From: Keith Busch <kbusch@kernel.org>
To: Chao Shi <coshi036@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
Daniel Wagner <dwagner@suse.de>, Hannes Reinecke <hare@suse.de>,
Maurizio Lombardi <mlombard@arkamax.eu>,
Sungwoo Kim <iam@sung-woo.kim>, Dave Tian <daveti@purdue.edu>,
Weidong Zhu <weizhu@fiu.edu>
Subject: Re: [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace
Date: Wed, 20 May 2026 13:33:30 -0600 [thread overview]
Message-ID: <ag4Mism3AV_2nPDR@kbusch-mbp> (raw)
In-Reply-To: <20260515185853.2761456-1-coshi036@gmail.com>
On Fri, May 15, 2026 at 02:58:53PM -0400, Chao Shi wrote:
> nvme_update_ns_info_block() trusts id->lbaf[lbaf].ds from the
> controller and assigns it directly to ns->head->lba_shift without
> bounds checking. nvme_lba_to_sect() then does:
>
> return lba << (head->lba_shift - SECTOR_SHIFT);
>
> When called with lba = le64_to_cpu(id->nsze) to compute the device
> capacity, an attacker-controlled controller can choose ds < 9 or a
> combination of (ds, nsze) that makes the left shift overflow
> sector_t. The former is a C undefined behaviour that UBSAN reports
> as a BUG; the latter silently yields a bogus capacity that the
> block layer then trusts for bounds checking.
>
> Validate ds against SECTOR_SHIFT and use check_shl_overflow() to
> compute capacity so that any (ds, nsze) combination that would
> overflow sector_t is rejected. The namespace is skipped with
> -ENODEV instead of crashing the kernel. This is reachable by a
> malicious NVMe device, a buggy firmware, or an attacker-controlled
> NVMe-oF target.
Thanks, applied to nvme-7.2.
next prev parent reply other threads:[~2026-05-20 19:33 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 18:58 [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace Chao Shi
2026-05-20 19:33 ` Keith Busch [this message]
2026-06-02 13:10 ` John Garry
2026-06-02 15:15 ` Keith Busch
2026-06-02 15:42 ` Keith Busch
2026-06-02 16:18 ` John Garry
2026-06-03 10:08 ` John Garry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ag4Mism3AV_2nPDR@kbusch-mbp \
--to=kbusch@kernel.org \
--cc=axboe@kernel.dk \
--cc=coshi036@gmail.com \
--cc=daveti@purdue.edu \
--cc=dwagner@suse.de \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=iam@sung-woo.kim \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=mlombard@arkamax.eu \
--cc=sagi@grimberg.me \
--cc=weizhu@fiu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.