From 045de29691f2d6b16fdf2d3dc6f4cd339d872102 Mon Sep 17 00:00:00 2001 From: Keith Busch Date: Mon, 8 Jan 2024 17:17:12 +0800 Subject: [PATCH] nvme: sanitize metadata bounce buffer for reads mainline inclusion from mainline-v6.1-rc1 commit 2b32c76e2b0154b98b9322ae7546b8156cd703e6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8UHPD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b32c76e2b0154b98b9322ae7546b8156cd703e6 ---------------------------------------- User can request more metadata bytes than the device will write. Ensure kernel buffer is initialized so we're not leaking unsanitized memory on the copy-out. Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") Reviewed-by: Jens Axboe Reviewed-by: Christoph Hellwig Reviewed-by: Kanchan Joshi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch Conflicts: Commit 2405252a680e ("nvme: move the ioctl code to a separate file") move nvme_add_user_metadata() from drivers/nvme/host/core.c to drivers/nvme/host/ioctl.c; Commit 38c0ddab7b93 ("nvme: refactor nvme_add_user_metadata") changed to use REQ_OP_DRV_OUT to identify the write request. Signed-off-by: Li Lingfeng --- drivers/nvme/host/core.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 32e08f287602..142f3a03509c 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -966,9 +966,13 @@ static void *nvme_add_user_metadata(struct bio *bio, void __user *ubuf, if (!buf) goto out; - ret = -EFAULT; - if (write && copy_from_user(buf, ubuf, len)) - goto out_free_meta; + if (write) { + ret = -EFAULT; + if (copy_from_user(buf, ubuf, len)) + goto out_free_meta; + } else { + memset(buf, 0, len); + } bip = bio_integrity_alloc(bio, GFP_KERNEL, 1); if (IS_ERR(bip)) { -- Gitee