Re: [PATCH] nvmet: pci-epf: fix heap overflow for invalid I/O SQES/CQES from the host
From: Damien Le Moal
Date: Mon Apr 27 2026 - 01:30:56 EST
On 4/24/26 11:24 PM, Junrui Luo wrote:
> nvmet_pci_epf_enable_ctrl() computes ctrl->io_sqes and ctrl->io_cqes
> from the host-controlled CC.IOSQES/CC.IOCQES fields and only rejects
> values below sizeof(struct nvme_command) / sizeof(struct nvme_completion).
> The resulting sizes are used as DMA transfer lengths against the
> fixed-size iod->cmd (64B) and iod->cqe (16B) buffers.
>
> An oversized IOSQES causes nvmet_pci_epf_transfer() to overflow
> iod->cmd with host-controlled data, and an oversized IOCQES causes
> memcpy_toio() to leak adjacent slab memory back to the host.
>
> Change both checks from '<' to '!='.
>
> Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Looks OK.
Reviewed-by: Damien Le Moal <dlemoal@xxxxxxxxxx>
--
Damien Le Moal
Western Digital Research
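The quoted message describes a size check that only rejected entry sizes smaller than the fixed buffers, so a larger host-supplied IOSQES/IOCQES passed validation and was then used as a DMA length. The block below is an added illustration, not code from the patch or from the kernel driver: it models both forms of the check side by side and adds a bounds check at the copy itself. The constants `NVME_CMD_SIZE`/`NVME_CQE_SIZE` stand in for `sizeof(struct nvme_command)` and `sizeof(struct nvme_completion)`, and the function names and the `strict` flag are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdbool.h>

/* Assumed sizes of the fixed per-I/O buffers the message describes (64-byte
 * command, 16-byte completion). Plain constants here, not the driver's
 * real struct definitions. */
#define NVME_CMD_SIZE 64u
#define NVME_CQE_SIZE 16u

/* CC.IOSQES / CC.IOCQES are 4-bit fields encoding the entry size as 2^n. */
static inline unsigned int entry_size_from_field(uint8_t field)
{
    return 1u << (field & 0xf);   /* range 1 .. 32768 bytes */
}

/*
 * Hypothetical model of the controller-enable validation.
 * strict == false mirrors the original '<' comparison (only "too small"
 * is rejected); strict == true mirrors the fix, which demands an exact
 * match with the fixed buffer sizes.
 * Returns 0 on success and -EINVAL when the host-supplied sizes are rejected.
 */
int check_io_queue_entry_sizes(uint8_t iosqes, uint8_t iocqes, bool strict,
                               unsigned int *io_sqes, unsigned int *io_cqes)
{
    unsigned int sqes = entry_size_from_field(iosqes);
    unsigned int cqes = entry_size_from_field(iocqes);

    if (strict) {
        if (sqes != NVME_CMD_SIZE || cqes != NVME_CQE_SIZE)
            return -EINVAL;
    } else {
        if (sqes < NVME_CMD_SIZE || cqes < NVME_CQE_SIZE)
            return -EINVAL;
    }

    *io_sqes = sqes;
    *io_cqes = cqes;
    return 0;
}

/*
 * Second line of defence at the copy: refuse any transfer length that does
 * not fit the destination, so a wrong size check upstream still cannot
 * overrun the fixed command buffer. Returns bytes copied or -EINVAL.
 */
int copy_sq_entry(uint8_t *cmd_buf, size_t cmd_buf_len,
                  const uint8_t *host_entry, unsigned int io_sqes)
{
    if (io_sqes > cmd_buf_len)
        return -EINVAL;
    memcpy(cmd_buf, host_entry, io_sqes);
    return (int)io_sqes;
}
```

With `strict` set, the only accepted encoding is IOSQES=6 (64 bytes) and IOCQES=4 (16 bytes); the lenient form accepts IOSQES=7 (128 bytes) even though the command buffer is 64 bytes, which is exactly the gap the patch closes. The length check in `copy_sq_entry` is the kind of guard worth keeping at the transfer site regardless, since it catches the mismatch at the last point before memory is written.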