Thread (19 messages) 19 messages, 4 authors, 2025-12-02

Re: [PATCH v2 2/4] nvme: reject invalid pr_read_keys() num_keys values

From: Chaitanya Kulkarni <hidden>
Date: 2025-12-01 07:11:35
Also in: linux-nvme, linux-scsi, lkml

On 11/27/25 07:54, Stefan Hajnoczi wrote:
quoted hunk ↗ jump to hunk
The pr_read_keys() interface has a u32 num_keys parameter. The NVMe
Reservation Report command has a u32 maximum length. Reject num_keys
values that are too large to fit.

This will become important when pr_read_keys() is exposed to untrusted
userspace via an <linux/pr.h> ioctl.

Signed-off-by: Stefan Hajnoczi<stefanha@redhat.com>
---
  drivers/nvme/host/pr.c | 4 ++++
  1 file changed, 4 insertions(+)
diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
index ca6a74607b139..156a2ae1fac2e 100644
--- a/drivers/nvme/host/pr.c
+++ b/drivers/nvme/host/pr.c
@@ -233,6 +233,10 @@ static int nvme_pr_read_keys(struct block_device *bdev,
  	int ret, i;
  	bool eds;
  
+	/* Check that keys fit into u32 rse_len */
+	if (num_keys > (U32_MAX - sizeof(*rse)) / sizeof(rse->regctl_eds[0]))
+		return -EINVAL;
de-referencing res in res->regctl_eds[0] is safe in this patch ?

if so please ignore this comment ...

-ck

Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help