[Bug Report] NVMe-oF/TCP - Slab OOB Read in `nvmet_ctrl_find_get`

Chaitanya Kulkarni chaitanyak at nvidia.com
Wed Nov 8 14:09:27 PST 2023


> Think of nvmet_copy_from_sgl as a memcpy from a different address
> space.  It works on a very different abstraction layer and thus
> doesn't even know about strings.  The callers really need to,
> and maybe we want a helper for that.  For now that patch below should
> fix the issue you reported, although for me KASAN doesn't trip up
> on the reproducer with or without the patch, so if you could test it
> on your setup that would be great:
>
> diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
> index 43b5bd8bb6a52d..0920fe7ce4ac99 100644
> --- a/drivers/nvme/target/fabrics-cmd.c
> +++ b/drivers/nvme/target/fabrics-cmd.c
> @@ -244,6 +244,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
>   		goto out;
>   	}
>   
> +	d->subsysnqn[NVMF_NQN_FIELD_LEN] = '\0';
> +	d->hostnqn[NVMF_NQN_FIELD_LEN] = '\0';
>   	status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
>   				  le32_to_cpu(c->kato), &ctrl);
>   	if (status)
> @@ -313,6 +315,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
>   		goto out;
>   	}
>   
> +	d->subsysnqn[NVMF_NQN_FIELD_LEN] = '\0';
> +	d->hostnqn[NVMF_NQN_FIELD_LEN] = '\0';
>   	ctrl = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
>   				   le16_to_cpu(d->cntlid), req);
>   	if (!ctrl) {

I specifically didn't send this patch when I wrote it initially, coz we are
modifying connect data and yes it will work just fine functionally but
in principal we should not touch connect data after nvmet_copy_from_sgl()
call even for the sake of debug prints or string comparison since it's
a data that we've received from host and should be in read-only mode.

please correct me if connect data should not be treated as read-only...

-ck




More information about the Linux-nvme mailing list