From: Chao Shi Date: Fri, 15 May 2026 18:58:53 +0000 (-0400) Subject: nvme: core: reject invalid LBA data size from Identify Namespace X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c8cdecdb47d3191146ab6a90b422d3271bc1ef89;p=thirdparty%2Fkernel%2Flinux.git nvme: core: reject invalid LBA data size from Identify Namespace nvme_update_ns_info_block() trusts id->lbaf[lbaf].ds from the controller and assigns it directly to ns->head->lba_shift without bounds checking. nvme_lba_to_sect() then does: return lba << (head->lba_shift - SECTOR_SHIFT); When called with lba = le64_to_cpu(id->nsze) to compute the device capacity, an attacker-controlled controller can choose ds < 9 or a combination of (ds, nsze) that makes the left shift overflow sector_t. The former is a C undefined behaviour that UBSAN reports as a BUG; the latter silently yields a bogus capacity that the block layer then trusts for bounds checking. Validate ds against SECTOR_SHIFT and use check_shl_overflow() to compute capacity so that any (ds, nsze) combination that would overflow sector_t is rejected. The namespace is skipped with -ENODEV instead of crashing the kernel. This is reachable by a malicious NVMe device, a buggy firmware, or an attacker-controlled NVMe-oF target. The check is performed before queue_limits_start_update() and blk_mq_freeze_queue(), so the error path is a plain `goto out` with no cleanup needed. Stack trace (UBSAN, ds < 9 variant): RIP: nvme_lba_to_sect drivers/nvme/host/nvme.h:699 [inline] RIP: nvme_update_ns_info_block.cold+0x5/0x7 Call Trace: nvme_update_ns_info+0x175/0xd90 drivers/nvme/host/core.c:2467 nvme_validate_ns drivers/nvme/host/core.c:4299 [inline] nvme_scan_ns drivers/nvme/host/core.c:4350 nvme_scan_ns_async+0xa5/0xe0 drivers/nvme/host/core.c:4383 async_run_entry_fn process_one_work worker_thread kthread Found by Syzkaller. Acked-by: Sungwoo Kim Acked-by: Dave Tian Acked-by: Weidong Zhu Signed-off-by: Chao Shi Signed-off-by: Keith Busch --- diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 72c50d5e938d7..10f154529334c 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -2407,12 +2407,22 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns, goto out; } + if (id->lbaf[lbaf].ds < SECTOR_SHIFT || + check_shl_overflow(le64_to_cpu(id->nsze), + id->lbaf[lbaf].ds - SECTOR_SHIFT, + &capacity)) { + dev_warn_once(ns->ctrl->device, + "invalid LBA data size %u, skipping namespace\n", + id->lbaf[lbaf].ds); + ret = -ENODEV; + goto out; + } + lim = queue_limits_start_update(ns->disk->queue); memflags = blk_mq_freeze_queue(ns->disk->queue); ns->head->lba_shift = id->lbaf[lbaf].ds; ns->head->nuse = le64_to_cpu(id->nuse); - capacity = nvme_lba_to_sect(ns->head, le64_to_cpu(id->nsze)); nvme_set_ctrl_limits(ns->ctrl, &lim, false); nvme_configure_metadata(ns->ctrl, ns->head, id, nvm, info); nvme_set_chunk_sectors(ns, id, &lim);