[PATCHv2] nvme: sanitize metadata bounce buffer for reads

[PATCHv2] nvme: sanitize metadata bounce buffer for reads

[Keith Busch]

From: Keith Busch <kbusch@kernel.org>

User can request more metadata bytes than the device will write. Ensure
kernel buffer is initialized so we are not leaking unsanitized memory on
the completion's copy-out.

Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
Signed-off-by: Keith Busch <kbusch@kernel.org>
---
v1->v2:

  correctly split data direction handling (axboe)

 drivers/nvme/host/ioctl.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 788b36e7915ab..eb2ef3e149614 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -36,9 +36,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
 	if (!buf)
 		goto out;
 
-	ret = -EFAULT;
-	if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
-		goto out_free_meta;
+	if (req_op(req) == REQ_OP_DRV_OUT) {
+		ret = -EFAULT;
+		if (copy_from_user(buf, ubuf, len))
+			goto out_free_meta;
+	} else {
+		memset(buf, 0, len);
+	}
 
 	bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
 	if (IS_ERR(bip)) {
-- 
2.34.1

Re: [PATCHv2] nvme: sanitize metadata bounce buffer for reads

[Jens Axboe]

On 10/16/23 5:06 PM, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
> 
> User can request more metadata bytes than the device will write. Ensure
> kernel buffer is initialized so we are not leaking unsanitized memory on
> the completion's copy-out.
> 
> Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
> Signed-off-by: Keith Busch <kbusch@kernel.org>
> ---
> v1->v2:
> 
>   correctly split data direction handling (axboe)
> 
>  drivers/nvme/host/ioctl.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
> index 788b36e7915ab..eb2ef3e149614 100644
> --- a/drivers/nvme/host/ioctl.c
> +++ b/drivers/nvme/host/ioctl.c
> @@ -36,9 +36,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
>  	if (!buf)
>  		goto out;
>  
> -	ret = -EFAULT;
> -	if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
> -		goto out_free_meta;
> +	if (req_op(req) == REQ_OP_DRV_OUT) {
> +		ret = -EFAULT;
> +		if (copy_from_user(buf, ubuf, len))
> +			goto out_free_meta;
> +	} else {
> +		memset(buf, 0, len);
> +	}
>  
>  	bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
>  	if (IS_ERR(bip)) {

Reviewed-by: Jens Axboe <axboe@kernel.dk>

-- 
Jens Axboe

Re: [PATCHv2] nvme: sanitize metadata bounce buffer for reads

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCHv2] nvme: sanitize metadata bounce buffer for reads

[Kanchan Joshi]

On 10/17/2023 4:36 AM, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
> 
> User can request more metadata bytes than the device will write. Ensure
> kernel buffer is initialized so we are not leaking unsanitized memory on
> the completion's copy-out.

Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>

Re: [PATCHv2] nvme: sanitize metadata bounce buffer for reads

[Chaitanya Kulkarni]

On 10/16/23 16:06, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
>
> User can request more metadata bytes than the device will write. Ensure
> kernel buffer is initialized so we are not leaking unsanitized memory on
> the completion's copy-out.
>
> Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
> Signed-off-by: Keith Busch <kbusch@kernel.org>
> ---
>

V2 has a fix for comment posted on v1, looks good.

Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>

-ck