From a486427b4c99f49dbb668e2db19f7f8818bbbe70 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Wed, 10 Jan 2024 15:27:47 +0800 Subject: [PATCH] nvmet: nul-terminate the NQNs passed in the connect command mainline inclusion from mainline-v6.7-rc3 commit 1c22e0295a5eb571c27b53c7371f95699ef705ff category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8H4UJ CVE: CVE-2023-6121 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1c22e0295a5eb571c27b53c7371f95699ef705ff -------------------------------- The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Cheng Yu (cherry picked from commit d23b262c5d466b822570b7dc2b278158e6d4c864)
---
 drivers/nvme/target/fabrics-cmd.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
index e62d3d0fa6c8..66506a70310d 100644
--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c
@@ -189,6 +189,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
 goto out;
 }
+ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, le32_to_cpu(c->kato), &ctrl);
 if (status) {
@@ -250,6 +252,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
 goto out;
 }
+ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, le16_to_cpu(d->cntlid), req, &ctrl);
-- Gitee
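Review bot: Both connect handlers now carry the same pair of terminating stores (here in nvmet_execute_admin_connect and again in the nvmet_execute_io_connect hunk) with no comment saying why the payload is written to, so a later connect path could easily miss the step. A short comment such as `/* NQNs come from the host-supplied connect payload; force NUL termination before any string use */` above each pair, or one small static helper called from both sites, would keep the invariant visible. Note also that a field arriving without a terminator is truncated rather than rejected; whether the command should instead fail with an invalid-parameter status is worth a sentence in that comment. Both function bodies start and end outside the hunks, so any string use of d->subsysnqn or d->hostnqn before these lines cannot be checked from here.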