nvme: Fix parsing of ANA log page
Check validity of offset into ANA log buffer before accessing
nvme_ana_group_desc. This check ensures the size of ANA log buffer >=
offset + sizeof(nvme_ana_group_desc)

Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Prabhath Sajeepa <psajeepa@purestorage.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Prabhath Sajeepa authored and Jens Axboe committed Nov 4, 2019
1 parent 716fd9c commit 64fab72
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions drivers/nvme/host/multipath.c
Expand Up @@ -445,8 +445,14 @@ static int nvme_parse_ana_log(struct nvme_ctrl *ctrl, void *data,

for (i = 0; i < le16_to_cpu(ctrl->ana_log_buf->ngrps); i++) {
struct nvme_ana_group_desc *desc = base + offset;
u32 nr_nsids = le32_to_cpu(desc->nnsids);
size_t nsid_buf_size = nr_nsids * sizeof(__le32);
u32 nr_nsids;
size_t nsid_buf_size;

if (WARN_ON_ONCE(offset > ctrl->ana_log_size - sizeof(*desc)))
return -EINVAL;

nr_nsids = le32_to_cpu(desc->nnsids);
nsid_buf_size = nr_nsids * sizeof(__le32);

if (WARN_ON_ONCE(desc->grpid == 0))
return -EINVAL;
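
Review bot: In the check moved to the top of the loop, `ctrl->ana_log_size - sizeof(*desc)` is an unsigned subtraction, so it is only correct while ana_log_size is never smaller than sizeof(*desc); if it were, the right-hand side would wrap and every offset would pass. Nothing in this hunk shows where that invariant is guaranteed, so either point to it in a comment or add an explicit size check before the loop. Separately, `nr_nsids` is read from the log page itself and `nr_nsids * sizeof(__le32)` is computed with no bound visible in these lines, so confirm that the code between the two hunks checks nsid_buf_size against the remaining buffer before it is added to offset.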
Expand All @@ -466,8 +472,6 @@ static int nvme_parse_ana_log(struct nvme_ctrl *ctrl, void *data,
return error;

offset += nsid_buf_size;
if (WARN_ON_ONCE(offset > ctrl->ana_log_size - sizeof(*desc)))
return -EINVAL;
}

return 0;
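
Review bot: The commit message should explain why the check after `offset += nsid_buf_size` is removed, not only that a check is performed before the access. In its old position the check also ran after the last group, so it required room for one more descriptor beyond the final one; that is the behaviour change in this hunk and it deserves a sentence. With the check gone, `offset` is no longer validated after the final increment, which is acceptable only while nothing reads at `offset` after the loop; the `return 0` that follows suggests that holds, and a short comment saying so would help the next reader.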