Skip to content

Commit

Permalink
nvme: fix kernel memory corruption with short INQUIRY buffers
Browse files Browse the repository at this point in the history 
If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI
translation layer will happily write past the end of the INQUIRY buffer
allocation.

This is fairly easily reproducible by running the libiscsi test
suite and then starting an xfstests run.

Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
  • Loading branch information
Christoph Hellwig authored and Jens Axboe committed May 13, 2015
1 parent 336b7e1 commit 3fd61b2
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/block/nvme-scsi.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
page_code = GET_INQ_PAGE_CODE(cmd);
alloc_len = GET_INQ_ALLOC_LENGTH(cmd);

inq_response = kmalloc(alloc_len, GFP_KERNEL);
inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
GFP_KERNEL);
if (inq_response == NULL) {
res = -ENOMEM;
goto out_mem;
Expand Down

0 comments on commit 3fd61b2

Please sign in to comment.