From: Chaitanya Kulkarni <chaitanyak@nvidia.com>
To: Alon Zahavi <zahavi.alon@gmail.com>
Cc: Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>,
"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>
Subject: Re: [Bug Report] NVMe-oF/TCP - Slab OOB Read in `nvmet_ctrl_find_get`
Date: Wed, 8 Nov 2023 08:46:20 +0000
Message-ID: <1dd5331f-626c-4503-9323-77de0b0db886@nvidia.com>
In-Reply-To: <CAK5usQuJ=-1wt5LxHnWtrS_3iOeG-TWy9D88WA1EHSVv+hUNJQ@mail.gmail.com>
> ## Root Cause
> As explained above, the root cause for this bug is the fact that there
> are no NULL terminators to the strings in the object representing the
> `struct nvmf_connect_data`.
Can you see if this works for you? It should at least take care of the
subsysnqn and hostnqn being accessed as NULL-terminated strings.
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 3935165048e7..569046b6a269 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1235,13 +1235,19 @@ struct nvmet_ctrl *nvmet_ctrl_find_get(const
char *subsysnqn,
const char *hostnqn, u16 cntlid,
struct nvmet_req *req)
{
+ char subsysnqn_str[NVMF_NQN_SIZE + 1] = { 0 };
+ char hostnqn_str[NVMF_NQN_SIZE + 1] = { 0 };
struct nvmet_ctrl *ctrl = NULL;
struct nvmet_subsys *subsys;
- subsys = nvmet_find_get_subsys(req->port, subsysnqn);
+ /* subsysnqn & hostnqn may not be NULL ternimated */
+ strncpy(subsysnqn_str, subsysnqn, NVMF_NQN_SIZE);
+ strncpy(hostnqn_str, hostnqn, NVMF_NQN_SIZE);
+
+ subsys = nvmet_find_get_subsys(req->port, subsysnqn_str);
if (!subsys) {
pr_warn("connect request for invalid subsystem %s!\n",
- subsysnqn);
+ subsysnqn_str);
req->cqe->result.u32 = IPO_IATTR_CONNECT_DATA(subsysnqn);
goto out;
}
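Review bot: the comment on the `/* subsysnqn & hostnqn may not be NULL ternimated */` line has a typo ("ternimated"), and since the source fields are fixed-size NVMF_NQN_SIZE arrays copied into already zeroed NVMF_NQN_SIZE + 1 buffers, a plain `memcpy(subsysnqn_str, subsysnqn, NVMF_NQN_SIZE);` states the intent (bounded copy plus guaranteed terminator) more directly than `strncpy`, which checkpatch tends to flag. The unchanged `IPO_IATTR_CONNECT_DATA(subsysnqn)` is fine to leave as is, because it only names the field and does not read through the pointer.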
@@ -1249,7 +1255,7 @@ struct nvmet_ctrl *nvmet_ctrl_find_get(const char
*subsysnqn,
mutex_lock(&subsys->lock);
list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry) {
if (ctrl->cntlid == cntlid) {
- if (strncmp(hostnqn, ctrl->hostnqn,
NVMF_NQN_SIZE)) {
+ if (strncmp(hostnqn_str, ctrl->hostnqn,
NVMF_NQN_SIZE)) {
pr_warn("hostnqn mismatch.\n");
continue;
}
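Review bot: keeping the NVMF_NQN_SIZE bound on `strncmp(hostnqn_str, ctrl->hostnqn, NVMF_NQN_SIZE)` is correct here: only the left-hand side is now guaranteed terminated, and the bound is still what protects the `ctrl->hostnqn` side, so this hunk is behaviour-preserving and the local copy is used consistently with the first hunk.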
@@ -1263,7 +1269,7 @@ struct nvmet_ctrl *nvmet_ctrl_find_get(const char
*subsysnqn,
ctrl = NULL; /* ctrl not found */
pr_warn("could not find controller %d for subsys %s / host %s\n",
- cntlid, subsysnqn, hostnqn);
+ cntlid, subsysnqn_str, hostnqn_str);
req->cqe->result.u32 = IPO_IATTR_CONNECT_DATA(cntlid);
found:
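Review bot: this `%s` in `pr_warn("could not find controller %d for subsys %s / host %s\n", cntlid, subsysnqn_str, hostnqn_str);`, together with the earlier "connect request for invalid subsystem %s" message, are the places where an unterminated NQN is read to its end, so switching both to the terminated copies covers the printing sites within this function; it would help reviewers to say so in the commit message and to mention that `nvmet_find_get_subsys()` now also receives a terminated string.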
-ck