From: keith.busch@intel.com (Keith Busch)
Subject: [PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify
Date: Fri, 24 Feb 2017 10:43:44 -0500 [thread overview]
Message-ID: <20170224154343.GA15307@localhost.localdomain> (raw)
In-Reply-To: <1487900927-29348-1-git-send-email-scott.bauer@intel.com>
+Matias
On Thu, Feb 23, 2017@06:48:47PM -0700, Scott Bauer wrote:
> There are two closely named structs in lightnvm:
> struct nvme_nvm_addr_format and
> struct nvme_addr_format.
>
> The first struct has 4 reserved bytes at the end, the second does not.
> (gdb) p sizeof(struct nvme_nvm_addr_format)
> $1 = 16
> (gdb) p sizeof(struct nvm_addr_format)
> $2 = 12
We need Matias to resolve what the size of these structs are supposed
to be. There is a compile time assert:
sizeof(struct nvme_nvm_addr_format) == 128
that should clearly fail, but the compiler removes _nvme_nvm_check_size
since it's not called from anywhere. lightnvm has a couple badly assumed
struct sizes, but I don't know if the struct is incorrectly defined or
if the assert is wrong.
> In the nvme_nvm_identify function we memcpy from the larger struct to the
> smaller struct. We incorrectly pass the length of the larger struct
> and overflow by 4 bytes, lets not do that.
>
> Signed-off-by: Scott Bauer <scott.bauer at intel.com>
> ---
> drivers/nvme/host/lightnvm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/nvme/host/lightnvm.c b/drivers/nvme/host/lightnvm.c
> index 21cac85..fd98954 100644
> --- a/drivers/nvme/host/lightnvm.c
> +++ b/drivers/nvme/host/lightnvm.c
> @@ -324,7 +324,7 @@ static int nvme_nvm_identity(struct nvm_dev *nvmdev, struct nvm_id *nvm_id)
> nvm_id->cap = le32_to_cpu(nvme_nvm_id->cap);
> nvm_id->dom = le32_to_cpu(nvme_nvm_id->dom);
> memcpy(&nvm_id->ppaf, &nvme_nvm_id->ppaf,
> - sizeof(struct nvme_nvm_addr_format));
> + sizeof(struct nvm_addr_format));
next prev parent reply other threads:[~2017-02-24 15:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-24 1:48 [PATCH] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify Scott Bauer
2017-02-24 15:43 ` Keith Busch [this message]
2017-02-24 16:42 ` Matias Bjørling
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170224154343.GA15307@localhost.localdomain \
--to=keith.busch@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox