nvme: core: reject invalid LBA data size from Identify Namespace

nvme_update_ns_info_block() trusts id->lbaf[lbaf].ds from the
controller and assigns it directly to ns->head->lba_shift without
bounds checking.  nvme_lba_to_sect() then does:

    return lba << (head->lba_shift - SECTOR_SHIFT);

When called with lba = le64_to_cpu(id->nsze) to compute the device
capacity, an attacker-controlled controller can choose ds < 9 or a
combination of (ds, nsze) that makes the left shift overflow
sector_t.  The former is a C undefined behaviour that UBSAN reports
as a BUG; the latter silently yields a bogus capacity that the
block layer then trusts for bounds checking.

Validate ds against SECTOR_SHIFT and use check_shl_overflow() to
compute capacity so that any (ds, nsze) combination that would
overflow sector_t is rejected.  The namespace is skipped with
-ENODEV instead of crashing the kernel.  This is reachable by a
malicious NVMe device, a buggy firmware, or an attacker-controlled
NVMe-oF target.

The check is performed before queue_limits_start_update() and
blk_mq_freeze_queue(), so the error path is a plain `goto out` with
no cleanup needed.

Stack trace (UBSAN, ds < 9 variant):

  RIP: nvme_lba_to_sect drivers/nvme/host/nvme.h:699 [inline]
  RIP: nvme_update_ns_info_block.cold+0x5/0x7
  Call Trace:
   nvme_update_ns_info+0x175/0xd90 drivers/nvme/host/core.c:2467
   nvme_validate_ns drivers/nvme/host/core.c:4299 [inline]
   nvme_scan_ns drivers/nvme/host/core.c:4350
   nvme_scan_ns_async+0xa5/0xe0 drivers/nvme/host/core.c:4383
   async_run_entry_fn
   process_one_work
   worker_thread
   kthread

Found by Syzkaller.

Acked-by: Sungwoo Kim <iam@sung-woo.kim>
Acked-by: Dave Tian <daveti@purdue.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Signed-off-by: Chao Shi <coshi036@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 72c50d5e938d707f662633d090acb0a3aef0ef64..10f154529334cec9be00469858d0a35105f2d752 100644 (file)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2407,12 +2407,22 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns,
                        goto out;
        }
 
+       if (id->lbaf[lbaf].ds < SECTOR_SHIFT ||
+           check_shl_overflow(le64_to_cpu(id->nsze),
+                              id->lbaf[lbaf].ds - SECTOR_SHIFT,
+                              &capacity)) {
+               dev_warn_once(ns->ctrl->device,
+                       "invalid LBA data size %u, skipping namespace\n",
+                       id->lbaf[lbaf].ds);
+               ret = -ENODEV;
+               goto out;
+       }
+
        lim = queue_limits_start_update(ns->disk->queue);
 
        memflags = blk_mq_freeze_queue(ns->disk->queue);
        ns->head->lba_shift = id->lbaf[lbaf].ds;
        ns->head->nuse = le64_to_cpu(id->nuse);
-       capacity = nvme_lba_to_sect(ns->head, le64_to_cpu(id->nsze));
        nvme_set_ctrl_limits(ns->ctrl, &lim, false);
        nvme_configure_metadata(ns->ctrl, ns->head, id, nvm, info);
        nvme_set_chunk_sectors(ns, id, &lim);