[PATCH] nvme: nvme_identify_ns_descs: prevent oob
Christoph Hellwig
hch at lst.de
Thu Nov 27 06:49:16 PST 2025
On Wed, Nov 26, 2025 at 01:52:08PM -0700, Keith Busch wrote:
> On Wed, Nov 26, 2025 at 11:27:21PM +0300, Eugene Korenevsky wrote:
> > Broken or malicious controller can send invalid ns id.
> > Out-of-band memory access may occur if remaining buffer size
> > is less than .nidl (ns id length) field of `struct nvme_ns_id_desc`
> >
> > Fix this issue by making nvme_process_id_decs() function aware of
> > remaining buffer size.
> >
> > Also simplify nvme_process_id_decs(): replace copy-pasted `case`
> > branches with table lookup.
> >
> > Signed-off-by: Eugene Korenevsky <ekorenevsky at aliyun.com>
> > ---
> > drivers/nvme/host/core.c | 80 ++++++++++++++++++++--------------------
> > 1 file changed, 39 insertions(+), 41 deletions(-)
>
> Is this simpler check not sufficient?
I think we'll need a somewhat more complex check that at there
is at least enough space for the len member. But I prefer that
style over a table lookup and magic name pasting macros.
More information about the Linux-nvme
mailing list