[PATCH v2] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Jens Axboe
axboe at kernel.dk
Fri Dec 12 13:15:51 PST 2025
On 12/12/25 2:08 PM, Shivam wrote:
> From: Shivam <skumar47 at syr.edu>
>
> The CVE-2023-6356 patch added ttag bounds checking and data_offset
Please just replace that with an actual sha, and add it as a Fixes
tag too. No need to resend for that, I'm assuming whoever applies
this can sort that out. Some random CVE number doesn't mean anything
to me, a sha is something that is easily identifiable.
Rest of commit message looks good.
> validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
> whether the command's data structures (cmd->req.sg and cmd->iov) have
> been properly initialized before processing H2C_DATA PDUs.
>
> The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
> without NULL checks. This can be triggered by sending an H2C_DATA PDU
> immediately after the ICREQ/ICRESP handshake, before sending a CONNECT
> command or NVMe write command.
>
> Attack vectors that trigger NULL pointer dereferences:
> 1. H2C_DATA PDU sent before CONNECT → both pointers NULL
> 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
> 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
>
> The fix validates both cmd->req.sg and cmd->iov before calling
> nvmet_tcp_build_pdu_iovec(). Both checks are required because:
> - Uninitialized commands: both NULL
> - READ commands: cmd->req.sg allocated, cmd->iov NULL
> - WRITE commands: both allocated
>
> Reported-by: Shivam Kumar <skumar47 at syr.edu>
> Signed-off-by: Shivam Kumar <skumar47 at syr.edu>
No need for the Reported-by tag, you already have your SOB there.
--
Jens Axboe
More information about the Linux-nvme
mailing list