nvme: fix kernel memory corruption with short INQUIRY buffers

If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI translation layer will happily write past the end of the INQUIRY buffer allocation. This is fairly easily reproducible by running the libiscsi test suite and then starting an xfstests run. Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation") Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>

nvme: fix kernel memory corruption with short INQUIRY buffers
If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI translation layer will happily write past the end of the INQUIRY buffer allocation. This is fairly easily reproducible by running the libiscsi test suite and then starting an xfstests run. Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation") Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
3fd61b20 · Christoph Hellwig · Jens Axboe · 336b7e1f · 3fd61b20
Commit 3fd61b20 authored May 08, 2015 by Christoph Hellwig Committed by Jens Axboe May 13, 2015
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/block/nvme-scsi.c drivers/block/nvme-scsi.c +2 -1

No files found.
--- a/drivers/block/nvme-scsi.c
+++ b/drivers/block/nvme-scsi.c
@@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
 	page_code = GET_INQ_PAGE_CODE(cmd);
 	alloc_len = GET_INQ_ALLOC_LENGTH(cmd);
-	inq_response = kmalloc(alloc_len, GFP_KERNEL);
+	inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
+				GFP_KERNEL);
 	if (inq_response == NULL) {
 		res = -ENOMEM;
 		goto out_mem;