| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251127155424.617569-3-stefanha@redhat.com> Date: Thu, 27 Nov 2025 10:54:22 -0500 From: Stefan Hajnoczi <stefanha@...hat.com> To: linux-block@...r.kernel.org Cc: Keith Busch <kbusch@...nel.org>, "Martin K. Petersen" <martin.petersen@...cle.com>, linux-kernel@...r.kernel.org, "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>, Christoph Hellwig <hch@....de>, Mike Christie <michael.christie@...cle.com>, linux-nvme@...ts.infradead.org, Jens Axboe <axboe@...nel.dk>, linux-scsi@...r.kernel.org, Sagi Grimberg <sagi@...mberg.me>, Stefan Hajnoczi <stefanha@...hat.com> Subject: [PATCH v2 2/4] nvme: reject invalid pr_read_keys() num_keys values The pr_read_keys() interface has a u32 num_keys parameter. The NVMe Reservation Report command has a u32 maximum length. Reject num_keys values that are too large to fit. This will become important when pr_read_keys() is exposed to untrusted userspace via an <linux/pr.h> ioctl. Signed-off-by: Stefan Hajnoczi <stefanha@...hat.com> --- drivers/nvme/host/pr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c index ca6a74607b139..156a2ae1fac2e 100644 --- a/drivers/nvme/host/pr.c +++ b/drivers/nvme/host/pr.c @@ -233,6 +233,10 @@ static int nvme_pr_read_keys(struct block_device *bdev, int ret, i; bool eds; + /* Check that keys fit into u32 rse_len */ + if (num_keys > (U32_MAX - sizeof(*rse)) / sizeof(rse->regctl_eds[0])) + return -EINVAL; + /* * Assume we are using 128-bit host IDs and allocate a buffer large * enough to get enough keys to fill the return keys buffer. -- 2.52.0
Powered by blists - more mailing lists