[PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify

All of lore.kernel.org
 help / color / mirror / Atom feed

From: scott.bauer@intel.com (Scott Bauer)
Subject: [PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify
Date: Thu, 23 Feb 2017 18:48:47 -0700	[thread overview]
Message-ID: <1487900927-29348-1-git-send-email-scott.bauer@intel.com> (raw)

There are two closely named structs in lightnvm:
struct nvme_nvm_addr_format and
struct nvme_addr_format.

The first struct has 4 reserved bytes at the end, the second does not.
(gdb) p sizeof(struct nvme_nvm_addr_format)
$1 = 16
(gdb) p sizeof(struct nvm_addr_format)
$2 = 12

In the nvme_nvm_identify function we memcpy from the larger struct to the
smaller struct. We incorrectly pass the length of the larger struct
and overflow by 4 bytes, lets not do that.

Signed-off-by: Scott Bauer <scott.bauer at intel.com>
---
 drivers/nvme/host/lightnvm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/lightnvm.c b/drivers/nvme/host/lightnvm.c
index 21cac85..fd98954 100644
--- a/drivers/nvme/host/lightnvm.c
+++ b/drivers/nvme/host/lightnvm.c
@@ -324,7 +324,7 @@ static int nvme_nvm_identity(struct nvm_dev *nvmdev, struct nvm_id *nvm_id)
 	nvm_id->cap = le32_to_cpu(nvme_nvm_id->cap);
 	nvm_id->dom = le32_to_cpu(nvme_nvm_id->dom);
 	memcpy(&nvm_id->ppaf, &nvme_nvm_id->ppaf,
-					sizeof(struct nvme_nvm_addr_format));
+					sizeof(struct nvm_addr_format));

 	ret = init_grps(nvm_id, nvme_nvm_id);
 out:
-- 
2.7.4

next             reply	other threads:[~2017-02-24  1:48 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-24  1:48 Scott Bauer [this message]
2017-02-24 15:43 ` [PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify Keith Busch
2017-02-24 16:42   ` Matias Bjørling

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:21cac85 dfblob:fd98954 )
 OR (
bs:"[PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1487900927-29348-1-git-send-email-scott.bauer@intel.com \
    --to=scott.bauer@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.