[PATCH] nvme: nvme_identify_ns_descs: prevent oob
Keith Busch
kbusch at kernel.org
Wed Nov 26 12:52:08 PST 2025
On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> Broken or malicious controller can send invalid ns id.
> Out-of-band memory access may occur if remaining buffer size
> is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
>
> Fix this issue by making nvme_process_id_decs() function aware of
> remaining buffer size.
>
> Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> branches with table lookup.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky at aliyun.com>
> ---
> drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> 1 file changed, 39 insertions(+), 41 deletions(-)
Is this simpler check not sufficient?
---
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index fa534f1d6b27a..6cc43cbb04dd9 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1566,7 +1566,7 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl,
for (pos = 0; pos < NVME_IDENTIFY_DATA_SIZE; pos += len) {
struct nvme_ns_id_desc *cur = data + pos;
- if (cur->nidl == 0)
+ if (cur->nidl == 0 || cur->nidl + pos > NVME_IDENTIFY_DATA_SIZE)
break;
len = nvme_process_ns_desc(ctrl, &info->ids, cur, &csi_seen);
--
More information about the Linux-nvme
mailing list