[PATCH v2] nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page
Keith Busch
kbusch at kernel.org
Tue Jun 2 03:42:56 PDT 2026
On Thu, May 28, 2026 at 04:02:17PM +0000, hexlabsecurity at proton.me wrote:
> From 6710e68439c458d691a4fe5c7fa354404745dd0a Mon Sep 17 00:00:00 2001
> From: Bryam Vargas <hexlabsecurity at proton.me>
> Date: Wed, 27 May 2026 15:00:00 -0500
> Subject: [PATCH v2] nvmet: fix pre-auth out-of-bounds heap read in Discovery
> Get Log Page
>
> nvmet_execute_disc_get_log_page() validates only the dword alignment
> of the host-supplied Log Page Offset (lpo). The 64-bit offset is then
> added to a small kzalloc'd buffer that holds the discovery log page
> and the result is passed straight to nvmet_copy_to_sgl(), which
> memcpy()s data_len bytes out to the host with no source-side bound
> check:
I've manually applied this one, but next time, could you please just
send a proper patch instead? This whole thing is badly formatted. Have a
look at the raw message:
https://lore.kernel.org/linux-nvme/39YwPS5jntghiVQLt9ikZnmMc7O2g1AY3OVDcxdZjaK53FZHyzQNmyaS5eYBTS93g0Wc-S-UDC0auDRcGgC4iMR5RgXLEBPvqHfFZfbaeoU=@proton.me/raw
Just use 'git send-email' on a 'git format-patch' created patch.
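The source-side bound that the quoted commit message says is missing, as an added example in C that is neither the kernel's code nor the patch itself: it models a small log page with a host-controlled 64-bit offset and transfer length, rejects an offset at or past the end of the page, and clamps the length to what remains, so a large lpo can no longer move the copy's source pointer past the allocated buffer. The function names, the 64-byte page size and the clamp-rather-than-fail policy are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the situation in the commit message: a small discovery
 * log page, a host-supplied 64-bit Log Page Offset (lpo) and a host-supplied
 * transfer length (data_len). Names and sizes are assumptions, not kernel code. */
#define DISC_LOG_LEN 64u

/* Returns how many source bytes may be copied for (lpo, data_len) against a
 * page of log_len bytes, or 0 if the request is rejected. Alignment is the
 * check the commit message says already existed; the two range checks are the
 * missing source-side bound. lpo is compared against log_len on its own, so a
 * huge offset is caught before any arithmetic that could wrap. */
static size_t disc_log_copy_len(size_t log_len, uint64_t lpo, size_t data_len)
{
	if (lpo & 0x3)                  /* existing dword-alignment check */
		return 0;
	if (lpo >= log_len)             /* offset starts at or past the end */
		return 0;
	if (data_len > log_len - lpo)   /* clamp to what remains in the page */
		data_len = log_len - lpo;
	return data_len;
}

/* Bounded copy: reads at most log_len bytes from log and zero-fills the rest
 * of the requested length rather than reading past the page. Clamping instead
 * of failing the command is a policy choice made for this example. */
static size_t disc_log_copy(const uint8_t *log, size_t log_len, uint64_t lpo,
			    size_t data_len, uint8_t *out)
{
	size_t n = disc_log_copy_len(log_len, lpo, data_len);

	if (n == 0)
		return 0;
	memcpy(out, log + lpo, n);          /* source read bounded by log_len */
	memset(out + n, 0, data_len - n);   /* never sourced from beyond the page */
	return n;
}

/* Self-check on a constructed page whose byte i holds the value i. */
static bool disc_log_copy_selftest(void)
{
	uint8_t log[DISC_LOG_LEN], out[DISC_LOG_LEN];
	size_t i, n;

	for (i = 0; i < DISC_LOG_LEN; i++)
		log[i] = (uint8_t)i;
	n = disc_log_copy(log, DISC_LOG_LEN, 4, DISC_LOG_LEN, out);
	return n == 60 && out[0] == 4 && out[59] == 63 && out[60] == 0;
}
```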