From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-vs1-f46.google.com (mail-vs1-f46.google.com [209.85.217.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4A0542C11CB for ; Sat, 18 Apr 2026 04:28:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.217.46 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776486525; cv=none; b=MQ0uZCYwoXp6+TQ9wHwz7u18MGnQsmh/VJ3K99ndaVSSdEIkw/A+EjQ+i2nfJ5lcgEEaZjESFj9RstJ0mKWNP7wEpLC1ZMcEQ/M8wyVVhIY1zj4DkUtGcvlwZDN99zY11WVivZ5mlerTfVnH7YuIgOze+TeqcZC1+evw9mZzejw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776486525; c=relaxed/simple; bh=6ZdV7LGz6lTqrQ967LmuAO1bDPywF5sWerwEcVkgFYo=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=r0xDzoajCJ5xbkHakmHvZ0e+DDmIWWxT42kYQaJP1Kn79iVH3VQGQSrSDvfUwDwt8AFT06scXLwvoxSo9SviAd7n9gmwEFJZhvn3gmHX77xeRgJ/mSNhxSvrbgOXWQexFw/LIfF8ekUL4QCDAzYp7xZJyTEr31HMwk01EZIqM88= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=qpl8SWyx; arc=none smtp.client-ip=209.85.217.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="qpl8SWyx" Received: by mail-vs1-f46.google.com with SMTP id ada2fe7eead31-605def5b80cso442160137.2 for ; Fri, 17 Apr 2026 21:28:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776486523; x=1777091323; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=LXgD7NclC9d98p10sskyzvFvooGgTAnqnSUCs8hQF7Q=; b=qpl8SWyx3nS1uUs/+1fenL38u32/5qCgkvgXUKPMteuoCuv3SmpqrWiAInl21mH9JT wFFki9VugRbahx6Sqyx+e/n8OwJeuHaO311/T5nPZXG+iqPrv6RU7FOW44mUPyv1hbNR RaodF7WCw9A9Dg8b+F50ffKspltGK+gNmTJuusDhfhinlnrMXK/pNCyog+jAc3jcnITv DXUQPa1robexcdHX9RRA3UCycw/6rbpY5gvNyD25PBciNKVee2V7sVZyd5RrWZpHncVJ GrRJ/PW/OZcZPZpqYmUXxb4mdoS213o83uvpY0sq+Is03RXhhduEnuG8LRhIPbziZRka lJDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776486523; x=1777091323; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=LXgD7NclC9d98p10sskyzvFvooGgTAnqnSUCs8hQF7Q=; b=AIZq5JkOabf9+vdfGjDzOpXFsMsVUAEkfLzx19ABLxA9T7NmyYDKbLnVk1ZXvHjG2e slzvj/C5Js9GEr7C2ToQy7i6rIlzSDOOXNxXrB+uM5viDXzj9mTHpd/vglWsvkYuxXO4 Me5XoRd6EwUL+68jwcQxG+yVQsBhQGx7vKCi06jVZFgd/hyOFyfWtG2fZwx8o3BY4NHP /aEKdvs/H8Rbwn0mp0oRKGtJo5Q26aesUk6O3K28BgggUvNd6p0uAqihnfJNMFzkEash nISVftNj6pltOPVPSn98wLEQ/kxPDQUaFonsuGi1RRquj/8fSKrrj3zPYVK3jzPZ4RW1 YRRA== X-Forwarded-Encrypted: i=1; AFNElJ8qMxXQZ63BGaQVnQihBi8nxvq8iIjUNqFENY6GVi/RoQGbHyWFkwkI5tjglR2RYi0qY89wxBGUUXIBSko=@vger.kernel.org X-Gm-Message-State: AOJu0Yx+ad7iKHXwalFrdFQy4SUbz9AZFoXE0BzMRrsHbjvd6T9QB6qx +xJU4ur3cVks/w9lqIE8ue1A6lFSo3Dpgdw09NhGMewiUssnK5n02uN9 X-Gm-Gg: AeBDietMaDZ9vOKJCIDTWXOWojftK1pzRTQi4Xprx5K8DS4fQgtJorrUhPBosVog9Cg Mi7bXc+mtbFfN25yWC197m0+VOAP5eCOpllI427aAqN0wBT0/PaIY/V9q5yJOqoSb2aVbtqdOED 2sF7IskjUeP2YsYFlDVjkTdVkLEAcNXHFOksL7VxrQE3iLJ3h99rv6ZnRrfhwZKCLgK2mlt1l1e s9IHDr1xEheQVF923e6a3fBsGnbKq3C31Ib0c6ZCdMLl8keCc+wzLqloyJKj4plAOrBh/RkrCZl QNNftrye+oyQg2GJaPRYcnhiqwA/ERz/xuDlI4Kqu/VayQ5cze3SEgXhNMZEGdJHH7QCdzW7g0l 0332ZyK5/ngMv5EM9T45xf646jMHXORvetZmnMCD3TNvJ2q56Qse8CG5Z4ouYZ7AsdMSv4TpG83 ebpOLE4nPCXdqPhOVCglbqy/zaOMLupDI/jFVCHQAlFSv2JO7gjKzB X-Received: by 2002:a05:6102:c93:b0:5ff:efdc:e225 with SMTP id ada2fe7eead31-616f53a7d34mr2809005137.3.1776486523112; Fri, 17 Apr 2026 21:28:43 -0700 (PDT) Received: from syssplab.cs.fiu.edu (nat1.cs.fiu.edu. [131.94.134.89]) by smtp.gmail.com with ESMTPSA id ada2fe7eead31-61745d93542sm1697599137.6.2026.04.17.21.28.