Date: Sat, 29 Nov 2025 23:03:05 +0300
From: Eugene Korenevsky
To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] nvme: nvme_identify_ns_descs: prevent oob

A broken or malicious controller can send an invalid ns id. Out-of-band memory access may occur if the remaining buffer size is less than the .nidl (ns id length) field of `struct nvme_ns_id_desc`.

Fix this issue by counting the remaining buffer length and checking .nidl against it.

Signed-off-by: Eugene Korenevsky
---
v1->v2:
* Simplification: do not touch nvme_process_ns_desc()
* Update commit description
---
drivers/nvme/host/core.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index f1f719351f3f..62143f256a63 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -1538,7 +1538,8 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *c= trl, { struct nvme_command c =3D { }; bool csi_seen =3D false; - int status, pos, len; + int status, len, remain; + struct nvme_ns_id_desc *cur; void *data; =20 if (ctrl->vs < NVME_VS(1, 3, 0) && !nvme_multi_css(ctrl))
@@ -1563,17 +1564,21 @@ static int nvme_identify_ns_descs(struct nvme_ctrl = *ctrl, goto free_data; } =20 - for (pos =3D 0; pos < NVME_IDENTIFY_DATA_SIZE; pos +=3D len) { - struct nvme_ns_id_desc *cur =3D data + pos; - + remain =3D NVME_IDENTIFY_DATA_SIZE; + cur =3D data; + while (remain >=3D sizeof(*cur)) { if (cur->nidl =3D=3D 0) break; + if (sizeof(*cur) + cur->nidl > remain) + break; =20 len =3D nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen); if (len < 0) break; =20 len +=3D sizeof(*cur); + remain -=3D len; + cur +=3D len; } =20 if (nvme_multi_css(ctrl) && !csi_seen) { --=20 2.47.3
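Review bot: the advance at the end of the loop in the second hunk, `cur += len;`, is wrong now that `cur` is declared as `struct nvme_ns_id_desc *` in the first hunk: pointer arithmetic scales by `sizeof(*cur)`, so each iteration steps `len * sizeof(*cur)` bytes instead of `len` bytes, and the second and later descriptors are read from the wrong offsets (the new length check still keeps the reads inside the 4096-byte buffer, but the parsed identifiers are garbage). The removed code did not have this problem because `data` is `void *` and `pos` was a byte offset (`cur = data + pos`). Either keep a byte pointer and cast when dereferencing, or write `cur = (void *)cur + len;`. A smaller point on the same hunk: `remain` is `int` while `sizeof(*cur)` is `size_t`, so `remain >= sizeof(*cur)` and `sizeof(*cur) + cur->nidl > remain` compare as unsigned; that is safe only because the length check guarantees `remain` never goes negative, which deserves a comment or an unsigned `remain`.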
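The bounds-checked descriptor walk this patch describes, as an added stand-alone example in plain C that is not part of the patch or the kernel tree: it redeclares the 4-byte descriptor header, rejects any descriptor whose header plus .nidl would exceed the remaining buffer, and advances by bytes rather than by struct elements. The struct name, function names, buffer sizes and descriptor contents are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Same 4-byte header as the kernel's struct nvme_ns_id_desc (redeclared here). */
struct ns_id_desc {
	uint8_t  nidt;      /* descriptor type */
	uint8_t  nidl;      /* payload length in bytes; 0 terminates the list */
	uint16_t reserved;
};

/* Walk a controller-supplied descriptor list of `size` bytes; return how many
 * descriptors fit. Stops at the terminator or the first over-long descriptor. */
static int walk_ns_descs(const uint8_t *data, size_t size)
{
	const uint8_t *pos = data;  /* byte pointer: advanced by bytes, not elements */
	size_t remain = size;
	int count = 0;

	while (remain >= sizeof(struct ns_id_desc)) {
		struct ns_id_desc cur;
		memcpy(&cur, pos, sizeof(cur));         /* header is known to fit */
		if (cur.nidl == 0)
			break;                          /* end of list */
		if (sizeof(cur) + cur.nidl > remain)
			break;                          /* payload would overrun the buffer */
		count++;
		remain -= sizeof(cur) + cur.nidl;
		pos += sizeof(cur) + cur.nidl;
	}
	return count;
}

/* Constructed: 8-byte EUI-64 and 16-byte NGUID descriptors, then a zero terminator. */
static int demo_well_formed(void)
{
	uint8_t buf[64] = { 0 };
	buf[0] = 1;  buf[1] = 8;    /* nidt=1, nidl=8:  bytes 0..11  */
	buf[12] = 2; buf[13] = 16;  /* nidt=2, nidl=16: bytes 12..31 */
	return walk_ns_descs(buf, sizeof(buf));
}

/* Constructed hostile input: the final header fits but its 16-byte payload does not. */
static int demo_oversized_tail(void)
{
	uint8_t buf[16] = { 0 };
	buf[0] = 1;  buf[1] = 8;
	buf[12] = 3; buf[13] = 16;  /* 4 + 16 > 4 bytes remaining: rejected */
	return walk_ns_descs(buf, sizeof(buf));
}
```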