Subject: Re: [patch] nvme: lightnvm: buffer overflow in nvme_nvm_identity()
From: Matias Bjørling
Organization: Paletta
To: Dan Carpenter, Keith Busch
Cc: Jens Axboe, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Date: Tue, 26 Jan 2016 10:56:57 +0100
Message-ID: <56A742E9.3040108@bjorling.me>
In-Reply-To: <20160126092734.GE15717@mwanda>
References: <20160126092734.GE15717@mwanda>

On 01/26/2016 10:27 AM, Dan Carpenter wrote:
> nvme_nvm_id->ppaf is 4 bytes larger than nvm_id->ppaf. We're using the
> larger size struct for the sizeof() so we end up corrupting the
> first four bytes of nvm_id->groups[]. It doesn't look like we actually
> want to copy those last bytes anyway.
>

Thanks, Dan. You are right. The four bytes are overwritten afterwards and hid the issue.
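The defect class Dan describes (a memcpy whose length is taken from the larger source struct rather than the destination it writes into), as an added example that is not part of this thread or of the kernel's lightnvm code. The struct names `dev_addr_format`, `core_addr_format`, `dev_id` and `core_id` are constructed stand-ins, laid out so that the device-side format is 4 bytes larger than the in-kernel one and so that `groups[]` directly follows `ppaf`, matching the message; they are not the driver's real definitions. `clobbered_group_bytes()` runs a given copy routine and counts how many leading bytes of `groups[]` it disturbed, which is how the silent 4-byte spill becomes visible, and `copy_ppaf_fixed()` shows the sizeof taken from the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not the kernel's structs): the device-side address
 * format carries four reserved bytes that the in-kernel format does not. */
struct dev_addr_format {          /* 16 bytes, plays the role of nvme_nvm_id->ppaf */
    uint8_t ch_off, ch_len, lun_off, lun_len;
    uint8_t pln_off, pln_len, blk_off, blk_len;
    uint8_t pg_off, pg_len, sect_off, sect_len;
    uint8_t res[4];
};

struct core_addr_format {         /* 12 bytes, plays the role of nvm_id->ppaf */
    uint8_t ch_off, ch_len, lun_off, lun_len;
    uint8_t pln_off, pln_len, blk_off, blk_len;
    uint8_t pg_off, pg_len, sect_off, sect_len;
};

struct dev_id {                   /* constructed stand-in for nvme_nvm_id */
    struct dev_addr_format ppaf;
    uint8_t groups[8];
};

struct core_id {                  /* constructed stand-in for nvm_id */
    struct core_addr_format ppaf; /* groups[] immediately follows ppaf */
    uint8_t groups[8];
};

/* Buggy copy: the length comes from the larger *source* field, so the last
 * 4 bytes land in core_id.groups[0..3] instead of in ppaf. */
void copy_ppaf_buggy(struct core_id *dst, const struct dev_id *src)
{
    memcpy(&dst->ppaf, &src->ppaf, sizeof(src->ppaf));
}

/* Fixed copy: the length comes from the *destination* field, which is the
 * object that bounds the write. The reserved bytes are simply not copied. */
void copy_ppaf_fixed(struct core_id *dst, const struct dev_id *src)
{
    memcpy(&dst->ppaf, &src->ppaf, sizeof(dst->ppaf));
}

/* Runs one copy routine on constructed input and returns how many bytes of
 * dst->groups[] it changed. groups[] is pre-filled with 0xAA and the source's
 * reserved bytes are 0x55, so any spill is easy to recognise. */
int clobbered_group_bytes(void (*copy)(struct core_id *, const struct dev_id *))
{
    struct dev_id src;
    struct core_id dst;
    int changed = 0;
    size_t i;

    memset(&src, 0x11, sizeof(src));
    memset(src.ppaf.res, 0x55, sizeof(src.ppaf.res));
    memset(&dst, 0, sizeof(dst));
    memset(dst.groups, 0xAA, sizeof(dst.groups));

    copy(&dst, &src);

    for (i = 0; i < sizeof(dst.groups); i++)
        if (dst.groups[i] != 0xAA)
            changed++;
    return changed;
}

/* How much larger the source field is than the destination field. */
int ppaf_size_difference(void)
{
    return (int)(sizeof(struct dev_addr_format) - sizeof(struct core_addr_format));
}

int main(void)
{
    printf("source ppaf is %d bytes larger than destination ppaf\n",
           ppaf_size_difference());
    printf("buggy copy clobbers %d byte(s) of groups[]\n",
           clobbered_group_bytes(copy_ppaf_buggy));
    printf("fixed copy clobbers %d byte(s) of groups[]\n",
           clobbered_group_bytes(copy_ppaf_fixed));
    return 0;
}
```

The reason the bug stayed hidden, as the reply notes, is that the spilled bytes sit in a field the caller fills in later, so nothing observable changed; a check like `clobbered_group_bytes()` that inspects the neighbouring field immediately after the copy is what exposes it. The general rule is to size a memcpy by the destination (or by the smaller of the two when the formats genuinely differ), never by the source struct alone.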