Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob

Next message: Thomas Gleixner: "Re: [PATCH v7 3/4] rseq: Make rseq work with protection keys"
Previous message: NeilBrown: "Re: [linux-next:master] [VFS/nfsd/cachefiles/ovl] 7ab96df840: WARNING:at_fs/dcache.c:#umount_check"
In reply to: Eugene Korenevsky: "[PATCH] nvme: nvme_identify_ns_descs: prevent oob"
Next in thread: Eugene Korenevsky: "Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Keith Busch

Date: Wed Nov 26 2025 - 15:52:10 EST

On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> Broken or malicious controller can send invalid ns id.
> Out-of-band memory access may occur if remaining buffer size
> is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
>
> Fix this issue by making nvme_process_id_decs() function aware of
> remaining buffer size.
>
> Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> branches with table lookup.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky@xxxxxxxxxx>
> ---
> drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> 1 file changed, 39 insertions(+), 41 deletions(-)

Is this simpler check not sufficient?

---
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index fa534f1d6b27a..6cc43cbb04dd9 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1566,7 +1566,7 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
struct nvme_ns_id_desc *cur = data + pos;

- if (cur->nidl == 0)
+ if (cur->nidl == 0 || cur->nidl + pos > NVME_IDENTIFY_DATA_SIZE)
break;

len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
--