authorKernel Build Daemon <kbuild@suse.de>2018-05-22 16:48:12 +0200
committerKernel Build Daemon <kbuild@suse.de>2018-05-22 16:48:12 +0200
commit890e4fa2a0c9328409fa36a9fe411aaa7d705675 (patch)
treea0b2529fe243e5ebbe5e719ce99e7275d4e28195
parent6c97630b22f72712fc5f1524881ed3838107f577 (diff)
parentd5e09b180e3446694d884b35784fc61c0aa1429d (diff)
Merge branch 'users/jthumshirn/SLE12-SP3/for-next' into SLE12-SP3
-rw-r--r--patches.drivers/nvme-target-fix-buffer-overflow.patch43
-rw-r--r--series.conf1
2 files changed, 44 insertions, 0 deletions
diff --git a/patches.drivers/nvme-target-fix-buffer-overflow.patch b/patches.drivers/nvme-target-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..ec6cbf111c
--- /dev/null
+++ b/patches.drivers/nvme-target-fix-buffer-overflow.patch
@@ -0,0 +1,43 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 12 Apr 2018 09:16:07 -0600
+Subject: nvme: target: fix buffer overflow
+Patch-mainline: v4.17-rc1
+Git-commit: 6038aa532a224da68c478f34f4dbce33c47169e6
+References: FATE#321732 FATE#321590 bsc#993388
+
+nvmet_execute_get_disc_log_page() passes a fixed-length string into
+nvmet_format_discovery_entry(), which then does a longer memcpy() on
+it, as pointed out by gcc-8:
+
+In function 'nvmet_format_discovery_entry',
+ inlined from 'nvmet_execute_get_disc_log_page' at drivers/nvme/target/discovery.c:126:4:
+drivers/nvme/target/discovery.c:62:2: error: 'memcpy' forming offset [38, 223] is out of the bounds [0, 37] [-Werror=array-bounds]
+ memcpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
+
+Using strncpy() will make this well-defined, filling the rest of the
+buffer with zeroes, under the assumption that the input is either
+a NUL-terminated string, or a byte sequence containing no zeroes.
+If the input is a string that is longer than NVMF_NQN_SIZE, we
+continue to have no NUL-termination in the output.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvme/target/discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/discovery.c
++++ b/drivers/nvme/target/discovery.c
+@@ -58,7 +58,7 @@ static void nvmet_format_discovery_entry
+ memcpy(e->trsvcid, port->disc_addr.trsvcid, NVMF_TRSVCID_SIZE);
+ memcpy(e->traddr, port->disc_addr.traddr, NVMF_TRADDR_SIZE);
+ memcpy(e->tsas.common, port->disc_addr.tsas.common, NVMF_TSAS_SIZE);
+- memcpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
++ strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
+ }
+
+ static void nvmet_execute_get_disc_log_page(struct nvmet_req *req)
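Review bot: The `strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);` line that closes nvmet_format_discovery_entry() can still leave e->subnqn without a terminating NUL when subsys_nqn is NVMF_NQN_SIZE bytes or longer, which the commit message concedes but the code does not record. A comment above the call would stop a later reader from treating the field as a C string, e.g. `/* subnqn is fixed-width: zero-padded, NUL-terminated only if the source is shorter than NVMF_NQN_SIZE */`. The zero padding is also the security-relevant part of the change: per the gcc-8 diagnostic the old memcpy() read NVMF_NQN_SIZE bytes from a 38-byte source, so bytes from beyond the string would have landed in the entry; presumably that entry is returned to the host in the discovery log page, though that path is outside the hunk. The three memcpy() calls above it copy fixed sizes from port->disc_addr and are only safe if those source arrays are at least that large, which cannot be confirmed from here. The function's signature and opening lines are outside the hunk.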
diff --git a/series.conf b/series.conf
index 89e0670a15..740e42e7a0 100644
--- a/series.conf
+++ b/series.conf
@@ -18218,6 +18218,7 @@
patches.fixes/block-don-t-assign-cmd_flags-in-__blk_rq_prep_clone.patch
patches.suse/blk-mq-fix-bad-clear-of-RQF_MQ_INFLIGHT-in-blk_mq_ct.patch
patches.suse/block-correctly-mask-out-flags-in-blk_rq_append_bio.patch
+ patches.drivers/nvme-target-fix-buffer-overflow.patch
# bsc#1060985
patches.drivers/scsi-sd-Remove-LBPRZ-dependency-for-discards.patch