Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu
Hi, when scanning ("nvme list") some buggy NVMe SSDs that do not like blocks of less than 4096 bytes being sent to them, a buffer overflow happens.
Upstream fixed this in libnvme 1.7, I've cherry-picked this for bookworm, attached is the full diff for review. Please let me know if I can upload it to bookworm-pu.
Regards, Daniel
diff --git a/debian/changelog b/debian/changelog
index 2666b0a..d7cef38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libnvme (1.3-1+deb12u1) bookworm; urgency=medium
+
+ * Uploading to bookworm.
+ * Cherry-picking upstream commits to fix buffer overflow during scanning
+ devices that do not support sub-4k reads (Closes: #1054631).
+
+ -- Daniel Baumann <daniel.baum...@progress-linux.org> Sun, 14 Apr 2024 08:57:21 +0200
+
 libnvme (1.3-1) sid; urgency=medium
 * Uploading to sid.
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f31922e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+upstream/0001-alloc-helper.patch
+upstream/0002-aligned-payloads.patch
diff --git a/debian/patches/upstream/0001-alloc-helper.patch b/debian/patches/upstream/0001-alloc-helper.patch
new file mode 100644
index 0000000..deafcae
--- /dev/null
+++ b/debian/patches/upstream/0001-alloc-helper.patch
@@ -0,0 +1,52 @@
+commit a2b8e52e46cfd888ac5a48d8ce632bd70a5caa93
+Author: Tomas Bzatek <tbza...@redhat.com>
+Date: Tue Oct 10 18:16:24 2023 +0200
+
+ util: Introduce alloc helper with alignment support
+
+ Similar to nvme-cli an alloc helper is needed for a couple
+ of ioctls sent out during tree scan.
+
+
Signed-off-by: Tomas Bzatek <tbza...@redhat.com>
+
+diff --git a/src/nvme/private.h b/src/nvme/private.h
+index 6fb9784a..ee9d738b 100644
+--- a/src/nvme/private.h
++++ b/src/nvme/private.h
+@@ -182,6 +182,8 @@ nvme_ctrl_t __nvme_lookup_ctrl(nvme_subsystem_t s, const char *transport,
+ const char *host_iface, const char *trsvcid,
+ const char *subsysnqn, nvme_ctrl_t p);
+
++void *__nvme_alloc(size_t len);
++
+ #if (LOG_FUNCNAME == 1)
+ #define __nvme_log_func __func__
+ #else
+diff --git a/src/nvme/util.c b/src/nvme/util.c
+index 8fe094d5..20679685 100644
+--- a/src/nvme/util.c
++++ b/src/nvme/util.c
+@@ -7,6 +7,7 @@
+ * Chaitanya Kulkarni <chaitanya.kulka...@wdc.com>
+ */
+
++#include <stdlib.h>
+ #include <stdio.h>
+ #include <stdbool.h>
+ #include <string.h>
+@@ -1058,3 +1059,15 @@ bool nvme_iface_primary_addr_matches(const struct ifaddrs *iface_list, const cha
+ }
+
+ #endif /* HAVE_NETDB */
++
++void *__nvme_alloc(size_t len)
++{
++ size_t _len = round_up(len, 0x1000);
++ void *p;
++
++ if (posix_memalign((void *)&p, getpagesize(), _len))
++ return NULL;
++
++ memset(p, 0, _len);
++ return p;
++}
diff --git a/debian/patches/upstream/0002-aligned-payloads.patch b/debian/patches/upstream/0002-aligned-payloads.patch
new file mode 100644
index 0000000..8c514d0
--- /dev/null
+++ b/debian/patches/upstream/0002-aligned-payloads.patch
@@ -0,0 +1,60 @@
+commit 68c6ffb11d40a427fc1fd70ac2ac97fd01952913
+Author: Tomas Bzatek <tbza...@redhat.com>
+Date: Tue Oct 10 18:18:38 2023 +0200
+
+ tree: Allocate aligned payloads for ns scan
+
+ libnvme is actually doing some namespace identification
+ during tree scan, leading to stack smash on some systems.
+
+
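Review bot: In `__nvme_alloc` the size is rounded with `round_up(len, 0x1000)` while the alignment comes from `getpagesize()`, so the two bounds only coincide on 4 KiB-page kernels; since the whole point of the helper is to hand the controller a buffer it cannot overrun, the 0x1000 deserves a named constant with a comment saying which bound it is (per the changelog, the minimum transfer the affected devices perform). The `(void *)&p` cast is unnecessary — `posix_memalign(&p, getpagesize(), _len)` — and only hides a type mismatch should `p` ever change type. `getpagesize()` needs `<unistd.h>`, which this patch does not add; it builds only if util.c already includes it, which the hunk does not show. The new prototype in private.h carries no contract; I would put `/* Zeroed, page-aligned buffer of at least len bytes (rounded up to 4 KiB); release with free(). NULL on failure. */` above `void *__nvme_alloc(size_t len);`.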
Signed-off-by: Tomas Bzatek <tbza...@redhat.com>
+
+diff --git a/src/nvme/tree.c b/src/nvme/tree.c
+index 00cf96f7..5636aa18 100644
+--- a/src/nvme/tree.c
++++ b/src/nvme/tree.c
+@@ -2404,26 +2404,33 @@ static void nvme_ns_parse_descriptors(struct nvme_ns *n,
+
+ static int nvme_ns_init(struct nvme_ns *n)
+ {
+- struct nvme_id_ns ns = { };
+- uint8_t buffer[NVME_IDENTIFY_DATA_SIZE] = { };
+- struct nvme_ns_id_desc *descs = (void *)buffer;
++ struct nvme_id_ns *ns;
++ struct nvme_ns_id_desc *descs;
+ uint8_t flbas;
+ int ret;
+
+- ret = nvme_ns_identify(n, &ns);
+- if (ret)
++ ns = __nvme_alloc(sizeof(*ns));
++ if (!ns)
++ return 0;
++ ret = nvme_ns_identify(n, ns);
++ if (ret) {
++ free(ns);
+ return ret;
++ }
+
+- nvme_id_ns_flbas_to_lbaf_inuse(ns.flbas, &flbas);
+- n->lba_shift = ns.lbaf[flbas].ds;
++ nvme_id_ns_flbas_to_lbaf_inuse(ns->flbas, &flbas);
++ n->lba_shift = ns->lbaf[flbas].ds;
+ n->lba_size = 1 << n->lba_shift;
+- n->lba_count = le64_to_cpu(ns.nsze);
+- n->lba_util = le64_to_cpu(ns.nuse);
+- n->meta_size = le16_to_cpu(ns.lbaf[flbas].ms);
++ n->lba_count = le64_to_cpu(ns->nsze);
++ n->lba_util = le64_to_cpu(ns->nuse);
++ n->meta_size = le16_to_cpu(ns->lbaf[flbas].ms);
+
+- if (!nvme_ns_identify_descs(n, descs))
++ descs = __nvme_alloc(NVME_IDENTIFY_DATA_SIZE);
++ if (descs && !nvme_ns_identify_descs(n, descs))
+ nvme_ns_parse_descriptors(n, descs);
+
++ free(ns);
++ free(descs);
+ return 0;
+ }
+
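Review bot: `if (!ns) return 0;` turns an allocation failure into a success return, so nvme_ns_init can come back 0 with n->lba_shift, lba_size, lba_count, lba_util and meta_size never written, and the caller cannot tell that namespace apart from an initialised one; the `nvme_ns_identify` failure two lines later propagates `ret`, so the two error paths disagree. Unless tree.c deliberately treats ENOMEM as non-fatal here (not visible in the hunk), I would return an error, `errno = ENOMEM; return -1;`, in whatever form nvme_ns_identify's callers already expect — confirm that convention before changing it. Skipping descriptor parsing when the second `__nvme_alloc` fails is a defensible best-effort choice but reads like an oversight; a one-line comment such as `/* descriptors are optional: skip them when the buffer cannot be allocated */` above `descs = __nvme_alloc(NVME_IDENTIFY_DATA_SIZE);` would make it explicit. Outside this change, `n->lba_size = 1 << n->lba_shift` still shifts by a device-supplied `ds` value (an 8-bit field, as far as I recall), so a malformed Identify response can shift by 31 or more, which is undefined behaviour; given that the motivation here is misbehaving device data, a range check on `ds` would be a worthwhile follow-up.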