From: Leo Stone
To: hch@lst.de, sagi@grimberg.me, kch@nvidia.com
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, Leo Stone, syzbot+ff4aab278fa7e27e0f9e@syzkaller.appspotmail.com
Subject: [PATCH v2] nvmet: Don't overflow subsysnqn
Date: Wed, 18 Dec 2024 08:04:59 -0800
Message-ID: <20241218160458.9587-2-leocstone@gmail.com>

nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed
size buffer, even though it is dynamically allocated to the size of the
string. Create a new string with kstrdup instead of using the old buffer.

Reported-by: syzbot+ff4aab278fa7e27e0f9e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ff4aab278fa7e27e0f9e
Fixes: 95409e277d83 ("nvmet: implement unique discovery NQN")
Signed-off-by: Leo Stone
---
v2: Allocate memory outside the lock and handle errors.
v1: https://lore.kernel.org/all/20241218005909.89092-2-leocstone@gmail.com/

---
 drivers/nvme/target/configfs.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index eeee9e9b854c..3c9c98250cce 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -2254,12 +2254,17 @@ static ssize_t nvmet_root_discovery_nqn_store(struc= t config_item *item, const char *page, size_t count) { struct list_head *entry; + char *new_nqn; size_t len; =20 len =3D strcspn(page, "\n"); if (!len || len > NVMF_NQN_FIELD_LEN - 1) return -EINVAL; =20 + new_nqn =3D kstrdup(page, GFP_KERNEL); + if (!new_nqn) + return -ENOMEM; + down_write(&nvmet_config_sem); list_for_each(entry, &nvmet_subsystems_group.cg_children) { struct config_item *item =3D @@ -2268,11 +2273,12 @@ static ssize_t nvmet_root_discovery_nqn_store(struc= t config_item *item, if (!strncmp(config_item_name(item), page, len)) { pr_err("duplicate NQN %s\n", config_item_name(item)); up_write(&nvmet_config_sem); + kfree(new_nqn); return -EINVAL; } } - memset(nvmet_disc_subsys->subsysnqn, 0, NVMF_NQN_FIELD_LEN); - memcpy(nvmet_disc_subsys->subsysnqn, page, len); + kfree(nvmet_disc_subsys->subsysnqn); + nvmet_disc_subsys->subsysnqn =3D new_nqn; up_write(&nvmet_config_sem); =20 return len; --=20 2.43.0
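Review bot: in the first hunk, `new_nqn = kstrdup(page, GFP_KERNEL)` ignores `len`, so the string that ends up stored includes the trailing newline and anything written after it, while the length check (`len > NVMF_NQN_FIELD_LEN - 1`), the duplicate check (`strncmp(config_item_name(item), page, len)`) and the removed `memcpy(..., page, len)` all operate on exactly the first `len` bytes. Use `kstrndup(page, len, GFP_KERNEL)` so the allocated NQN is the validated, newline-free string and can never exceed the length that was just checked.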
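Review bot: in the second hunk, replacing the in-place `memset`/`memcpy` with `kfree(nvmet_disc_subsys->subsysnqn)` plus a pointer swap changes the lifetime model: previously the `subsysnqn` pointer was stable and only its contents changed under `nvmet_config_sem`, now the old buffer is freed. Any reader that dereferences `nvmet_disc_subsys->subsysnqn` without holding `nvmet_config_sem` would move from seeing a possibly partially updated string to a use-after-free, so the commit message should state that all readers take the lock (or the old buffer should otherwise be kept alive until they are done).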