New warning `nvme nvme0: using unchecked data buffer` (was: [PATCHv3 3/3] nvme-pci: use sgls for all user requests if possible)

Keith Busch kbusch at kernel.org
Mon Dec 2 07:05:15 PST 2024


On Mon, Dec 02, 2024 at 08:56:03AM +0100, Paul Menzel wrote:
> Am 18.11.24 um 16:57 schrieb Keith Busch:
> > From: Keith Busch <kbusch at kernel.org>
> > 
> > If the device supports SGLs, use these for all user requests. This
> > format encodes the expected transfer length so it can catch short buffer
> > errors in a user command, whether it occurred accidentally or maliciously.
> > 
> > For controllers that support SGL data mode, this is a viable mitigation
> > to CVE-2023-6238. For controllers that don't support SGL, log a warning
> 
> For the layman, what is this security problem?

The passthrough interface can't validate buffer lengths against the
command's actual payload. NVMe traditionally did not have explicit
buffer sizes encoded in commands, so this only works correctly if the
device and host both agree on what the implicit transfer size actually
is. More recent NVMe features fixed that problem with explicit buffer
sizes in the commands.

Whether by accident or on purpose, user space can request a smaller
buffer than the device is going to transfer into it. That will corrupt
memory.
 
> > -	if (has_metadata && !supports_metadata)
> > -		return -EINVAL;
> > +	if (!nvme_ctrl_sgl_supported(ctrl))
> > +		dev_warn_once(ctrl->device, "using unchecked data buffer\n");
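Review bot: the hunk removes the `if (has_metadata && !supports_metadata) return -EINVAL;` rejection and puts an unrelated SGL warning in its place; if that metadata validation was moved elsewhere in the series, the commit message should say so, otherwise a passthrough command that carries metadata for a controller without metadata support is no longer rejected at this point. Separately, `dev_warn_once` fires on the first passthrough command whether or not that command has a data buffer at all, and "using unchecked data buffer" tells the reader neither which interface triggered it nor that no action is needed; consider gating the warning on a non-zero data length and a message along the lines of "passthrough command on a controller without SGL support: user buffer length is not validated".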
> 
> Linux logs this on the Dell XPS 13 9360 with PC300 NVMe SK hynix 512GB
> (firmware revision 20004A00).
> 
>     [   14.399238] nvme nvme0: using unchecked data buffer
> 
> What should a user do about it?

Nothing for a user to do. This is an indication that the passthrough
interface has been used with a device that can only use implicit
transfer lengths. It's more of an indication that improper use of this
interface might be the cause of memory corruption observations.
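The following is an added illustration of the point made above, not code from the kernel or from anyone in this thread. It models why a passthrough layer cannot validate the user buffer against the command's payload in general: the transfer length is implicit in the command, and the host can only derive it for opcodes whose encoding it understands (here NVM read/write, where it is (NLB + 1) * LBA size). For any other opcode the result is "unknown", which is the gap an explicit SGL length closes on the device side. The struct is a constructed subset of the fields in the real nvme_passthru_cmd ioctl structure, and the vendor opcode 0xC0 in the demo is a hypothetical value.

```c
/* Added example (not kernel code): host-side view of the implicit NVMe
 * transfer length that a passthrough command carries.  Only some opcodes let
 * the host compute it; the rest are "unknown", so a user buffer shorter than
 * what the device will actually move cannot be caught here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVME_CMD_WRITE 0x01   /* NVM command set opcodes from the NVMe base spec */
#define NVME_CMD_READ  0x02

/* Constructed subset of struct nvme_passthru_cmd (linux/nvme_ioctl.h). */
struct passthru_cmd {
    uint8_t  opcode;
    uint32_t nsid;
    uint64_t addr;      /* user buffer address */
    uint32_t data_len;  /* length user space claims the buffer has */
    uint32_t cdw10;     /* starting LBA, low 32 bits */
    uint32_t cdw11;     /* starting LBA, high 32 bits */
    uint32_t cdw12;     /* bits 15:0 = NLB (zero-based) for read/write */
};

enum check_result {
    CHECK_OK,        /* buffer is at least the implicit transfer length */
    CHECK_SHORT,     /* device would transfer past the end of the buffer */
    CHECK_UNKNOWN,   /* host cannot derive the transfer length for this opcode */
};

/* Read/write: transfer length is (NLB + 1) * lba_size.  For everything else
 * the length is decided by device firmware and is invisible to the host. */
static int implicit_xfer_len(const struct passthru_cmd *c, uint32_t lba_size,
                             uint64_t *len)
{
    switch (c->opcode) {
    case NVME_CMD_READ:
    case NVME_CMD_WRITE:
        *len = ((uint64_t)(c->cdw12 & 0xffff) + 1) * lba_size;
        return 0;
    default:
        return -1;
    }
}

enum check_result check_passthru(const struct passthru_cmd *c, uint32_t lba_size)
{
    uint64_t need;

    if (implicit_xfer_len(c, lba_size, &need) < 0)
        return CHECK_UNKNOWN;
    return c->data_len >= need ? CHECK_OK : CHECK_SHORT;
}

/* Helpers that build constructed commands for the demo below. */
enum check_result check_read(uint32_t nlb, uint32_t data_len, uint32_t lba_size)
{
    struct passthru_cmd c;

    memset(&c, 0, sizeof(c));
    c.opcode = NVME_CMD_READ;
    c.nsid = 1;
    c.cdw12 = nlb & 0xffff;
    c.data_len = data_len;
    return check_passthru(&c, lba_size);
}

enum check_result check_opaque(uint8_t opcode, uint32_t data_len)
{
    struct passthru_cmd c;

    memset(&c, 0, sizeof(c));
    c.opcode = opcode;   /* e.g. a hypothetical vendor opcode */
    c.nsid = 1;
    c.data_len = data_len;
    return check_passthru(&c, 512);
}

static const char *name(enum check_result r)
{
    return r == CHECK_OK ? "ok" : r == CHECK_SHORT ? "SHORT (corrupts memory)"
                                                   : "unknown (cannot validate)";
}

int main(void)
{
    /* 8 blocks of 512 bytes = 4096 bytes expected by the device. */
    printf("read NLB=7, 4096-byte buffer : %s\n", name(check_read(7, 4096, 512)));
    printf("read NLB=7,  512-byte buffer : %s\n", name(check_read(7, 512, 512)));
    printf("opcode 0xC0, 512-byte buffer : %s\n", name(check_opaque(0xC0, 512)));
    return 0;
}
```

The third case is the one the thread is about: with no SGL the kernel has nothing to compare `data_len` against, so a user buffer shorter than what the device writes is only detectable after the fact, as memory corruption.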



More information about the Linux-nvme mailing list