From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934095AbcAZJbc (ORCPT ); Tue, 26 Jan 2016 04:31:32 -0500 Received: from aserp1050.oracle.com ([141.146.126.70]:44854 "EHLO aserp1050.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756480AbcAZJbZ (ORCPT ); Tue, 26 Jan 2016 04:31:25 -0500 Date: Tue, 26 Jan 2016 12:27:34 +0300 From: Dan Carpenter To: Keith Busch , Matias =?iso-8859-1?Q?Bj=F8rling?= Cc: Jens Axboe , linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] nvme: lightnvm: buffer overflow in nvme_nvm_identity() Message-ID: <20160126092734.GE15717@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: userp1040.oracle.com [156.151.31.81] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org nvme_nvm_id->ppaf is 4 bytes larger than nvm_id->ppaf. We're using the larger size struct for the sizeof() so we end up corrupting the first four bytes of nvm_id->groups[]. It doesn't look like we actually want to copy those last bytes anyway. Signed-off-by: Dan Carpenter --- Static analysis, not tested. Please review this one carefully, I think this bug would show up in testing. diff --git a/drivers/nvme/host/lightnvm.c b/drivers/nvme/host/lightnvm.c index 5cd3725..0f0864f 100644 --- a/drivers/nvme/host/lightnvm.c +++ b/drivers/nvme/host/lightnvm.c @@ -319,7 +319,7 @@ static int nvme_nvm_identity(struct nvm_dev *nvmdev, struct nvm_id *nvm_id) nvm_id->cap = le32_to_cpu(nvme_nvm_id->cap); nvm_id->dom = le32_to_cpu(nvme_nvm_id->dom); memcpy(&nvm_id->ppaf, &nvme_nvm_id->ppaf, - sizeof(struct nvme_nvm_addr_format)); + sizeof(struct nvm_addr_format)); ret = init_grps(nvm_id, nvme_nvm_id); out: