Re: [PATCH v2 2/4] nvme: reject invalid pr_read_keys() num_keys values
From: Chaitanya Kulkarni <hidden>
Date: 2025-12-01 07:11:35
Also in:
linux-nvme, linux-scsi, lkml
From: Chaitanya Kulkarni <hidden>
Date: 2025-12-01 07:11:35
Also in:
linux-nvme, linux-scsi, lkml
On 11/27/25 07:54, Stefan Hajnoczi wrote:
The pr_read_keys() interface has a u32 num_keys parameter. The NVMe Reservation Report command has a u32 maximum length. Reject num_keys values that are too large to fit. This will become important when pr_read_keys() is exposed to untrusted userspace via an <linux/pr.h> ioctl. Signed-off-by: Stefan Hajnoczi<stefanha@redhat.com> --- drivers/nvme/host/pr.c | 4 ++++ 1 file changed, 4 insertions(+)diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c index ca6a74607b139..156a2ae1fac2e 100644 --- a/drivers/nvme/host/pr.c +++ b/drivers/nvme/host/pr.c@@ -233,6 +233,10 @@ static int nvme_pr_read_keys(struct block_device *bdev, int ret, i; bool eds; + /* Check that keys fit into u32 rse_len */ + if (num_keys > (U32_MAX - sizeof(*rse)) / sizeof(rse->regctl_eds[0])) + return -EINVAL;
de-referencing res in res->regctl_eds[0] is safe in this patch ? if so please ignore this comment ... -ck