From 3fd61b209977db8a9fe6c44d5a5a7aee7a255f64 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Fri, 8 May 2015 18:00:26 +0200 Subject: nvme: fix kernel memory corruption with short INQUIRY buffers If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI translation layer will happily write past the end of the INQUIRY buffer allocation. This is fairly easily reproducible by running the libiscsi test suite and then starting an xfstests run. Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation") Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe diff --git a/drivers/block/nvme-scsi.c b/drivers/block/nvme-scsi.c index 88f13c5..44f2514 100644 --- a/drivers/block/nvme-scsi.c +++ b/drivers/block/nvme-scsi.c @@ -2257,7 +2257,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr, page_code = GET_INQ_PAGE_CODE(cmd); alloc_len = GET_INQ_ALLOC_LENGTH(cmd); - inq_response = kmalloc(alloc_len, GFP_KERNEL); + inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH), + GFP_KERNEL); if (inq_response == NULL) { res = -ENOMEM; goto out_mem; -- cgit v0.10.2