| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251127144916.GA9423@lst.de> Date: Thu, 27 Nov 2025 15:49:16 +0100 From: Christoph Hellwig <hch@....de> To: Keith Busch <kbusch@...nel.org> Cc: Eugene Korenevsky <ekorenevsky@...yun.com>, Jens Axboe <axboe@...nel.dk>, Christoph Hellwig <hch@....de>, Sagi Grimberg <sagi@...mberg.me>, linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob On Wed, Nov 26, 2025 at 01:52:08PM -0700, Keith Busch wrote: > On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote: > > Broken or malicious controller can send invalid ns id. > > Out-of-band memory access may occur if remaining buffer size > > is less than .nidl (ns id length) field of `struct nvme_ns_id_desc` > > > > Fix this issue by making nvme_process_id_decs() function aware of > > remaining buffer size. > > > > Also simplify nvme_process_id_decs(): replace copy-pasted `case` > > branches with table lookup. > > > > Signed-off-by: Eugene Korenevsky <ekorenevsky@...yun.com> > > --- > > drivers/nvme/host/core.c | 80 ++++++++++++++++++++-------------------- > > 1 file changed, 39 insertions(+), 41 deletions(-) > > Is this simpler check not sufficient? I think we'll need a somewhat more complex check that at there is at least enough space for the len member. But I prefer that style over a table lookup and magic name pasting macros.
Powered by blists - more mailing lists