Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.
Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: liuxixin <gliuxen@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
desc = log;
end = log + size - sizeof(*h);
for (i = 0; i < fdp_idx; i++) {
- log += le16_to_cpu(desc->dsze);
- desc = log;
- if (log >= end) {
+ u16 dsze = le16_to_cpu(desc->dsze);
+
+ if (!dsze || log + dsze > end) {
dev_warn(ctrl->device,
- "FDP invalid config descriptor list\n");
+ "FDP invalid config descriptor at index %d\n", i);
ret = 0;
goto out;
}
+ log += dsze;
+ desc = log;
}
if (le32_to_cpu(desc->nrg) > 1) {
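Review bot: the new check still lets `desc` end up pointing at `end` itself, because `log + dsze > end` accepts `log + dsze == end`, and the loop then does `desc = log` and either reads `desc->dsze` on the next iteration or falls through to `le32_to_cpu(desc->nrg)` immediately below, both of which are reads at or past the end of the buffer. The same applies whenever a descriptor is shorter than `sizeof(*desc)` (a `dsze` of 1 passes the `!dsze` test), since nothing guarantees the descriptor whose fields are read actually fits before `end`. Suggest checking the descriptor being read rather than only the advance, e.g. at the top of each iteration and once more before the `nrg` test: `if (log + sizeof(*desc) > end)` then `dsze = le16_to_cpu(desc->dsze); if (dsze < sizeof(*desc) || log + dsze > end)` before `log += dsze`. That keeps the `dsze == 0` and past-the-end cases the commit message targets covered while also ruling out the overlapping and truncated-final-descriptor cases.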