nvme: sanitize metadata bounce buffer for reads

User can request more metadata bytes than the device will write. Ensure kernel buffer is initialized so we're not leaking unsanitized memory on the copy-out. Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") Reviewed-by: Jens Axboe <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]> Reviewed-by: Kanchan Joshi <[email protected]> Reviewed-by: Chaitanya Kulkarni <[email protected]> Signed-off-by: Keith Busch <[email protected]>
author: Keith Busch <[email protected]> 2023-10-16 13:12:47 -0700
committer: Keith Busch <[email protected]> 2023-10-18 14:08:39 -0700
commit: 2b32c76e2b0154b98b9322ae7546b8156cd703e6 (patch)
tree: 0cb8c544784658cd755446b307fb737ea21609fb
parent: 4ae55a7dce04989f289d5c5c8c8e5c37adc36c71 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index d8ff796fd5f2..747c879e8982 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -108,9 +108,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
 	if (!buf)
 		goto out;
 
-	ret = -EFAULT;
-	if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
-		goto out_free_meta;
+	if (req_op(req) == REQ_OP_DRV_OUT) {
+		ret = -EFAULT;
+		if (copy_from_user(buf, ubuf, len))
+			goto out_free_meta;
+	} else {
+		memset(buf, 0, len);
+	}
 
 	bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
 	if (IS_ERR(bip)) {
author	Keith Busch <[email protected]>	2023-10-16 13:12:47 -0700
committer	Keith Busch <[email protected]>	2023-10-18 14:08:39 -0700
commit	2b32c76e2b0154b98b9322ae7546b8156cd703e6 (patch)
tree	0cb8c544784658cd755446b307fb737ea21609fb
parent	4ae55a7dce04989f289d5c5c8c8e5c37adc36c71 (diff)