From: Keith Busch <kbusch@kernel.org>
To: hexlabsecurity@proton.me
Cc: "security@kernel.org" <security@kernel.org>,
"hch@lst.de" <hch@lst.de>, "sagi@grimberg.me" <sagi@grimberg.me>,
"kch@nvidia.com" <kch@nvidia.com>,
"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: [REPORT] nvmet-rdma: integer overflow in inline-data SGL bounds check -> pre-auth kernel-memory read + remote crash (candidate patch inline)
Date: Fri, 29 May 2026 10:09:14 -0600 [thread overview]
Message-ID: <ahm6Ksr3rfGdnOsN@kbusch-mbp> (raw)
In-Reply-To: <LM21QIR-1-qJb7PViyJKCnGBnUzizeiNJVWQ3wb7ZwGezodjgKg3f-iobqOyequ-sT1jFCKJImfqNO_BKU3KO80xFITnaI5GTV_GxLUNDDc=@proton.me>
On Fri, May 29, 2026 at 06:52:13AM +0000, hexlabsecurity@proton.me wrote:
> @@ -847,6 +848,7 @@ static u16 nvmet_rdma_map_sgl_inline(struct nvmet_rdma_rsp *rsp)
> struct nvme_sgl_desc *sgl = &rsp->req.cmd->common.dptr.sgl;
> u64 off = le64_to_cpu(sgl->addr);
> u32 len = le32_to_cpu(sgl->length);
> + u64 bound;
>
> if (!nvme_is_write(rsp->req.cmd)) {
> rsp->req.error_loc =
> @@ -854,7 +856,8 @@ static u16 nvmet_rdma_map_sgl_inline(struct nvmet_rdma_rsp *rsp)
> return NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
> }
>
> - if (off + len > rsp->queue->dev->inline_data_size) {
> + if (check_add_overflow(off, (u64)len, &bound) ||
> + bound > rsp->queue->dev->inline_data_size) {
Since you don't use "bound" for anything other than the final check, I
think we make this simpler without it:
if (off > rsp->queue->dev->inline_data_size ||
len > rsp->queue->dev->inline_data_size - off) {
Thanks for the report.
prev parent reply other threads:[~2026-05-29 16:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 6:52 [REPORT] nvmet-rdma: integer overflow in inline-data SGL bounds check -> pre-auth kernel-memory read + remote crash (candidate patch inline) hexlabsecurity
2026-05-29 16:09 ` Keith Busch [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahm6Ksr3rfGdnOsN@kbusch-mbp \
--to=kbusch@kernel.org \
--cc=hch@lst.de \
--cc=hexlabsecurity@proton.me \
--cc=kch@nvidia.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=linux-rdma@vger.kernel.org \
--cc=sagi@grimberg.me \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox