nvme: fix kernel memory corruption with short INQUIRY buffers

If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI translation layer will happily write past the end of the INQUIRY buffer allocation. This is fairly easily reproducible by running the libiscsi test suite and then starting an xfstests run. Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation") Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Jens Axboe <axboe@fb.com>

nvme: fix kernel memory corruption with short INQUIRY buffers
If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI translation layer will happily write past the end of the INQUIRY buffer allocation. This is fairly easily reproducible by running the libiscsi test suite and then starting an xfstests run. Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation") Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Jens Axboe <axboe@fb.com>
3fd61b20 · Christoph Hellwig · Jens Axboe · 336b7e1f · 3fd61b20
显示空白变更内容
内联并排

Showing with 2 addition and 1 deletion

drivers/block/nvme-scsi.c drivers/block/nvme-scsi.c +2 -1

未找到文件。
--- a/drivers/block/nvme-scsi.c
+++ b/drivers/block/nvme-scsi.c
@@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
 	page_code = GET_INQ_PAGE_CODE(cmd);
 	alloc_len = GET_INQ_ALLOC_LENGTH(cmd);

-	inq_response = kmalloc(alloc_len, GFP_KERNEL);
+	inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
+				GFP_KERNEL);
 	if (inq_response == NULL) {
 		res = -ENOMEM;
 		goto out_mem;