eugene Korenevsky <ekorenevsky@...yun.com>
Cc: Jens Axboe <axboe@...nel.dk>, Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>, linux-nvme@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob
On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> Broken or malicious controller can send invalid ns id.
> Out-of-band memory access may occur if remaining buffer size
> is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
>
> Fix this issue by making nvme_process_id_decs() function aware of
> remaining buffer size.
>
> Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> branches with table lookup.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky@...yun.com>
> ---
> drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> 1 file changed, 39 insertions(+), 41 deletions(-)
Is this simpler check not sufficient?
---
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index fa534f1d6b27a..6cc43cbb04dd9 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1566,7 +1566,7 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
struct nvme_ns_id_desc *cur = data + pos;
- if (cur->nidl == 0)
+ if (cur->nidl == 0 || cur->nidl + pos > NVME_IDENTIFY_DATA_SIZE)
break;
len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
--
Powered by blists - more mailing lists