From: Eugene Korenevsky <ekorenevsky@aliyun.com>
To: Keith Busch <kbusch@kernel.org>, Jens Axboe <axboe@kernel.dk>,
Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] nvme: nvme_identify_ns_descs: prevent oob
Date: Wed, 26 Nov 2025 23:27:21 +0300 [thread overview]
Message-ID: <aSdiqVR-o6yNav6I@localhost.localdomain> (raw)
Broken or malicious controller can send invalid ns id.
Out-of-band memory access may occur if remaining buffer size
is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
Fix this issue by making nvme_process_id_decs() function aware of
remaining buffer size.
Also simplify nvme_process_id_decs(): replace copy-pasted `case`
branches with table lookup.
Signed-off-by: Eugene Korenevsky <ekorenevsky@aliyun.com>
---
drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
1 file changed, 39 insertions(+), 41 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f1f719351f3f..2d1a4b9882ca 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1481,52 +1481,45 @@ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
return error;
}
+struct ns_id_info {
+ __u8 nidl;
+ char *name;
+};
+
+#define NS_ID_INFO(nidt) \
+ [nidt] = {nidt##_LEN, #nidt}
+
+static const struct ns_id_info niis[] = {
+ NS_ID_INFO(NVME_NIDT_EUI64),
+ NS_ID_INFO(NVME_NIDT_NGUID),
+ NS_ID_INFO(NVME_NIDT_UUID),
+ NS_ID_INFO(NVME_NIDT_CSI),
+};
+
static int nvme_process_ns_desc(struct nvme_ctrl *ctrl, struct nvme_ns_ids *ids,
- struct nvme_ns_id_desc *cur, bool *csi_seen)
+ struct nvme_ns_id_desc *cur, int remain,
+ bool *csi_seen)
{
- const char *warn_str = "ctrl returned bogus length:";
- void *data = cur;
+ const char *warn_fmt = "ctrl returned bogus ns id: %u %u %d %s";
+ const struct ns_id_info *nii;
switch (cur->nidt) {
+ case NVME_NIDT_CSI:
+ *csi_seen = true;
+ fallthrough;
case NVME_NIDT_EUI64:
- if (cur->nidl != NVME_NIDT_EUI64_LEN) {
- dev_warn(ctrl->device, "%s %d for NVME_NIDT_EUI64\n",
- warn_str, cur->nidl);
- return -1;
- }
- if (ctrl->quirks & NVME_QUIRK_BOGUS_NID)
- return NVME_NIDT_EUI64_LEN;
- memcpy(ids->eui64, data + sizeof(*cur), NVME_NIDT_EUI64_LEN);
- return NVME_NIDT_EUI64_LEN;
case NVME_NIDT_NGUID:
- if (cur->nidl != NVME_NIDT_NGUID_LEN) {
- dev_warn(ctrl->device, "%s %d for NVME_NIDT_NGUID\n",
- warn_str, cur->nidl);
- return -1;
- }
- if (ctrl->quirks & NVME_QUIRK_BOGUS_NID)
- return NVME_NIDT_NGUID_LEN;
- memcpy(ids->nguid, data + sizeof(*cur), NVME_NIDT_NGUID_LEN);
- return NVME_NIDT_NGUID_LEN;
case NVME_NIDT_UUID:
- if (cur->nidl != NVME_NIDT_UUID_LEN) {
- dev_warn(ctrl->device, "%s %d for NVME_NIDT_UUID\n",
- warn_str, cur->nidl);
+ nii = &niis[cur->nidt];
+ if (cur->nidl != nii->nidl || remain < nii->nidl) {
+ dev_warn(ctrl->device, warn_fmt,
+ cur->nidl, nii->nidl, remain, nii->name);
return -1;
}
if (ctrl->quirks & NVME_QUIRK_BOGUS_NID)
- return NVME_NIDT_UUID_LEN;
- uuid_copy(&ids->uuid, data + sizeof(*cur));
- return NVME_NIDT_UUID_LEN;
- case NVME_NIDT_CSI:
- if (cur->nidl != NVME_NIDT_CSI_LEN) {
- dev_warn(ctrl->device, "%s %d for NVME_NIDT_CSI\n",
- warn_str, cur->nidl);
- return -1;
- }
- memcpy(&ids->csi, data + sizeof(*cur), NVME_NIDT_CSI_LEN);
- *csi_seen = true;
- return NVME_NIDT_CSI_LEN;
+ return nii->nidl;
+ memcpy(&ids->csi, cur + 1, nii->nidl);
+ return nii->nidl;
default:
/* Skip unknown types */
return cur->nidl;
@@ -1538,7 +1531,8 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
{
struct nvme_command c = { };
bool csi_seen = false;
- int status, pos, len;
+ int status, len, remain;
+ struct nvme_ns_id_desc *cur;
void *data;
if (ctrl->vs < NVME_VS(1, 3, 0) && !nvme_multi_css(ctrl))
@@ -1563,17 +1557,21 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
goto free_data;
}
- for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
- struct nvme_ns_id_desc *cur = data + pos;
-
+ remain = NVME_IDENTIFY_DATA_SIZE;
+ cur = data;
+ while (remain >= sizeof(*cur)) {
if (cur->nidl == 0)
break;
- len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
+ len = nvme_process_ns_desc(ctrl, &info->ids,
+ cur, remain - sizeof(*cur),
+ &csi_seen);
if (len < 0)
break;
len += sizeof(*cur);
+ remain -= len;
+ cur += len;
}
if (nvme_multi_css(ctrl) && !csi_seen) {
--
2.47.3
next reply other threads:[~2025-11-26 20:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-26 20:27 Eugene Korenevsky [this message]
2025-11-26 20:52 ` [PATCH] nvme: nvme_identify_ns_descs: prevent oob Keith Busch
2025-11-26 21:45 ` Eugene Korenevsky
2025-11-27 14:49 ` Christoph Hellwig
2025-11-29 19:57 ` Eugene Korenevsky
2025-11-30 22:20 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aSdiqVR-o6yNav6I@localhost.localdomain \
--to=ekorenevsky@aliyun.com \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox