git.baikalelectronics.ru Git - kernel.git/commit
nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify
author Scott Bauer <scott.bauer@intel.com>
Sat, 15 Apr 2017 18:55:36 +0000 (20:55 +0200)
committer Jens Axboe <axboe@fb.com>
Sun, 16 Apr 2017 16:06:25 +0000 (10:06 -0600)
commit 495dc18fb00d1452ae7e25e7e88b57f2fd392b02
tree 5413b4d53c288bfa68381206cefc2f1467a55e9c
parent 1563b956a1c616ceb92fc8bce53e7bac40392886
nvme/lightnvm: Prevent small buffer overflow in nvme_nvm_identify

There are two closely named structs in lightnvm:
struct nvme_nvm_addr_format and
struct nvme_addr_format.

The first struct has 4 reserved bytes at the end, the second does not.
(gdb) p sizeof(struct nvme_nvm_addr_format)
$1 = 16
(gdb) p sizeof(struct nvm_addr_format)
$2 = 12

In the nvme_nvm_identify function we memcpy from the larger struct to the
smaller struct. We incorrectly pass the length of the larger struct
and overflow by 4 bytes, let's not do that.

Signed-off-by: Scott Bauer <scott.bauer@intel.com>
Signed-off-by: Matias Bjørling <matias@cnexlabs.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
drivers/nvme/host/lightnvm.c
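
The size mismatch described in the commit message, as an added example that is not part of the commit or the kernel source. The struct names, field names and helper functions are stand-ins; only the sizes (16 and 12 bytes) come from the gdb output above, and the destination-sized length is the assumed shape of the correction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in layouts (assumed field names): only the sizes, 16 and 12 bytes,
 * are taken from the gdb output in the commit message. */
struct wire_addr_format { uint8_t fields[12]; uint8_t res[4]; }; /* larger, source */
struct host_addr_format { uint8_t fields[12]; };                 /* smaller, destination */

/* Build-time guard: the copy length used below must fit inside the source. */
_Static_assert(sizeof(struct host_addr_format) <= sizeof(struct wire_addr_format),
               "destination-sized copy would read past the source");

#define CANARY 0xA5u

/* Copy len bytes of a source struct into a 16-byte arena whose first 12 bytes
 * model the destination struct and whose last 4 model whatever lies after it.
 * Returns how many of those neighbouring bytes were overwritten. */
size_t clobbered_after_copy(size_t len)
{
    struct wire_addr_format src;
    unsigned char arena[sizeof(struct wire_addr_format)];
    size_t i, hit = 0;

    memset(&src, 0x11, sizeof(src));
    memset(arena, CANARY, sizeof(arena));
    if (len > sizeof(arena))
        len = sizeof(arena);          /* keep the demonstration itself in bounds */
    memcpy(arena, &src, len);

    for (i = sizeof(struct host_addr_format); i < sizeof(arena); i++)
        if (arena[i] != CANARY)
            hit++;
    return hit;
}

/* Length taken from the source type: the mistake the commit message describes. */
size_t source_sized_len(void) { return sizeof(struct wire_addr_format); }
/* Length taken from the destination type: assumed shape of the correction. */
size_t dest_sized_len(void) { return sizeof(struct host_addr_format); }

int main(void)
{
    printf("source-sized copy clobbers %zu bytes\n", clobbered_after_copy(source_sized_len()));
    printf("dest-sized copy clobbers %zu bytes\n", clobbered_after_copy(dest_sized_len()));
    return 0;
}
```

Sizing a memcpy by the destination type, backed by a build-time assertion on the two sizes, keeps this class of bug from returning if either struct later changes.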