[PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes

From: liuxixin

Date: Thu May 28 2026 - 05:42:11 EST


Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty <nj.shetty@xxxxxxxxxxx>
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: liuxixin <gliuxen@xxxxxxxxx>
---
drivers/nvme/host/core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 766157ba6..40e87b563 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
desc = log;
end = log + size - sizeof(*h);
for (i = 0; i < fdp_idx; i++) {
- log += le16_to_cpu(desc->dsze);
+ u16 dsze = le16_to_cpu(desc->dsze);
+
+ if (!dsze || log + dsze > end) {
+ dev_warn(ctrl->device,
+ "FDP invalid config descriptor at index %d\n", i);
+ ret = 0;
+ goto out;
+ }
+ log += dsze;
desc = log;
if (log >= end) {
dev_warn(ctrl->device,
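Review bot: the added check at the top of the loop bounds the advance, but not the read of desc->dsze itself or the size of the descriptor it describes. A non-zero dsze smaller than sizeof(*desc) still passes `if (!dsze || log + dsze > end)`, and it can leave log less than sizeof(*desc) bytes short of end, where the existing `log >= end` test does not fire and the next iteration's `le16_to_cpu(desc->dsze)` reads past the buffer. Consider rejecting `dsze < sizeof(*desc)` as well, and requiring that a full descriptor header still fits before end after the advance. With the new test in place, the following `log >= end` branch can only trigger when log + dsze == end, so the two conditions could be folded into one by using `>=` in the new check, if the differing warning text is not needed. Separately, `ret = 0` on a malformed log reports success to the caller; a short comment saying that this is intentional (FDP treated as unavailable rather than a probe failure) would help, if that is the intent.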
--
2.43.0