[PATCH v3] nvme: nvme_identify_ns

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

* [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob
@ 2025-12-01 19:43 Eugene Korenevsky
  2025-12-02  0:27 ` Keith Busch
  0 siblings, 1 reply; 5+ messages in thread
From: Eugene Korenevsky @ 2025-12-01 19:43 UTC (permalink / raw)
  To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg,
	linux-nvme, linux-kernel

Broken or malicious controller can send invalid ns id.
Out-of-band memory access may occur if remaining buffer size
is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`

Fix this issue by checking (header size + .nidl) against
remaining buffer length.

Also small minor related fix: `pos` should be unsigned size_t,
not signed int.

Signed-off-by: Eugene Korenevsky <ekorenevsky@aliyun.com>
---
v1->v2:
 * Simplification: do not touch nvme_process_ns_desc()
 * Update commit description
v2->v3:
 * Even more simplification
 * Replace while with do-while as first pre-loop condition
   check is pointless
 * Change `pos` type: int -> size_t
 * Update commit description
---
 drivers/nvme/host/core.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f1f719351f3f..73263545e3cd 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1538,8 +1538,10 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
 {
 	struct nvme_command c = { };
 	bool csi_seen = false;
-	int status, pos, len;
+	int status, len;
+	size_t pos;
 	void *data;
+	struct nvme_ns_id_desc *cur;
 
 	if (ctrl->vs < NVME_VS(1, 3, 0) && !nvme_multi_css(ctrl))
 		return 0;
@@ -1563,18 +1565,23 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
 		goto free_data;
 	}
 
-	for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
-		struct nvme_ns_id_desc *cur = data + pos;
+	pos = 0;
+	do {
+		cur = data + pos;
 
 		if (cur->nidl == 0)
 			break;
+		/* check ns id desc does not exceed remaining buffer by size */
+		if (cur->nidl + sizeof(*cur) > NVME_IDENTIFY_DATA_SIZE - pos)
+			break;
 
 		len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
 		if (len < 0)
 			break;
 
-		len += sizeof(*cur);
-	}
+		pos += sizeof(*cur);
+		pos += len;
+	} while (pos < NVME_IDENTIFY_DATA_SIZE - sizeof(*cur));
 
 	if (nvme_multi_css(ctrl) && !csi_seen) {
 		dev_warn(ctrl->device, "Command set not reported for nsid:%d\n",
-- 
2.47.3



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob
  2025-12-01 19:43 [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob Eugene Korenevsky
@ 2025-12-02  0:27 ` Keith Busch
  2025-12-02  5:57   ` Christoph Hellwig
  2025-12-02 20:30   ` Eugene Korenevsky
  0 siblings, 2 replies; 5+ messages in thread
From: Keith Busch @ 2025-12-02  0:27 UTC (permalink / raw)
  To: Eugene Korenevsky
  Cc: Jens Axboe, Christoph Hellwig, Sagi Grimberg, linux-nvme,
	linux-kernel

On Mon, Dec 01, 2025 at 10:43:23PM +0300, Eugene Korenevsky wrote:
> -	for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
> -		struct nvme_ns_id_desc *cur = data + pos;
> +	pos = 0;
> +	do {
> +		cur = data + pos;
>  
>  		if (cur->nidl == 0)
>  			break;
> +		/* check ns id desc does not exceed remaining buffer by size */
> +		if (cur->nidl + sizeof(*cur) > NVME_IDENTIFY_DATA_SIZE - pos)
> +			break;
>  
>  		len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
>  		if (len < 0)
>  			break;
>  
> -		len += sizeof(*cur);
> -	}
> +		pos += sizeof(*cur);
> +		pos += len;
> +	} while (pos < NVME_IDENTIFY_DATA_SIZE - sizeof(*cur));

I don't want bikeshed this, but I thought this looked better as a
for-loop. You can just modify the continuing condition instead of
changing the loop type to do-while.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob
  2025-12-02  0:27 ` Keith Busch
@ 2025-12-02  5:57   ` Christoph Hellwig
  2025-12-02 20:30   ` Eugene Korenevsky
  1 sibling, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2025-12-02  5:57 UTC (permalink / raw)
  To: Keith Busch
  Cc: Eugene Korenevsky, Jens Axboe, Christoph Hellwig, Sagi Grimberg,
	linux-nvme, linux-kernel

On Mon, Dec 01, 2025 at 05:27:48PM -0700, Keith Busch wrote:
> I don't want bikeshed this, but I thought this looked better as a
> for-loop. You can just modify the continuing condition instead of
> changing the loop type to do-while.

The reason I went for the while in my whiteboard coding is that it
would allow for keeping len local inside the loop, which I like
in general.  The actual patch doesn't do this anyway, and I don't
care too strongly, so I'm fine with the somewhat more natural for
loop as well.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob
  2025-12-02  0:27 ` Keith Busch
  2025-12-02  5:57   ` Christoph Hellwig
@ 2025-12-02 20:30   ` Eugene Korenevsky
  2025-12-02 20:34     ` Keith Busch
  1 sibling, 1 reply; 5+ messages in thread
From: Eugene Korenevsky @ 2025-12-02 20:30 UTC (permalink / raw)
  To: Keith Busch
  Cc: Jens Axboe, Christoph Hellwig, Sagi Grimberg, linux-nvme,
	linux-kernel

> > -	for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
> > -		struct nvme_ns_id_desc *cur = data + pos;

> > +	pos = 0;
> > +	do {

> > +	} while (pos < NVME_IDENTIFY_DATA_SIZE - sizeof(*cur));

> I don't want bikeshed this, but I thought this looked better as a
> for-loop. You can just modify the continuing condition instead of
> changing the loop type to do-while.

OK, tried to make the patch as close as possible to previous code.
See v4.

Also, adding 'pos += len' to modified `for` makes the line longer
than 80 symbols. However, checkpatch.pl says it is OK. Let me know
if it should be fixed somehow (e.g. by moving 'pos += len' to the
end of loop compound statement).


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob
  2025-12-02 20:30   ` Eugene Korenevsky
@ 2025-12-02 20:34     ` Keith Busch
  0 siblings, 0 replies; 5+ messages in thread
From: Keith Busch @ 2025-12-02 20:34 UTC (permalink / raw)
  To: Eugene Korenevsky
  Cc: Jens Axboe, Christoph Hellwig, Sagi Grimberg, linux-nvme,
	linux-kernel

On Tue, Dec 02, 2025 at 11:30:04PM +0300, Eugene Korenevsky wrote:
> OK, tried to make the patch as close as possible to previous code.
> See v4.

Yep, I saw. Mostly looks good to me.
 
> Also, adding 'pos += len' to modified `for` makes the line longer
> than 80 symbols. However, checkpatch.pl says it is OK. Let me know
> if it should be fixed somehow (e.g. by moving 'pos += len' to the
> end of loop compound statement).

The convention for this driver is to wrap lines at 80 characters. But
don't worry about sending a new version for just that; I can fix that
when applying.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-12-02 20:34 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-01 19:43 [PATCH v3] nvme: nvme_identify_ns_descs: prevent oob Eugene Korenevsky
2025-12-02  0:27 ` Keith Busch
2025-12-02  5:57   ` Christoph Hellwig
2025-12-02 20:30   ` Eugene Korenevsky
2025-12-02 20:34     ` Keith Busch

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox