From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out30-82.freemail.mail.aliyun.com (out30-82.freemail.mail.aliyun.com [115.124.30.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 548132FB0B9 for ; Wed, 26 Nov 2025 21:45:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.82 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764193518; cv=none; b=XyK0h5SOBVMkAidBtAgEx0qL/NnfHzfUD53/WmZHdCrtviDVxnaymBgCpI5WDPyTBLNkC7i/KNGZ3rLWWDTtTcTFtUUaEGvhC6jTM/bIN/SYVmbHrl3v60iaOWGEITLTzWAckkye7lAZzKpWpXwhJreJbnyZzOn3byID0fragTc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764193518; c=relaxed/simple; bh=TntuyYBHEBWoG9EuOnAsGxCRQOsvHRiq1rprnXqf0/M=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=TQ8n22hxciPVi/T9pvHuxFHAu4iusl2X56waVMnmto3HbUsNvGVbo7vxQjxGuBWJzjWJUfdWTHerJph0WKDyJbGxe9ftLIa9/ZRK4unljofamCBRfaa51EbMxeJF0Aen0QI/sampli2yo8v/yNrUTbQUYeyPS1YGGk7jp7wnP9Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=aliyun.com; spf=pass smtp.mailfrom=aliyun.com; dkim=pass (1024-bit key) header.d=aliyun.com header.i=@aliyun.com header.b=bj9QRtkk; arc=none smtp.client-ip=115.124.30.82 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=aliyun.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aliyun.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=aliyun.com header.i=@aliyun.com header.b="bj9QRtkk" DKIM-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=aliyun.com; s=s1024; t=1764193513; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; bh=yD+Cpr7S28K99HYGJEOreBrsZymLymWB6lpHo+wDaYg=; b=bj9QRtkkt4kfQJk34/20/J8kzP9jf0kbFE5SJ3rq63mU8ahQUA0ek3/mv0LQkgF77zWrFkSpWRzKxVkMIcmZHTn+0FbcOQktCR0VJEkDb6BHnxxTWZBnsCK5/dOYPysUgE3h29P2NzQxV0Q9jfL4gqf/OlZOVv7vqSY6G+V9HkM= Received: from aliyun.com(mailfrom:ekorenevsky@aliyun.com fp:SMTPD_---0WtUEZ.R_1764193510 cluster:ay36) by smtp.aliyun-inc.com; Thu, 27 Nov 2025 05:45:12 +0800 Date: Thu, 27 Nov 2025 00:45:08 +0300 From: Eugene Korenevsky To: Keith Busch Cc: Jens Axboe , Christoph Hellwig , Sagi Grimberg , linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] nvme: nvme_identify_ns_descs: prevent oob Message-ID: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, Nov 26, 2025 at 01:52:08PM -0700, Keith Busch wrote: > Is this simpler check not sufficient? > @@ -1566,7 +1566,7 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl, > for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) { Alas size of ns id header+data may be 4+1=5 if .nidt == NVME_NIDT_CSI. `pos` may be not aligned to 4 (size of `struct nvme_ns_id_desc` header). It can be NVME_IDENTIFY_DATA_SIZE-1 here. And when cur->nidl (i.e. pos+1) is referenced later, we'll get a problem. > struct nvme_ns_id_desc *cur = data + pos; > > - if (cur->nidl == 0) > + if (cur->nidl == 0 || cur->nidl + pos > NVME_IDENTIFY_DATA_SIZE) > break; > > len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen); > --