[PATCH] nvme: sanitize metadata bounce buffer for reads

Jens Axboe axboe at kernel.dk
Mon Oct 16 13:25:11 PDT 2023


On 10/16/23 2:21 PM, Keith Busch wrote:
> From: Keith Busch <kbusch at kernel.org>
> 
> User can request more metadata bytes than the device will write. Ensure
> kernel buffer is initialized so we're not leaking unsanitized memory on
> the copy-out.
> 
> Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
> Signed-off-by: Keith Busch <kbusch at kernel.org>
> ---
>  drivers/nvme/host/ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
> index 788b36e7915ab..154eb7c944e76 100644
> --- a/drivers/nvme/host/ioctl.c
> +++ b/drivers/nvme/host/ioctl.c
> @@ -39,6 +39,8 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
>  	ret = -EFAULT;
>  	if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
>  		goto out_free_meta;
> +	else
> +		memset(buf, 0, len);
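
Review bot: the added `else` pairs with the whole compound condition on the `if` above it, so `memset(buf, 0, len)` also runs when the request is `REQ_OP_DRV_OUT` and `copy_from_user()` returned 0, which zeroes the metadata that was just copied in from userspace. Test the op on its own and do the copy inside that branch, so that only requests that are not `REQ_OP_DRV_OUT` take the `memset`, or zero `buf` before the `copy_from_user()` call. Dropping the `else` without moving the `memset` above the copy would zero the buffer on every path that reaches it.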

Do you need this else?

-- 
Jens Axboe




