Commit 52a0a985 authored by YunJe Shin's avatar YunJe Shin Committed by Keith Busch
Browse files

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec 



nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
length or offset exceeds sg_cnt and then use bogus sg->length/offset
values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
entries, and sg->length/offset before building the bvec.

Fixes: 872d26a3 ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: default avatarYunJe Shin <ioerts@kookmin.ac.kr>
Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
Reviewed-by: default avatarJoonkyo Jung <joonkyoj@yonsei.ac.kr>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
parent 071be3b0

drivers/nvme/target/tcp.c

+17 −0
Original line number Diff line number Diff line
@@ -349,11 +349,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) 
	cmd->req.sg = NULL;

}



static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);



static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)

{

	struct bio_vec *iov = cmd->iov;

	struct scatterlist *sg;

	u32 length, offset, sg_offset;

	unsigned int sg_remaining;

	int nr_pages;



	length = cmd->pdu_len;
@@ -361,9 +364,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) 
	offset = cmd->rbytes_done;

	cmd->sg_idx = offset / PAGE_SIZE;

	sg_offset = offset % PAGE_SIZE;

	if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {

		nvmet_tcp_fatal_error(cmd->queue);

		return;

	}

	sg = &cmd->req.sg[cmd->sg_idx];

	sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;



	while (length) {

		if (!sg_remaining) {

			nvmet_tcp_fatal_error(cmd->queue);

			return;

		}

		if (!sg->length || sg->length <= sg_offset) {

			nvmet_tcp_fatal_error(cmd->queue);

			return;

		}

		u32 iov_len = min_t(u32, length, sg->length - sg_offset);



		bvec_set_page(iov, sg_page(sg), iov_len,
@@ -371,6 +387,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) 


		length -= iov_len;

		sg = sg_next(sg);

		sg_remaining--;

		iov++;

		sg_offset = 0;

	}