From: hch@infradead.org (Christoph Hellwig)
Subject: [PATCH 9/8] nvme: fix kernel memory corruption with short INQUIRY buffers
Date: Tue, 21 Apr 2015 13:32:17 -0700
Message-ID: <20150421203217.GA30340@infradead.org>
In-Reply-To: <1429388864-29648-1-git-send-email-hch@lst.de>

If userspace asks for less than 36 byte INQUIRY buffers the SCSI
translation layer will happily write past the end of the allocation.

This is fairly easily reproducible by running the libiscsi test
suite and then starting an xfstests run.

Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation")
Signed-off-by: Christoph Hellwig <hch at lst.de>
---
 drivers/block/nvme-scsi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/block/nvme-scsi.c b/drivers/block/nvme-scsi.c
index cf2b6c0..b92ff76 100644
--- a/drivers/block/nvme-scsi.c
+++ b/drivers/block/nvme-scsi.c
@@ -2005,7 +2005,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
 	page_code = cmd[2];
 	alloc_len = get_unaligned_be16(&cmd[3]);
 
-	inq_response = kmalloc(alloc_len, GFP_KERNEL);
+	inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
+				GFP_KERNEL);
 	if (inq_response == NULL) {
 		res = -ENOMEM;
 		goto out_mem;
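Review bot: At the kmalloc() call, the new floor is STANDARD_INQUIRY_LENGTH, but the Fixes: tag names the VPD 83h translation, so please confirm that no handler selected by page_code writes more than max(alloc_len, STANDARD_INQUIRY_LENGTH) bytes into inq_response; if one does, the minimum should be the largest response any handler builds. Because the buffer can now be larger than alloc_len, the copy back to userspace must stay bounded by alloc_len, and kzalloc() would keep any bytes the handlers leave unwritten from being uninitialized heap contents. Note also that max() requires both operands to have the same type, so if alloc_len and STANDARD_INQUIRY_LENGTH differ in type, max_t() is needed. A one-line comment above the allocation explaining why the minimum exists would help future readers.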
-- 
1.9.1

Thread overview: 14+ messages
2015-04-18 20:27 NVMe SCSI translation layer updates Christoph Hellwig
2015-04-18 20:27 ` [PATCH 1/8] nvme: remove the unused dma_addr_t arguments to nvme_{get, set}_features Christoph Hellwig
2015-04-18 20:27 ` [PATCH 2/8] nvme: split nvme_trans_send_fw_cmd Christoph Hellwig
2015-04-18 20:27 ` [PATCH 3/8] nvme: fix scsi translation error handling Christoph Hellwig
2015-04-18 20:27 ` [PATCH 4/8] nvme: first round at deobsfucating the scsi translation code Christoph Hellwig
2015-04-18 20:27 ` [PATCH 5/8] nvme: simplify and cleanup the READ/WRITE SCSI CDB parsing code Christoph Hellwig
2015-04-18 20:27 ` [PATCH 6/8] nvme: handle invalid SCSI LBAs correctly Christoph Hellwig
2015-04-27 18:00   ` Busch, Keith
2015-04-27 19:28     ` Christoph Hellwig
2015-04-27 19:55       ` Keith Busch
2015-05-01 16:02         ` Christoph Hellwig
2015-04-18 20:27 ` [PATCH 7/8] nvme: report the DPOFUA in MODE_SENSE Christoph Hellwig
2015-04-18 20:27 ` [PATCH 8/8] nvme: fail SCSI read/write command with unsupported protection bit Christoph Hellwig
2015-04-21 20:32 ` Christoph Hellwig [this message]
