Re: [PATCH v4] nvme: nvme_identify_ns_descs: prevent oob
From: Keith Busch
Date: Thu Dec 04 2025 - 11:09:21 EST

On Tue, Dec 02, 2025 at 09:22:13PM +0300, Eugene Korenevsky wrote:
> A broken or malicious controller can send an invalid ns id.
> Out-of-band memory access may occur if the remaining buffer size
> is less than the .nidl (ns id length) field of `struct nvme_ns_id_desc`.
>
> Fix this issue by checking (header size + .nidl) against
> remaining buffer length.

Thanks, applied to nvme-6.19 with the line length wrap fixed up.
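
The check described in the quoted commit message, as an added user-space example that is not part of this thread and is not the applied kernel patch. The function name `count_ns_descs`, the sample buffers, the 4-byte header size and the rule that a zero `nidl` ends the list are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_HDR_LEN 4u  /* assumed header: nidt (1) + nidl (1) + reserved (2) */

/*
 * Walk a namespace ID descriptor list held in buf[0..buf_len).
 * Returns the number of well-formed descriptors, or -1 when a
 * descriptor's header + nidl runs past the remaining buffer.
 */
int count_ns_descs(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int n = 0;

    /* Only read a header when a whole header is still in the buffer. */
    while (buf_len - pos >= DESC_HDR_LEN) {
        size_t remaining = buf_len - pos;
        size_t nidl = buf[pos + 1];   /* length field supplied by the device */

        if (nidl == 0)                /* assumed: zero length ends the list */
            break;
        if (DESC_HDR_LEN + nidl > remaining)
            return -1;                /* ID bytes would lie outside the buffer */
        pos += DESC_HDR_LEN + nidl;   /* safe: pos stays <= buf_len */
        n++;
    }
    return n;
}

/* Constructed sample: one descriptor with a 16-byte ID, then a zero terminator. */
static const uint8_t good_list[24] = { 0x03, 0x10 };
/* Constructed sample: header claims 16 ID bytes but only 4 follow. */
static const uint8_t short_list[8] = { 0x03, 0x10, 0, 0, 1, 2, 3, 4 };

int main(void)
{
    printf("good:  %d\n", count_ns_descs(good_list, sizeof(good_list)));
    printf("short: %d\n", count_ns_descs(short_list, sizeof(short_list)));
    return 0;
}
```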