Cherry-picking upstream commits to fix buffer overflow during scanning devices that do not support sub-4k reads (Closes: #1054631).

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org> Signed-off-by: Daniel Baumann <daniel@debian.org>
2025-02-16 10:52:11 +01:00 · 2025-02-16 10:52:11 +01:00 · 3dd70921f9
commit 3dd70921f9
parent cd3404518a
3 changed files with 99 additions and 0 deletions
--- a/debian/patches/series
+++ b/debian/patches/series
@ -0,0 +1,2 @@
+upstream/0001-alloc-helper.patch
+upstream/0002-aligned-payloads.patch
--- a/debian/patches/upstream/0001-alloc-helper.patch
+++ b/debian/patches/upstream/0001-alloc-helper.patch
@ -0,0 +1,44 @@
+Author: Tomas Bzatek <tbzatek@redhat.com>
+Description: util: Introduce alloc helper with alignment support
+ Similar to nvme-cli an alloc helper is needed for a couple
+ of ioctls sent out during tree scan.
+
+diff -Naurp libnvme.orig/src/nvme/private.h libnvme/src/nvme/private.h
+--- libnvme.orig/src/nvme/private.h
+++ libnvme/src/nvme/private.h
+@@ -145,6 +145,8 @@ nvme_ctrl_t __nvme_lookup_ctrl(nvme_subs
+ 			       const char *host_iface, const char *trsvcid,
+ 			       nvme_ctrl_t p);
+ 
+void *__nvme_alloc(size_t len);
+
+ #if (LOG_FUNCNAME == 1)
+ #define __nvme_log_func __func__
+ #else
+diff -Naurp libnvme.orig/src/nvme/util.c libnvme/src/nvme/util.c
+--- libnvme.orig/src/nvme/util.c
+++ libnvme/src/nvme/util.c
+@@ -7,6 +7,7 @@
+  * 	    Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+  */
+ 
+#include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <errno.h>
+@@ -901,3 +902,15 @@ int nvme_uuid_random(unsigned char uuid[
+ 
+ 	return 0;
+ }
+
+void *__nvme_alloc(size_t len)
+{
+	size_t _len = round_up(len, 0x1000);
+	void *p;
+
+	if (posix_memalign((void *)&p, getpagesize(), _len))
+		return NULL;
+
+	memset(p, 0, _len);
+	return p;
+}
--- a/debian/patches/upstream/0002-aligned-payloads.patch
+++ b/debian/patches/upstream/0002-aligned-payloads.patch
@ -0,0 +1,53 @@
+Author: Tomas Bzatek <tbzatek@redhat.com>
+Description: tree: Allocate aligned payloads for ns scan
+ libnvme is actually doing some namespace identification
+ during tree scan, leading to stack smash on some systems.
+
+diff -Naurp libnvme.orig/src/nvme/tree.c libnvme/src/nvme/tree.c
+--- libnvme.orig/src/nvme/tree.c
+++ libnvme/src/nvme/tree.c
+@@ -1788,26 +1788,33 @@ static void nvme_ns_parse_descriptors(st
+ 
+ static int nvme_ns_init(struct nvme_ns *n)
+ {
+-	struct nvme_id_ns ns = { };
+-	uint8_t buffer[NVME_IDENTIFY_DATA_SIZE] = { };
+-	struct nvme_ns_id_desc *descs = (void *)buffer;
+	struct nvme_id_ns *ns;
+	struct nvme_ns_id_desc *descs;
+ 	uint8_t flbas;
+ 	int ret;
+ 
+-	ret = nvme_ns_identify(n, &ns);
+-	if (ret)
+	ns = __nvme_alloc(sizeof(*ns));
+	if (!ns)
+		return 0;
+	ret = nvme_ns_identify(n, ns);
+	if (ret) {
+		free(ns);
+ 		return ret;
+	}
+ 
+-	nvme_id_ns_flbas_to_lbaf_inuse(ns.flbas, &flbas);
+-	n->lba_shift = ns.lbaf[flbas].ds;
+	nvme_id_ns_flbas_to_lbaf_inuse(ns->flbas, &flbas);
+	n->lba_shift = ns->lbaf[flbas].ds;
+ 	n->lba_size = 1 << n->lba_shift;
+-	n->lba_count = le64_to_cpu(ns.nsze);
+-	n->lba_util = le64_to_cpu(ns.nuse);
+-	n->meta_size = le16_to_cpu(ns.lbaf[flbas].ms);
+	n->lba_count = le64_to_cpu(ns->nsze);
+	n->lba_util = le64_to_cpu(ns->nuse);
+	n->meta_size = le16_to_cpu(ns->lbaf[flbas].ms);
+ 
+-	if (!nvme_ns_identify_descs(n, descs))
+	descs = __nvme_alloc(NVME_IDENTIFY_DATA_SIZE);
+	if (descs && !nvme_ns_identify_descs(n, descs))
+ 		nvme_ns_parse_descriptors(n, descs);
+ 
+	free(ns);
+	free(descs);
+ 	return 0;
+ }
+