Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob

Next message: kernel test robot: "Re: [PATCH v4 2/3] tracing/fprobe: Support comma-separated symbols and :entry/:exit"
Previous message: Stefano Garzarella: "Re: [PATCH net-next v12 11/12] selftests/vsock: add tests for host &lt;-&gt; vm connectivity with namespaces"
In reply to: Eugene Korenevsky: "Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob"
Next in thread: Eugene Korenevsky: "Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christoph Hellwig

Date: Thu Nov 27 2025 - 09:49:26 EST

On Wed, Nov 26, 2025 at 01:52:08PM -0700, Keith Busch wrote:
> On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> > Broken or malicious controller can send invalid ns id.
> > Out-of-band memory access may occur if remaining buffer size
> > is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
> >
> > Fix this issue by making nvme_process_id_decs() function aware of
> > remaining buffer size.
> >
> > Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> > branches with table lookup.
> >
> > Signed-off-by: Eugene Korenevsky <ekorenevsky@xxxxxxxxxx>
> > ---
> > drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> > 1 file changed, 39 insertions(+), 41 deletions(-)
>
> Is this simpler check not sufficient?

I think we'll need a somewhat more complex check that at there
is at least enough space for the len member. But I prefer that
style over a table lookup and magic name pasting macros.