authorKeith Busch <kbusch@kernel.org>2023-10-16 23:12:47 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-10-25 13:03:14 +0300
commit2c0b40c310a5d360aa322c7f7a0e8e43e0bd22d1 (patch)
treeab4c21bb16de9fa0b9c2020aea92cdfd2a9beea9 /drivers/nvme
parenta54974b0076f028f3533e6bb07f7652fc1b913ab (diff)
nvme: sanitize metadata bounce buffer for reads
commit 2b32c76e2b0154b98b9322ae7546b8156cd703e6 upstream. User can request more metadata bytes than the device will write. Ensure kernel buffer is initialized so we're not leaking unsanitized memory on the copy-out. Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") Reviewed-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Kanchan Joshi <joshi.k@samsung.com> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/nvme')
-rw-r--r--drivers/nvme/host/ioctl.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 8224675f8de2..b33004a4bcb5 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -32,9 +32,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
if (!buf)
goto out;
- ret = -EFAULT;
- if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
- goto out_free_meta;
+ if (req_op(req) == REQ_OP_DRV_OUT) {
+ ret = -EFAULT;
+ if (copy_from_user(buf, ubuf, len))
+ goto out_free_meta;
+ } else {
+ memset(buf, 0, len);
+ }
bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
if (IS_ERR(bip)) {
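Review bot: The `memset(buf, 0, len)` in the new `else` branch has no comment saying why a buffer the device is about to fill needs zeroing, and that reason is the whole security point of the fix. Per the commit message, the caller chooses `len` and the device may write fewer bytes, so the unwritten tail of the bounce buffer would otherwise reach user space on the copy-out. I would add `/* device may write fewer than len bytes; zero so the copy-out cannot expose stale kernel memory */` above the memset. Separately, `ret = -EFAULT` is now assigned only on the REQ_OP_DRV_OUT path, so any later `goto out_free_meta` reached on the read path has to set `ret` itself. The rest of nvme_add_user_metadata lies outside this hunk, so that should be confirmed against the full function.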