diff options
| author | Christoph Hellwig <hch@lst.de> | 2015-05-08 12:00:26 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@fb.com> | 2015-05-13 10:22:12 -0400 |
| commit | 3fd61b209977db8a9fe6c44d5a5a7aee7a255f64 (patch) | |
| tree | 424d48e7b77df6c569e516ca721d739726867434 /drivers | |
| parent | 336b7e1f230912cd8df2497be8dd7be4647d8fc8 (diff) | |
nvme: fix kernel memory corruption with short INQUIRY buffers
If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI
translation layer will happily write past the end of the INQUIRY buffer
allocation.
This is fairly easily reproducible by running the libiscsi test
suite and then starting an xfstests run.
Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/block/nvme-scsi.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/block/nvme-scsi.c b/drivers/block/nvme-scsi.c index 88f13c525712..44f2514fb775 100644 --- a/drivers/block/nvme-scsi.c +++ b/drivers/block/nvme-scsi.c | |||
| @@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr, | |||
| 2257 | page_code = GET_INQ_PAGE_CODE(cmd); | 2257 | page_code = GET_INQ_PAGE_CODE(cmd); |
| 2258 | alloc_len = GET_INQ_ALLOC_LENGTH(cmd); | 2258 | alloc_len = GET_INQ_ALLOC_LENGTH(cmd); |
| 2259 | 2259 | ||
| 2260 | inq_response = kmalloc(alloc_len, GFP_KERNEL); | 2260 | inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH), |
| 2261 | GFP_KERNEL); | ||
| 2261 | if (inq_response == NULL) { | 2262 | if (inq_response == NULL) { |
| 2262 | res = -ENOMEM; | 2263 | res = -ENOMEM; |
| 2263 | goto out_mem; | 2264 | goto out_mem; |