New warning `nvme nvme0: using unchecked data buffer`
Paul Menzel
pmenzel at molgen.mpg.de
Mon Dec 2 07:15:03 PST 2024
Dear Keith,
Thank you very much for your quick reply.
On 02.12.24 at 16:05, Keith Busch wrote:
> On Mon, Dec 02, 2024 at 08:56:03AM +0100, Paul Menzel wrote:
>> On 18.11.24 at 16:57, Keith Busch wrote:
>>> From: Keith Busch <kbusch at kernel.org>
>>>
>>> If the device supports SGLs, use these for all user requests. This
>>> format encodes the expected transfer length so it can catch short buffer
>>> errors in a user command, whether it occurred accidentally or maliciously.
>>>
>>> For controllers that support SGL data mode, this is a viable mitigation
>>> to CVE-2023-6238. For controllers that don't support SGL, log a warning
>>
>> For the layman, what is this security problem?
>
> The passthrough interface can't validate buffer lengths against the
> command's actual payload. NVMe traditionally did not have explicit
> buffer sizes encoded in commands, so this only works correctly if the
> device and host both agree on what the implicit transfer size actually
> is. More recent NVMe features fixed that problem with explicit buffer
> sizes in the commands.
>
> Whether by accident or on purpose, user space can request a smaller
> buffer than the device is going to transfer into it. That will corrupt
> memory.
Does the Linux kernel know the buffer size?
>>> - if (has_metadata && !supports_metadata)
>>> - return -EINVAL;
>>> + if (!nvme_ctrl_sgl_supported(ctrl))
>>> + dev_warn_once(ctrl->device, "using unchecked data buffer\n");
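Review bot: the `if (has_metadata && !supports_metadata) return -EINVAL;` rejection is removed in the same hunk that adds the `dev_warn_once()`, and nothing in the quoted lines shows where (or whether) the metadata-on-unsupported-controller check is preserved; if it moved, the commit message should say where, and if it was dropped deliberately, that is a separate behaviour change that deserves its own patch and explanation. Separately, `dev_warn_once()` fires once per controller and names neither the calling process nor the opcode, so a user reading "using unchecked data buffer" cannot tell which passthrough caller to look at; consider a rate-limited warning that includes the task name and command opcode, which is what would make the message actionable.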
>>
>> Linux logs this on the Dell XPS 13 9360 with PC300 NVMe SK hynix 512GB
>> (firmware revision 20004A00).
>>
>> [ 14.399238] nvme nvme0: using unchecked data buffer
>>
>> What should a user do about it?
>
> Nothing for a user to do. This is an indication that the passthrough
> interface has been used with a device that can only use implicit
> transfer lengths. It's more of an indication that improper use of this
> interface might be the cause of memory corruption observations.
Could it be fixed by a firmware update?
I wonder if the level should be reduced then to info, or if it can be
elaborated. Maybe:
The PC300 NVMe SK hynix 512GB can only use implicit transfer length.
Improper use might be the cause of memory corruption observations.
Kind regards,
Paul
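Added worked example, not code from this thread, from the kernel, or from any controller firmware: a small C model of the mechanism Keith describes. The "device" derives its transfer length from the command's NLB field (assumed 512-byte LBAs) and either gets no host-side length at all (PRP style) or an explicit length in an SGL descriptor. With PRP it writes the full implicit length and silently overruns a buffer that user space declared too small; with SGL it compares the lengths first and rejects the mismatch before any data moves, roughly what a real controller reports as "Data SGL Length Invalid". All names (`model_cmd`, `host_mem`, `run_scenario`, and so on) and the guard-byte arena are constructed for this illustration.

```c
/*
 * Constructed model of why an explicit SGL length lets a controller catch a
 * short host buffer while PRP-style implicit lengths cannot. Host memory, the
 * command and the "device" are all simulated; nothing here talks to real NVMe.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define LBA_SIZE   512u   /* assumed formatted LBA size for the model */
#define GUARD_LEN  64u    /* guard bytes placed after the user buffer */
#define GUARD_BYTE 0xA5
#define FILL_BYTE  0x42   /* what the model device writes into host memory */
#define ARENA_LBAS 8u     /* model arena: largest implicit length it can hold */

/* Minimal read-like command: NLB is zero-based, as in NVMe. */
struct model_cmd {
    uint32_t nlb0;     /* number of logical blocks minus one */
    bool     use_sgl;  /* SGL data descriptor (explicit length) vs PRP (none) */
    uint32_t sgl_len;  /* total length carried by the SGL descriptor */
};

/* Host side: the buffer user space asked for, followed by a guard region. */
struct host_mem {
    uint8_t *base;     /* start of the user buffer */
    size_t   user_len; /* what user space told the kernel the buffer holds */
};

/* Transfer size the device derives from the command itself. */
size_t implicit_len(const struct model_cmd *c)
{
    return ((size_t)c->nlb0 + 1) * LBA_SIZE;
}

/* Lay out user_len zeroed bytes followed by GUARD_LEN guard bytes in region. */
struct host_mem host_mem_init(uint8_t *region, size_t user_len)
{
    memset(region, 0, user_len);
    memset(region + user_len, GUARD_BYTE, GUARD_LEN);
    return (struct host_mem){ .base = region, .user_len = user_len };
}

/* True if nothing was written past the end of the user buffer. */
bool guard_intact(const struct host_mem *m)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (m->base[m->user_len + i] != GUARD_BYTE)
            return false;
    return true;
}

/*
 * Model controller. Returns bytes written into host memory, or -1 if the
 * command is rejected. On the PRP path there is no length to compare against,
 * so the controller writes the full implicit length and a short buffer is
 * overrun. On the SGL path a length mismatch is rejected before any transfer.
 */
long model_device_exec(const struct model_cmd *c, struct host_mem *m)
{
    size_t want = implicit_len(c);

    if (c->use_sgl && c->sgl_len != want)
        return -1;                     /* caught by the explicit SGL length */

    /* m->user_len is never consulted: the controller never sees it. */
    memset(m->base, FILL_BYTE, want);
    return (long)want;
}

/*
 * One scenario: user space claims user_len bytes, the command implies
 * (nlb0 + 1) * LBA_SIZE. Returns the device result; *corrupted (may be NULL)
 * reports whether the guard after the user buffer was clobbered.
 */
long run_scenario(uint32_t nlb0, size_t user_len, bool use_sgl,
                  uint32_t sgl_len, bool *corrupted)
{
    static uint8_t region[ARENA_LBAS * LBA_SIZE + GUARD_LEN];
    struct model_cmd c = { .nlb0 = nlb0, .use_sgl = use_sgl, .sgl_len = sgl_len };

    if (implicit_len(&c) > ARENA_LBAS * LBA_SIZE || user_len > ARENA_LBAS * LBA_SIZE)
        return -2;                     /* outside what the model arena can hold */

    struct host_mem m = host_mem_init(region, user_len);
    long r = model_device_exec(&c, &m);
    if (corrupted)
        *corrupted = !guard_intact(&m);
    return r;
}

/* Convenience: did this scenario overrun the user buffer? */
bool scenario_corrupts(uint32_t nlb0, size_t user_len, bool use_sgl, uint32_t sgl_len)
{
    bool corrupted = false;
    run_scenario(nlb0, user_len, use_sgl, sgl_len, &corrupted);
    return corrupted;
}

int main(void)
{
    bool corrupted;
    long r;

    r = run_scenario(1, 512, false, 0, &corrupted);       /* PRP, buffer too short */
    printf("PRP short buffer : wrote %ld bytes, guard %s\n", r, corrupted ? "CORRUPTED" : "intact");
    r = run_scenario(1, 512, true, 512, &corrupted);      /* SGL, lengths disagree */
    printf("SGL short buffer : result %ld, guard %s\n", r, corrupted ? "CORRUPTED" : "intact");
    r = run_scenario(1, 1024, true, 1024, &corrupted);    /* SGL, lengths agree */
    printf("SGL matched      : wrote %ld bytes, guard %s\n", r, corrupted ? "CORRUPTED" : "intact");
    return 0;
}
```

The PRP scenario is the case the thread's warning points at: the kernel passes along whatever length user space claimed, the controller never sees that number, and the overrun lands in whatever follows the buffer. The SGL scenario shows why a controller with SGL support can refuse the same command outright, which is what makes the SGL path a mitigation rather than just a diagnostic.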