[PATCH] nvmet: passthru: fix OOB reads when parsing ns id descriptor list
From: Hari Mishal
Date: Fri Jul 17 2026 - 10:44:23 EST
nvmet_passthru_override_id_descs() walks a namespace identification
descriptor list populated from the underlying passthru controller's
Identify response, which is device reported. The loop advanced pos by
device controlled amounts (sizeof(*cur) + nidl) without checking that
the next descriptor header actually fits inside the buffer, so a
malicious device could push pos to within a few bytes of the buffer end
and cause cur->nidl, cur->nidt or the reserved field to be read past the
allocation.
Additionally, when a CSI descriptor lands exactly at the last valid
header offset, cur + 1 points one byte past the end of the buffer.
The unconditional memcpy(&csi, cur + 1, NVME_NIDT_CSI_LEN) could read
that out-of-bounds byte and copy it back to the initiator via
nvmet_copy_to_sgl(), leaking adjacent heap memory.
Bounds check both the descriptor header and the CSI value before
dereferencing them.
Signed-off-by: Hari Mishal <harimishal1@xxxxxxxxx>
---
drivers/nvme/target/passthru.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c
index e27f84e3cf2b..7ef02958078b 100644
--- a/drivers/nvme/target/passthru.c
+++ b/drivers/nvme/target/passthru.c
@@ -53,13 +53,21 @@ static u16 nvmet_passthru_override_id_descs(struct nvmet_req *req)
for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
struct nvme_ns_id_desc *cur = data + pos;
+ if (pos + sizeof(*cur) > NVME_IDENTIFY_DATA_SIZE)
+ break;
+
if (cur->nidl == 0)
break;
+
if (cur->nidt == NVME_NIDT_CSI) {
+ if (pos + sizeof(*cur) + NVME_NIDT_CSI_LEN > NVME_IDENTIFY_DATA_SIZE)
+ break;
+
memcpy(&csi, cur + 1, NVME_NIDT_CSI_LEN);
csi_seen = true;
break;
}
+
len = sizeof(struct nvme_ns_id_desc) + cur->nidl;
}
--
2.43.0