nvme: fix kernel memory corruption with short INQUIRY buffers
author Christoph Hellwig <hch@lst.de>
Fri, 8 May 2015 16:00:26 +0000 (18:00 +0200)
committer Jens Axboe <axboe@fb.com>
Wed, 13 May 2015 14:22:12 +0000 (10:22 -0400)
If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI
translation layer will happily write past the end of the INQUIRY buffer
allocation.

This is fairly easily reproducible by running the libiscsi test
suite and then starting an xfstests run.

Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
drivers/block/nvme-scsi.c

index 88f13c525712f700d05428e741cafeeac752ad2d..44f2514fb7755d0bdf9f4524ebbe5364a84af5a3 100644 (file)
@@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
        page_code = GET_INQ_PAGE_CODE(cmd);
        alloc_len = GET_INQ_ALLOC_LENGTH(cmd);
 
-       inq_response = kmalloc(alloc_len, GFP_KERNEL);
+       inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
+                               GFP_KERNEL);
        if (inq_response == NULL) {
                res = -ENOMEM;
                goto out_mem;
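Review bot: enlarging the allocation to max(alloc_len, STANDARD_INQUIRY_LENGTH) stops the translation layer from writing past the end of inq_response, but the subsequent copy of the response back to the user buffer must still be bounded by alloc_len (what userspace actually asked for), not by the new allocation size; that copy path is not in this hunk, so it is worth confirming it clamps on alloc_len so a short INQUIRY request does not become an over-long copy to userspace. Also, the kernel max() macro emits a warning when its two operands differ in type, so check that alloc_len and STANDARD_INQUIRY_LENGTH have matching types, or use max_t() with an explicit type.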