* [patch] nvme: lightnvm: buffer overflow in nvme_nvm_identity()
@ 2016-01-26 9:27 Dan Carpenter
2016-01-26 9:56 ` Matias Bjørling
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2016-01-26 9:27 UTC (permalink / raw)
To: Keith Busch, Matias Bjørling
Cc: Jens Axboe, linux-nvme, linux-kernel, kernel-janitors
nvme_nvm_id->ppaf is 4 bytes larger than nvm_id->ppaf. We're using the
larger size struct for the sizeof() so we end up corrupting the
first four bytes of nvm_id->groups[]. It doesn't look like we actually
want to copy those last bytes anyway.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static analysis, not tested. Please review this one carefully, I think
this bug would show up in testing.
diff --git a/drivers/nvme/host/lightnvm.c b/drivers/nvme/host/lightnvm.c
index 5cd3725..0f0864f 100644
--- a/drivers/nvme/host/lightnvm.c
+++ b/drivers/nvme/host/lightnvm.c
@@ -319,7 +319,7 @@ static int nvme_nvm_identity(struct nvm_dev *nvmdev, struct nvm_id *nvm_id)
nvm_id->cap = le32_to_cpu(nvme_nvm_id->cap);
nvm_id->dom = le32_to_cpu(nvme_nvm_id->dom);
memcpy(&nvm_id->ppaf, &nvme_nvm_id->ppaf,
- sizeof(struct nvme_nvm_addr_format));
+ sizeof(struct nvm_addr_format));
ret = init_grps(nvm_id, nvme_nvm_id);
out:
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-01-26 9:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-26 9:27 [patch] nvme: lightnvm: buffer overflow in nvme_nvm_identity() Dan Carpenter
2016-01-26 9:56 ` Matias Bjørling
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox