[PATCH v5 1/1] nvme: validate FDP configuration descriptor sizes

liuxixin gliuxen at gmail.com
Tue Jun 2 07:00:01 PDT 2026


Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty <nj.shetty at samsung.com>
Reviewed-by: Christoph Hellwig <hch at lst.de>
Signed-off-by: liuxixin <gliuxen at gmail.com>
---
 drivers/nvme/host/core.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 766157ba6..48633a8bb 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2275,14 +2275,16 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
-		desc = log;
-		if (log >= end) {
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
 			dev_warn(ctrl->device,
-				 "FDP invalid config descriptor list\n");
+				 "FDP invalid config descriptor at index %d\n", i);
 			ret = 0;
 			goto out;
 		}
+		log += dsze;
+		desc = log;
 	}
 
 	if (le32_to_cpu(desc->nrg) > 1) {
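Review bot: the new check `if (!dsze || log + dsze > end)` only bounds where the next descriptor starts, not whether a whole descriptor fits there: when `log + dsze == end` the loop still does `desc = log`, and the next iteration reads `desc->dsze` (or, after the loop, `desc->nrg`) at `end`. Unless `end = log + size - sizeof(*h)` is already one full descriptor short of the buffer, consider `log + dsze + sizeof(*desc) > end` so the descriptor landed on is readable. In the same spirit, `dsze < sizeof(*desc)` is a more useful rejection than `!dsze` alone, since a non-zero but truncated `dsze` passes the current test and leaves `desc` pointing at something that is not a complete descriptor. Reporting the failing index in the `dev_warn` is a welcome change for diagnosing malformed logs.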
-- 
2.43.0

More information about the Linux-nvme mailing list