From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from verein.lst.de (verein.lst.de [213.95.11.211])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 570D428D830
	for <linux-kernel@vger.kernel.org>; Thu, 27 Nov 2025 14:49:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.95.11.211
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764254968; cv=none; b=u4qdsQGktHuba16h5ZEqhmrUkgQcDaVzw4RGPlJHaxAXG3Pzc2N4Q0eXr5/w/uF00nGVpE0FM34sSbC4OEHQWqVi6t00m0LKUtlLxfJGON7XYByqixFIIkekTX113ptYCdjIA2V9XQlDUNzS2VNtFt54LVpC7cI4P6WLB+S7PGM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764254968; c=relaxed/simple;
	bh=FG7JRIf0MYmVi2ySiQnHT4QBONwwqS6ln1uoevF+sXE=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=OHKTGUI+MrLNJ7nIjTbl1B7bBEFVdcA3qxIgHaP4DsuaEA7m2k1cfUS/O0JKd7dEur3jXaDJzpP/RSlnCNNqYnGDT+BuHJkl99gemjaE9DTaL9LBsiiDAx59XQyh+PJ16q0df1i8fGLnuV91wPJRfVSDSANSYsyNsxw2QXsEpxQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=lst.de; spf=pass smtp.mailfrom=lst.de; arc=none smtp.client-ip=213.95.11.211
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=lst.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=lst.de
Received: by verein.lst.de (Postfix, from userid 2407)
	id 9FA1167373; Thu, 27 Nov 2025 15:49:16 +0100 (CET)
Date: Thu, 27 Nov 2025 15:49:16 +0100
From: Christoph Hellwig <hch@lst.de>
To: Keith Busch <kbusch@kernel.org>
Cc: Eugene Korenevsky <ekorenevsky@aliyun.com>,
	Jens Axboe <axboe@kernel.dk>, Christoph Hellwig <hch@lst.de>,
	Sagi Grimberg <sagi@grimberg.me>, linux-nvme@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob
Message-ID: <20251127144916.GA9423@lst.de>
References: <aSdiqVR-o6yNav6I@localhost.localdomain> <aSdoeEX_L2-3ccpF@kbusch-mbp>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aSdoeEX_L2-3ccpF@kbusch-mbp>
User-Agent: Mutt/1.5.17 (2007-11-01)

On Wed, Nov 26, 2025 at 01:52:08PM -0700, Keith Busch wrote:
> On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> > Broken or malicious controller can send invalid ns id.
> > Out-of-band memory access may occur if remaining buffer size
> > is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
> > 
> > Fix this issue by making nvme_process_id_decs() function aware of
> > remaining buffer size.
> > 
> > Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> > branches with table lookup.
> > 
> > Signed-off-by: Eugene Korenevsky <ekorenevsky@aliyun.com>
> > ---
> >  drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> >  1 file changed, 39 insertions(+), 41 deletions(-)
> 
> Is this simpler check not sufficient?

I think we'll need a somewhat more complex check that at there
is at least enough space for the len member.  But I prefer that
style over a table lookup and magic name pasting macros.