From: Samuel Moelius
To: Dan Williams
Cc: Samuel Moelius, Vishal Verma, Dave Jiang, Ira Weiny, Alison Schofield, Guangshuo Li, nvdimm@lists.linux.dev (open list:LIBNVDIMM: NON-VOLATILE MEMORY DEVICE SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] nvdimm: ndtest: reject wrapped config-data offsets
Date: Fri, 5 Jun 2026 00:53:36 +0000
Message-ID: <20260605005341.2051848-1-sam.moelius@trailofbits.com>
X-Mailer: git-send-email 2.43.0

The ndtest provider validates get/set config-data requests by adding the
ioctl-provided offset and length and comparing the result against
LABEL_SIZE. That addition can wrap, so an offset such as U32_MAX with a
one-byte length passes validation and then copies from or to
label_area + U32_MAX.

Validate the command buffer shape, then validate the offset first and
validate the length against the remaining label area so wrapped ranges
are rejected before the copy. Report the rejection through the command
status field so the DIMM ioctl ABI returns a nonzero command status
instead of faulting.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius
---
 tools/testing/nvdimm/test/ndtest.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c
index 8e3b6be53839..1df93f5e4cb6 100644
--- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -207,9 +207,15 @@ static int ndtest_config_get(struct ndtest_dimm *p, un= signed int buf_len, { unsigned int len; =20 - if ((hdr->in_offset + hdr->in_length) > LABEL_SIZE) + if (buf_len < sizeof(*hdr) || hdr->in_length > buf_len - sizeof(*hdr)) return -EINVAL; =20 + if (hdr->in_offset > LABEL_SIZE || + hdr->in_length > LABEL_SIZE - hdr->in_offset) { + hdr->status =3D -EINVAL; + return 0; + } + hdr->status =3D 0; len =3D min(hdr->in_length, LABEL_SIZE - hdr->in_offset); memcpy(hdr->out_buf, p->label_area + hdr->in_offset, len); @@ -221,10 +227,20 @@ static int ndtest_config_set(struct ndtest_dimm *p, u= nsigned int buf_len, struct nd_cmd_set_config_hdr *hdr) { unsigned int len; + u32 *status; =20 - if ((hdr->in_offset + hdr->in_length) > LABEL_SIZE) + if (buf_len < sizeof(*hdr) + sizeof(*status) || + hdr->in_length > buf_len - sizeof(*hdr) - sizeof(*status)) return -EINVAL; =20 + status =3D (void *)hdr + sizeof(*hdr) + hdr->in_length; + if (hdr->in_offset > LABEL_SIZE || + hdr->in_length > LABEL_SIZE - hdr->in_offset) { + *status =3D -EINVAL; + return 0; + } + + *status =3D 0; len =3D min(hdr->in_length, LABEL_SIZE - hdr->in_offset); memcpy(p->label_area + hdr->in_offset, hdr->in_buf, len); =20 --=20 2.43.0
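Review bot: in the ndtest_config_get hunk, once the new `hdr->in_offset > LABEL_SIZE || hdr->in_length > LABEL_SIZE - hdr->in_offset` guard is in place, the retained `len = min(hdr->in_length, LABEL_SIZE - hdr->in_offset);` can only ever evaluate to hdr->in_length, so the min() now reads as if clamped partial reads were still possible; consider passing hdr->in_length to the memcpy directly, or add a comment that the clamp is deliberately kept as a second line of defence. A smaller point: because the guard uses `>` rather than `>=`, in_offset == LABEL_SIZE is accepted with a zero-length read from label_area + LABEL_SIZE; that is harmless, but if zero-length reads at the very end are not meant to succeed, `>=` would reject them in the same place.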
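Review bot: in the ndtest_config_set hunk, `status = (void *)hdr + sizeof(*hdr) + hdr->in_length;` puts the u32 at an offset chosen by in_length, which need not be a multiple of four, so `*status = -EINVAL;` and `*status = 0;` are potentially unaligned 32-bit stores; if that is the ABI position of the status word, a put_unaligned() or a comment stating why a plain store is acceptable here would make the intent explicit. Since the success path now also writes `*status = 0;`, the stricter buffer-shape check (`buf_len < sizeof(*hdr) + sizeof(*status) || hdr->in_length > buf_len - sizeof(*hdr) - sizeof(*status)`) is load-bearing for every caller, not only for the rejection path, and the commit message could say so. The `len = min(...)` after the new range guard is redundant here for the same reason as in the get path.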
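The wrap described in the commit message, shown as an added example in user-space C that is not code from the kernel tree or from the patch author. It places the pre-patch wrapping check beside the overflow-safe form, and a handler that follows the patch's structure (buffer-shape error returned as -EINVAL, out-of-range request reported in the status word). The value of LABEL_SIZE (1024 here), the header layout (u32 in_offset, u32 in_length, u32 status, then out_buf[]), and the helper names `range_ok_wrapping`, `range_ok_safe`, `config_get` and `try_get` are this example's own assumptions; the label-area contents and command buffer are constructed inline.

```c
/*
 * Added example, not code from the kernel tree or from the patch author.
 * It models the ndtest get-config-data range check in user space so the
 * 32-bit wrap described in the commit message can be observed beside the
 * overflow-safe form of the check.
 *
 * Assumptions (chosen for this example, not taken from the patch):
 *   - LABEL_SIZE is 1024 bytes;
 *   - the header mirrors the get-config-data layout
 *     (u32 in_offset, u32 in_length, u32 status, then out_buf[]);
 *   - buf_len is the total size of the command buffer, as in ndtest.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LABEL_SIZE 1024u
#define OUT_ROOM   16u	/* out_buf bytes available in the constructed command buffer */

struct get_config_hdr {
	uint32_t in_offset;
	uint32_t in_length;
	uint32_t status;
	uint8_t out_buf[];
};

/* Pre-patch check: the 32-bit sum wraps, so offset U32_MAX + length 1 == 0 passes. */
int range_ok_wrapping(uint32_t in_offset, uint32_t in_length)
{
	return (in_offset + in_length) <= LABEL_SIZE;
}

/* Patched check: bound the offset first, then the length against what remains. */
int range_ok_safe(uint32_t in_offset, uint32_t in_length)
{
	if (in_offset > LABEL_SIZE)
		return 0;
	return in_length <= LABEL_SIZE - in_offset;
}

/*
 * Hardened handler following the patch's structure: -EINVAL is returned only
 * for a command buffer too small for the request (buffer shape); a request
 * outside the label area is reported in hdr->status and the call returns 0.
 */
int config_get(const uint8_t *label_area, size_t buf_len,
	       struct get_config_hdr *hdr)
{
	if (buf_len < sizeof(*hdr) || hdr->in_length > buf_len - sizeof(*hdr))
		return -EINVAL;

	if (!range_ok_safe(hdr->in_offset, hdr->in_length)) {
		hdr->status = (uint32_t)-EINVAL;
		return 0;
	}

	hdr->status = 0;
	/* After range_ok_safe() a min() clamp would always pick in_length. */
	memcpy(hdr->out_buf, label_area + hdr->in_offset, hdr->in_length);
	return 0;
}

/*
 * Issue one request against a constructed label area (byte i holds i & 0xff)
 * using a command buffer with OUT_ROOM bytes of output space.
 * Returns -1 if the handler rejected the buffer shape, 1 if it reported the
 * range in hdr->status, 2 if it copied the bytes and they match the label
 * area, and -2 if the copy was wrong.
 */
int try_get(uint32_t in_offset, uint32_t in_length)
{
	static uint8_t label_area[LABEL_SIZE];
	uint32_t raw[(sizeof(struct get_config_hdr) + OUT_ROOM) / sizeof(uint32_t)];
	struct get_config_hdr *hdr = (struct get_config_hdr *)raw;
	int rc;

	for (uint32_t i = 0; i < LABEL_SIZE; i++)
		label_area[i] = (uint8_t)i;
	memset(raw, 0, sizeof(raw));
	hdr->in_offset = in_offset;
	hdr->in_length = in_length;

	rc = config_get(label_area, sizeof(raw), hdr);
	if (rc < 0)
		return -1;
	if (hdr->status != 0)
		return 1;
	for (uint32_t i = 0; i < in_length; i++)
		if (hdr->out_buf[i] != label_area[in_offset + i])
			return -2;
	return 2;
}
```

The two rejection channels are kept distinct on purpose: a request whose in_length does not fit the command buffer is a malformed ioctl and fails the call, while a request that fits the buffer but not the label area completes with a nonzero status word, which is what the commit message describes. Note that `try_get(UINT32_MAX, 1)` reaches the range check and is rejected there, whereas the pre-patch `range_ok_wrapping(UINT32_MAX, 1)` accepts it.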