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Apr 2026 21:28:41 -0700 (PDT) From: Chao Shi To: Keith Busch , Jens Axboe , Christoph Hellwig , Sagi Grimberg , Daniel Wagner , Hannes Reinecke , linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Cc: Chao Shi , Sungwoo Kim , Dave Tian , Weidong Zhu Subject: [PATCH] nvme: core: reject invalid LBA data size from Identify Namespace Date: Sat, 18 Apr 2026 00:28:34 -0400 Message-ID: <20260418042835.420281-1-coshi036@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit nvme_update_ns_info_block() trusts id->lbaf[lbaf].ds from the controller and assigns it directly to ns->head->lba_shift without bounds checking. nvme_lba_to_sect() then does: return lba << (head->lba_shift - SECTOR_SHIFT); When called with lba = le64_to_cpu(id->nsze) to compute the device capacity, an attacker-controlled controller can choose ds < 9 or a combination of (ds, nsze) that makes the left shift overflow sector_t. The former is a C undefined behaviour that UBSAN reports as a BUG; the latter silently yields a bogus capacity that the block layer then trusts for bounds checking. Validate ds against SECTOR_SHIFT and use check_shl_overflow() to compute capacity so that any (ds, nsze) combination that would overflow sector_t is rejected. The namespace is skipped with -EIO instead of crashing the kernel. This is reachable by a malicious NVMe device, a buggy firmware, or an attacker-controlled NVMe-oF target. Stack trace (UBSAN, ds < 9 variant): RIP: nvme_lba_to_sect drivers/nvme/host/nvme.h:699 [inline] RIP: nvme_update_ns_info_block.cold+0x5/0x7 Call Trace: nvme_update_ns_info+0x175/0xd90 drivers/nvme/host/core.c:2467 nvme_validate_ns drivers/nvme/host/core.c:4299 [inline] nvme_scan_ns drivers/nvme/host/core.c:4350 nvme_scan_ns_async+0xa5/0xe0 drivers/nvme/host/core.c:4383 async_run_entry_fn process_one_work worker_thread kthread Found by Syzkaller. Fixes: 9419e71b8d67 ("nvme: move ns id info to struct nvme_ns_head") Acked-by: Sungwoo Kim Acked-by: Dave Tian Acked-by: Weidong Zhu Signed-off-by: Chao Shi --- drivers/nvme/host/core.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 1e33af94c24..9b3bf3e4075 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -2407,9 +2407,19 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns, lim = queue_limits_start_update(ns->disk->queue); memflags = blk_mq_freeze_queue(ns->disk->queue); + if (id->lbaf[lbaf].ds < SECTOR_SHIFT || + check_shl_overflow(le64_to_cpu(id->nsze), + id->lbaf[lbaf].ds - SECTOR_SHIFT, + &capacity)) { + dev_warn_once(ns->ctrl->device, + "invalid LBA data size %u, skipping namespace\n", + id->lbaf[lbaf].ds); + ret = -EIO; + blk_mq_unfreeze_queue(ns->disk->queue, memflags); + goto out; + } ns->head->lba_shift = id->lbaf[lbaf].ds; ns->head->nuse = le64_to_cpu(id->nuse); - capacity = nvme_lba_to_sect(ns->head, le64_to_cpu(id->nsze)); nvme_set_ctrl_limits(ns->ctrl, &lim, false); nvme_configure_metadata(ns->ctrl, ns->head, id, nvm, info); nvme_set_chunk_sectors(ns, id, &lim); -- 2.43.0