[PATCH] nvmet: pci-epf: fix heap overflow for invalid I/O SQES/CQES from the host

Damien Le Moal dlemoal at kernel.org
Sun Apr 26 22:30:40 PDT 2026


On 4/24/26 11:24 PM, Junrui Luo wrote:
> nvmet_pci_epf_enable_ctrl() computes ctrl->io_sqes and ctrl->io_cqes
> from the host-controlled CC.IOSQES/CC.IOCQES fields and only rejects
> values below sizeof(struct nvme_command) / sizeof(struct nvme_completion).
> The resulting sizes are used as DMA transfer lengths against the
> fixed-size iod->cmd (64B) and iod->cqe (16B) buffers.
> 
> An oversized IOSQES causes nvmet_pci_epf_transfer() to overflow
> iod->cmd with host-controlled data, and an oversized IOCQES causes
> memcpy_toio() to leak adjacent slab memory back to the host.
> 
> Change both checks from '<' to '!='.
> 
> Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver")
> Reported-by: Yuhao Jiang <danisjiang at gmail.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain at outlook.com>

Looks OK.

Reviewed-by: Damien Le Moal <dlemoal at kernel.org>

-- 
Damien Le Moal
Western Digital Research
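A userspace model of the check the patch changes, added here as an illustration and not code from the driver or the patch itself: the CC_IOSQES_SHIFT/CC_IOCQES_SHIFT values follow the NVMe CC register layout (IOSQES bits 19:16, IOCQES bits 23:20), the buffer sizes are the 64 B / 16 B stated in the commit message, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Fixed-size per-command buffers named in the commit message (iod->cmd / iod->cqe). */
#define CMD_BUF_SIZE 64   /* sizeof(struct nvme_command) */
#define CQE_BUF_SIZE 16   /* sizeof(struct nvme_completion) */

/* CC register layout per the NVMe spec: IOSQES bits 19:16, IOCQES bits 23:20. */
#define CC_IOSQES_SHIFT 16
#define CC_IOCQES_SHIFT 20

/* The fields encode log2 of the entry size in bytes, so the host can pick up to 1 << 15. */
static size_t cc_io_sqes(uint32_t cc) { return (size_t)1 << ((cc >> CC_IOSQES_SHIFT) & 0xf); }
static size_t cc_io_cqes(uint32_t cc) { return (size_t)1 << ((cc >> CC_IOCQES_SHIFT) & 0xf); }

/* Before the patch: only entries smaller than the structs are rejected, larger ones pass. */
bool enable_ctrl_vulnerable(uint32_t cc, size_t *sqes, size_t *cqes)
{
	*sqes = cc_io_sqes(cc);
	*cqes = cc_io_cqes(cc);
	return !(*sqes < CMD_BUF_SIZE) && !(*cqes < CQE_BUF_SIZE);
}

/* After the patch ('<' changed to '!='): the sizes must match the buffers exactly. */
bool enable_ctrl_fixed(uint32_t cc, size_t *sqes, size_t *cqes)
{
	*sqes = cc_io_sqes(cc);
	*cqes = cc_io_cqes(cc);
	return *sqes == CMD_BUF_SIZE && *cqes == CQE_BUF_SIZE;
}

/* Would a transfer of len bytes into a buf-byte buffer run past its end? */
bool transfer_overruns(size_t len, size_t buf) { return len > buf; }

/* Build a constructed CC value from raw IOSQES/IOCQES encodings (test input only). */
uint32_t make_cc(unsigned iosqes, unsigned iocqes)
{
	return ((uint32_t)(iosqes & 0xf) << CC_IOSQES_SHIFT) |
	       ((uint32_t)(iocqes & 0xf) << CC_IOCQES_SHIFT);
}
```

The spec-conformant encoding (IOSQES=6, IOCQES=4) passes both versions; an oversized encoding such as (7, 5) passes only the old check and yields a 128-byte length against the 64-byte command buffer.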
