From: Stefan Hajnoczi <stefanha@redhat.com>
To: Christoph Hellwig <hch@lst.de>
Cc: linux-block@vger.kernel.org, Keith Busch <kbusch@kernel.org>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-kernel@vger.kernel.org,
"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
Mike Christie <michael.christie@oracle.com>,
linux-nvme@lists.infradead.org, Jens Axboe <axboe@kernel.dk>,
linux-scsi@vger.kernel.org, Sagi Grimberg <sagi@grimberg.me>
Subject: Re: [PATCH v2 2/4] nvme: reject invalid pr_read_keys() num_keys values
Date: Mon, 1 Dec 2025 11:22:55 -0500 [thread overview]
Message-ID: <20251201162255.GD866564@fedora> (raw)
In-Reply-To: <20251201063649.GB19461@lst.de>
[-- Attachment #1: Type: text/plain, Size: 2403 bytes --]
On Mon, Dec 01, 2025 at 07:36:49AM +0100, Christoph Hellwig wrote:
> On Thu, Nov 27, 2025 at 10:54:22AM -0500, Stefan Hajnoczi wrote:
> > The pr_read_keys() interface has a u32 num_keys parameter. The NVMe
> > Reservation Report command has a u32 maximum length. Reject num_keys
> > values that are too large to fit.
> >
> > This will become important when pr_read_keys() is exposed to untrusted
> > userspace via an <linux/pr.h> ioctl.
> >
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > ---
> > drivers/nvme/host/pr.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
> > index ca6a74607b139..156a2ae1fac2e 100644
> > --- a/drivers/nvme/host/pr.c
> > +++ b/drivers/nvme/host/pr.c
> > @@ -233,6 +233,10 @@ static int nvme_pr_read_keys(struct block_device *bdev,
> > int ret, i;
> > bool eds;
> >
> > + /* Check that keys fit into u32 rse_len */
> > + if (num_keys > (U32_MAX - sizeof(*rse)) / sizeof(rse->regctl_eds[0]))
> > + return -EINVAL;
> > +
>
> We use struct_size to calculate the size below, which saturates on
> overflow. So just checking the rse_len variable returned by the that
> would be nicer. Bonus points for using sizeof_field() instead of
> hardcoding U32_MAX.
Will fix. I don't see how to use sizeof_field() here, but taking
advantage of struct_size() already improves things a lot:
diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
index ca6a74607b139..ad2ecc2f49a97 100644
--- a/drivers/nvme/host/pr.c
+++ b/drivers/nvme/host/pr.c
@@ -228,7 +228,8 @@ static int nvme_pr_resv_report(struct block_device *bdev, void *data,
static int nvme_pr_read_keys(struct block_device *bdev,
struct pr_keys *keys_info)
{
- u32 rse_len, num_keys = keys_info->num_keys;
+ size_t rse_len;
+ u32 num_keys = keys_info->num_keys;
struct nvme_reservation_status_ext *rse;
int ret, i;
bool eds;
@@ -238,6 +239,9 @@ static int nvme_pr_read_keys(struct block_device *bdev,
* enough to get enough keys to fill the return keys buffer.
*/
rse_len = struct_size(rse, regctl_eds, num_keys);
+ if (rse_len > U32_MAX)
+ return -EINVAL;
+
rse = kzalloc(rse_len, GFP_KERNEL);
if (!rse)
return -ENOMEM;
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2025-12-01 16:23 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-27 15:54 [PATCH v2 0/4] block: add IOC_PR_READ_KEYS and IOC_PR_READ_RESERVATION ioctls Stefan Hajnoczi
2025-11-27 15:54 ` [PATCH v2 1/4] scsi: sd: reject invalid pr_read_keys() num_keys values Stefan Hajnoczi
2025-11-27 18:03 ` Hannes Reinecke
2025-12-01 6:34 ` Christoph Hellwig
2025-12-01 15:09 ` Stefan Hajnoczi
2025-12-01 16:23 ` Stefan Hajnoczi
2025-11-27 15:54 ` [PATCH v2 2/4] nvme: " Stefan Hajnoczi
2025-11-27 18:04 ` Hannes Reinecke
2025-12-01 6:36 ` Christoph Hellwig
2025-12-01 16:22 ` Stefan Hajnoczi [this message]
2025-12-02 5:55 ` Christoph Hellwig
2025-12-01 7:11 ` Chaitanya Kulkarni
2025-12-01 7:27 ` Christoph Hellwig
2025-11-27 15:54 ` [PATCH v2 3/4] block: add IOC_PR_READ_KEYS ioctl Stefan Hajnoczi
2025-11-27 18:06 ` Hannes Reinecke
2025-12-01 6:40 ` Christoph Hellwig
2025-12-01 16:33 ` Stefan Hajnoczi
2025-11-27 15:54 ` [PATCH v2 4/4] block: add IOC_PR_READ_RESERVATION ioctl Stefan Hajnoczi
2025-12-01 6:40 ` Christoph Hellwig
2025-11-29 21:44 ` [PATCH v2 0/4] block: add IOC_PR_READ_KEYS and IOC_PR_READ_RESERVATION ioctls Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251201162255.GD866564@fedora \
--to=stefanha@redhat.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=michael.christie@oracle.com \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox