From patchwork Sat Apr 15 18:55:36 2017
X-Patchwork-Submitter: Matias Bjørling
X-Patchwork-Id: 9682345
From: Matias Bjørling
CC: Scott Bauer, Matias Bjørling
Subject: [GIT PULL 02/19] nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify
Date: Sat, 15 Apr 2017 20:55:36 +0200
Message-ID: <20170415185553.16098-3-matias@cnexlabs.com>
In-Reply-To: <20170415185553.16098-1-matias@cnexlabs.com>
References: <20170415185553.16098-1-matias@cnexlabs.com>
X-Mailing-List: linux-block@vger.kernel.org

From: Scott Bauer

There are two closely named structs in lightnvm: struct nvme_nvm_addr_format and struct nvme_addr_format. The first struct has 4 reserved bytes at the end, the second does not.

(gdb) p sizeof(struct nvme_nvm_addr_format)
$1 = 16
(gdb) p sizeof(struct nvm_addr_format)
$2 = 12

In the nvme_nvm_identify function we memcpy from the larger struct to the smaller struct. We incorrectly pass the length of the larger struct and overflow by 4 bytes, let's not do that.

Signed-off-by: Scott Bauer
Signed-off-by: Matias Bjørling
--- drivers/nvme/host/lightnvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/host/lightnvm.c b/drivers/nvme/host/lightnvm.c index 21cac85..fd98954 100644 --- a/drivers/nvme/host/lightnvm.c +++ b/drivers/nvme/host/lightnvm.c @@ -324,7 +324,7 @@ static int nvme_nvm_identity(struct nvm_dev *nvmdev, struct nvm_id *nvm_id) nvm_id->cap = le32_to_cpu(nvme_nvm_id->cap); nvm_id->dom = le32_to_cpu(nvme_nvm_id->dom); memcpy(&nvm_id->ppaf, &nvme_nvm_id->ppaf, - sizeof(struct nvme_nvm_addr_format)); + sizeof(struct nvm_addr_format)); ret = init_grps(nvm_id, nvme_nvm_id); out:
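
Review bot: in the memcpy() call in nvme_nvm_identity(), the length is still spelled as a type name, sizeof(struct nvm_addr_format), and picking the wrong one of two near-identical type names is exactly how the 16-byte struct ended up there. Size the copy from the destination object instead, sizeof(nvm_id->ppaf), so the length follows the destination if either type changes. The copy also relies on the two structs sharing the same first 12 bytes; a BUILD_BUG_ON() beside the memcpy() that ties the two sizes together (source size minus its 4 reserved bytes equals destination size) would keep that assumption checked at build time. Minor: the subject and commit message say nvme_nvm_identify, while the hunk header shows the function as nvme_nvm_identity.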