Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id 
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1068954,
regarding bookworm-pu: package libnvme/1.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068954
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

when scanning ("nvme list") some buggy NVMe SSDs that don't like blocks of less than 4096 bytes sent to them, a buffer overflow happens.

Upstream fixed this in libnvme 1.7; I've cherry-picked this for bookworm, and the full diff is attached for review. Please let me know if I can upload it to bookworm-pu.

Regards,
Daniel
diff --git a/debian/changelog b/debian/changelog
index 2666b0a..d7cef38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libnvme (1.3-1+deb12u1) bookworm; urgency=medium
+
+  * Uploading to bookworm.
+  * Cherry-picking upstream commits to fix buffer overflow during scanning
+    devices that do not support sub-4k reads (Closes: #1054631).
+
+ -- Daniel Baumann <daniel.baum...@progress-linux.org>  Sun, 14 Apr 2024 08:57:21 +0200
+
 libnvme (1.3-1) sid; urgency=medium
 
   * Uploading to sid.
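Review bot: the changelog entry "Cherry-picking upstream commits to fix buffer overflow during scanning devices that do not support sub-4k reads" names neither the upstream commits nor the upstream release that carries them, although the cover mail says libnvme 1.7 and the patch files below record the hashes a2b8e52e and 68c6ffb1; adding "from upstream 1.7 (a2b8e52e, 68c6ffb1)" to the entry makes the stable update traceable without opening the patch files.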
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f31922e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+upstream/0001-alloc-helper.patch
+upstream/0002-aligned-payloads.patch
diff --git a/debian/patches/upstream/0001-alloc-helper.patch b/debian/patches/upstream/0001-alloc-helper.patch
new file mode 100644
index 0000000..deafcae
--- /dev/null
+++ b/debian/patches/upstream/0001-alloc-helper.patch
@@ -0,0 +1,52 @@
+commit a2b8e52e46cfd888ac5a48d8ce632bd70a5caa93
+Author: Tomas Bzatek <tbza...@redhat.com>
+Date:   Tue Oct 10 18:16:24 2023 +0200
+
+    util: Introduce alloc helper with alignment support
+    
+    Similar to nvme-cli an alloc helper is needed for a couple
+    of ioctls sent out during tree scan.
+    
+    Signed-off-by: Tomas Bzatek <tbza...@redhat.com>
+
+diff --git a/src/nvme/private.h b/src/nvme/private.h
+index 6fb9784a..ee9d738b 100644
+--- a/src/nvme/private.h
++++ b/src/nvme/private.h
+@@ -182,6 +182,8 @@ nvme_ctrl_t __nvme_lookup_ctrl(nvme_subsystem_t s, const char *transport,
+ 			       const char *host_iface, const char *trsvcid,
+ 			       const char *subsysnqn, nvme_ctrl_t p);
+ 
++void *__nvme_alloc(size_t len);
++
+ #if (LOG_FUNCNAME == 1)
+ #define __nvme_log_func __func__
+ #else
+diff --git a/src/nvme/util.c b/src/nvme/util.c
+index 8fe094d5..20679685 100644
+--- a/src/nvme/util.c
++++ b/src/nvme/util.c
+@@ -7,6 +7,7 @@
+  * 	    Chaitanya Kulkarni <chaitanya.kulka...@wdc.com>
+  */
+ 
++#include <stdlib.h>
+ #include <stdio.h>
+ #include <stdbool.h>
+ #include <string.h>
+@@ -1058,3 +1059,15 @@ bool nvme_iface_primary_addr_matches(const struct ifaddrs *iface_list, const cha
+ }
+ 
+ #endif /* HAVE_NETDB */
++
++void *__nvme_alloc(size_t len)
++{
++	size_t _len = round_up(len, 0x1000);
++	void *p;
++
++	if (posix_memalign((void *)&p, getpagesize(), _len))
++		return NULL;
++
++	memset(p, 0, _len);
++	return p;
++}
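Review bot: `__nvme_alloc` in the util.c hunk calls getpagesize() but the hunk only adds `#include <stdlib.h>` (needed for posix_memalign); getpagesize() is declared in <unistd.h>, so confirm that util.c on the 1.3 base already includes it or add that include as well. Two smaller points in the same function: the length is rounded with `round_up(len, 0x1000)` while the alignment comes from getpagesize(), so on systems with 16k or 64k pages the buffer is page-aligned but not page-sized (harmless for the 4k-block devices this targets, but rounding the length to the same page size would be consistent), and `posix_memalign((void *)&p, ...)` should be `(void **)&p` to match the prototype.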
diff --git a/debian/patches/upstream/0002-aligned-payloads.patch b/debian/patches/upstream/0002-aligned-payloads.patch
new file mode 100644
index 0000000..8c514d0
--- /dev/null
+++ b/debian/patches/upstream/0002-aligned-payloads.patch
@@ -0,0 +1,60 @@
+commit 68c6ffb11d40a427fc1fd70ac2ac97fd01952913
+Author: Tomas Bzatek <tbza...@redhat.com>
+Date:   Tue Oct 10 18:18:38 2023 +0200
+
+    tree: Allocate aligned payloads for ns scan
+    
+    libnvme is actually doing some namespace identification
+    during tree scan, leading to stack smash on some systems.
+    
+    Signed-off-by: Tomas Bzatek <tbza...@redhat.com>
+
+diff --git a/src/nvme/tree.c b/src/nvme/tree.c
+index 00cf96f7..5636aa18 100644
+--- a/src/nvme/tree.c
++++ b/src/nvme/tree.c
+@@ -2404,26 +2404,33 @@ static void nvme_ns_parse_descriptors(struct nvme_ns *n,
+ 
+ static int nvme_ns_init(struct nvme_ns *n)
+ {
+-	struct nvme_id_ns ns = { };
+-	uint8_t buffer[NVME_IDENTIFY_DATA_SIZE] = { };
+-	struct nvme_ns_id_desc *descs = (void *)buffer;
++	struct nvme_id_ns *ns;
++	struct nvme_ns_id_desc *descs;
+ 	uint8_t flbas;
+ 	int ret;
+ 
+-	ret = nvme_ns_identify(n, &ns);
+-	if (ret)
++	ns = __nvme_alloc(sizeof(*ns));
++	if (!ns)
++		return 0;
++	ret = nvme_ns_identify(n, ns);
++	if (ret) {
++		free(ns);
+ 		return ret;
++	}
+ 
+-	nvme_id_ns_flbas_to_lbaf_inuse(ns.flbas, &flbas);
+-	n->lba_shift = ns.lbaf[flbas].ds;
++	nvme_id_ns_flbas_to_lbaf_inuse(ns->flbas, &flbas);
++	n->lba_shift = ns->lbaf[flbas].ds;
+ 	n->lba_size = 1 << n->lba_shift;
+-	n->lba_count = le64_to_cpu(ns.nsze);
+-	n->lba_util = le64_to_cpu(ns.nuse);
+-	n->meta_size = le16_to_cpu(ns.lbaf[flbas].ms);
++	n->lba_count = le64_to_cpu(ns->nsze);
++	n->lba_util = le64_to_cpu(ns->nuse);
++	n->meta_size = le16_to_cpu(ns->lbaf[flbas].ms);
+ 
+-	if (!nvme_ns_identify_descs(n, descs))
++	descs = __nvme_alloc(NVME_IDENTIFY_DATA_SIZE);
++	if (descs && !nvme_ns_identify_descs(n, descs))
+ 		nvme_ns_parse_descriptors(n, descs);
+ 
++	free(ns);
++	free(descs);
+ 	return 0;
+ }
+ 
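Review bot: the new `if (!ns) return 0;` path reports success when `__nvme_alloc` fails, leaving n->lba_shift, lba_size, lba_count, lba_util and meta_size unset, while the `nvme_ns_identify` failure a few lines later propagates `ret`; returning an error there instead (for example setting errno to ENOMEM and returning -1) keeps callers from treating a half-initialised namespace as valid. The `descs` allocation failure merely skipping `nvme_ns_parse_descriptors` is a reasonable degradation, but since it is silent it deserves a one-line comment.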

--- End Message ---
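The bug report above describes devices that always transfer whole 4096-byte blocks, which is why a stack buffer that merely has the right size is not enough: unless it is also page-aligned it straddles two pages, and whatever follows it can be clobbered. The following is an added example, not code from libnvme, the Debian patch or the bug reporter; it is a page-aligned, page-multiple allocator together with two small checks a reviewer can use. The function names (`alloc_page_buffer`, `buffer_is_page_safe`, `pages_spanned`) are assumptions of this example, and the page size is taken from `sysconf(_SC_PAGESIZE)` at run time rather than hard-coded to 0x1000.

```c
/* Added example (not from the libnvme patch or the bug report): a
 * page-aligned, page-multiple allocator for buffers handed to a device
 * that always transfers whole blocks, plus helpers that show why an
 * unaligned stack buffer of exactly one block is risky. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Round len up to a multiple of mult (mult must be a power of two). */
static size_t round_up_pow2(size_t len, size_t mult)
{
    return (len + mult - 1) & ~(mult - 1);
}

/* Number of pages the byte range [offset, offset + len) touches, where
 * offset is measured in bytes from the start of a page of size page.
 * A 4096-byte buffer at offset 0 sits in one 4096-byte page; the same
 * buffer at offset 16 straddles two, so a device writing a full page
 * at the buffer's start runs past its end. */
size_t pages_spanned(size_t offset, size_t len, size_t page)
{
    if (len == 0)
        return 0;
    size_t first = offset / page;
    size_t last = (offset + len - 1) / page;
    return last - first + 1;
}

/* Allocate a zeroed buffer whose address and length are both multiples
 * of the system page size (the libnvme helper in the patch above rounds
 * the length to 0x1000 but aligns to getpagesize(); here the run-time
 * page size is used for both). Returns NULL with errno set on failure;
 * *out_len receives the rounded length so callers know the real size. */
void *alloc_page_buffer(size_t len, size_t *out_len)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0)
        return NULL;
    size_t page = (size_t)ps;
    size_t rounded = round_up_pow2(len, page);
    if (rounded < len) {            /* arithmetic overflow in rounding */
        errno = EOVERFLOW;
        return NULL;
    }
    void *p = NULL;
    int err = posix_memalign(&p, page, rounded);
    if (err) {
        errno = err;                /* posix_memalign does not set errno */
        return NULL;
    }
    memset(p, 0, rounded);
    if (out_len)
        *out_len = rounded;
    return p;
}

/* Reviewer-style check on an existing buffer: page-aligned address and
 * a length that is a non-zero multiple of the page size. Returns 1 if
 * it is safe to hand to a whole-block device, 0 otherwise. */
int buffer_is_page_safe(const void *p, size_t len)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || p == NULL || len == 0)
        return 0;
    size_t page = (size_t)ps;
    return ((uintptr_t)p % page == 0) && (len % page == 0);
}

int main(void)
{
    size_t got = 0;
    void *buf = alloc_page_buffer(4096, &got);
    if (!buf) {
        perror("alloc_page_buffer");
        return 1;
    }
    printf("heap buffer %p, %zu bytes, page-safe=%d\n",
           buf, got, buffer_is_page_safe(buf, got));

    /* The pattern the patch removes: a correctly sized but arbitrarily
     * aligned stack buffer. */
    uint8_t stack_buf[4096];
    printf("stack buffer %p, page-safe=%d, spans %zu page(s) of 4096\n",
           (void *)stack_buf,
           buffer_is_page_safe(stack_buf, sizeof stack_buf),
           pages_spanned((uintptr_t)stack_buf % 4096, sizeof stack_buf, 4096));
    free(buf);
    return 0;
}
```

`pages_spanned` is the quick way to reason about a report like this one: if a buffer of exactly one block spans two pages, the device's whole-block write cannot be contained by the buffer alone, and `buffer_is_page_safe` is the check to add wherever a payload buffer is passed to an identify or read ioctl.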
--- Begin Message ---
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update included in today's bookworm
12.7 point release.

Regards,

Adam

--- End Message ---
