Bug#1068954: bookworm-pu: package libnvme/1.3-1+deb12u1

2024-06-15 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sun, Apr 14, 2024 at 09:08:01AM +0200, Daniel Baumann wrote:
> diff --git a/debian/changelog b/debian/changelog
> index 2666b0a..d7cef38 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +libnvme (1.3-1+deb12u1) bookworm; urgency=medium
> +
> +  * Uploading to bookworm.

This doesn't need repeating, the target is already in the change header.

Otherwise please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1068954: bookworm-pu: package libnvme/1.3-1+deb12u1

2024-06-15 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1068954 [release.debian.org] bookworm-pu: package libnvme/1.3-1+deb12u1
Added tag(s) confirmed.

-- 
1068954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068954
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1068954: bookworm-pu: package libnvme/1.3-1+deb12u1

2024-04-14 Thread Daniel Baumann

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Hi,

when scanning ("nvme list") some buggy NVMe SSDs that don't like blocks
of less than 4096 bytes sent to them, a buffer overflow happens.


Upstream fixed this in libnvme 1.7, I've cherry-picked this for 
bookworm, attached is the full diff for review. Please let me know if I 
can upload it to bookworm-pu.


Regards,
Daniel
diff --git a/debian/changelog b/debian/changelog
index 2666b0a..d7cef38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libnvme (1.3-1+deb12u1) bookworm; urgency=medium
+
+  * Uploading to bookworm.
+  * Cherry-picking upstream commits to fix buffer overflow during scanning
+devices that do not support sub-4k reads (Closes: #1054631).
+
+ -- Daniel Baumann   Sun, 14 Apr 2024 08:57:21 +0200
+
 libnvme (1.3-1) sid; urgency=medium
 
   * Uploading to sid.
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..f31922e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+upstream/0001-alloc-helper.patch
+upstream/0002-aligned-payloads.patch
diff --git a/debian/patches/upstream/0001-alloc-helper.patch b/debian/patches/upstream/0001-alloc-helper.patch
new file mode 100644
index 000..deafcae
--- /dev/null
+++ b/debian/patches/upstream/0001-alloc-helper.patch
@@ -0,0 +1,52 @@
+commit a2b8e52e46cfd888ac5a48d8ce632bd70a5caa93
+Author: Tomas Bzatek 
+Date:   Tue Oct 10 18:16:24 2023 +0200
+
+util: Introduce alloc helper with alignment support
+
+Similar to nvme-cli an alloc helper is needed for a couple
+of ioctls sent out during tree scan.
+
+Signed-off-by: Tomas Bzatek 
+
+diff --git a/src/nvme/private.h b/src/nvme/private.h
+index 6fb9784a..ee9d738b 100644
+--- a/src/nvme/private.h
 b/src/nvme/private.h
+@@ -182,6 +182,8 @@ nvme_ctrl_t __nvme_lookup_ctrl(nvme_subsystem_t s, const char *transport,
+ 			   const char *host_iface, const char *trsvcid,
+ 			   const char *subsysnqn, nvme_ctrl_t p);
+ 
++void *__nvme_alloc(size_t len);
++
+ #if (LOG_FUNCNAME == 1)
+ #define __nvme_log_func __func__
+ #else
+diff --git a/src/nvme/util.c b/src/nvme/util.c
+index 8fe094d5..20679685 100644
+--- a/src/nvme/util.c
 b/src/nvme/util.c
+@@ -7,6 +7,7 @@
+  * 	Chaitanya Kulkarni 
+  */
+ 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -1058,3 +1059,15 @@ bool nvme_iface_primary_addr_matches(const struct ifaddrs *iface_list, const cha
+ }
+ 
+ #endif /* HAVE_NETDB */
++
++void *__nvme_alloc(size_t len)
++{
++	size_t _len = round_up(len, 0x1000);
++	void *p;
++
++	if (posix_memalign((void *)&p, getpagesize(), _len))
++		return NULL;
++
++	memset(p, 0, _len);
++	return p;
++}
diff --git a/debian/patches/upstream/0002-aligned-payloads.patch b/debian/patches/upstream/0002-aligned-payloads.patch
new file mode 100644
index 000..8c514d0
--- /dev/null
+++ b/debian/patches/upstream/0002-aligned-payloads.patch
@@ -0,0 +1,60 @@
+commit 68c6ffb11d40a427fc1fd70ac2ac97fd01952913
+Author: Tomas Bzatek 
+Date:   Tue Oct 10 18:18:38 2023 +0200
+
+tree: Allocate aligned payloads for ns scan
+
+libnvme is actually doing some namespace identification
+during tree scan, leading to stack smash on some systems.
+
+Signed-off-by: Tomas Bzatek 
+
+diff --git a/src/nvme/tree.c b/src/nvme/tree.c
+index 00cf96f7..5636aa18 100644
+--- a/src/nvme/tree.c
 b/src/nvme/tree.c
+@@ -2404,26 +2404,33 @@ static void nvme_ns_parse_descriptors(struct nvme_ns *n,
+ 
+ static int nvme_ns_init(struct nvme_ns *n)
+ {
+-	struct nvme_id_ns ns = { };
+-	uint8_t buffer[NVME_IDENTIFY_DATA_SIZE] = { };
+-	struct nvme_ns_id_desc *descs = (void *)buffer;
++	struct nvme_id_ns *ns;
++	struct nvme_ns_id_desc *descs;
+ 	uint8_t flbas;
+ 	int ret;
+ 
+-	ret = nvme_ns_identify(n, &ns);
+-	if (ret)
++	ns = __nvme_alloc(sizeof(*ns));
++	if (!ns)
++		return 0;
++	ret = nvme_ns_identify(n, ns);
++	if (ret) {
++		free(ns);
+ 		return ret;
++	}
+ 
+-	nvme_id_ns_flbas_to_lbaf_inuse(ns.flbas, &flbas);
+-	n->lba_shift = ns.lbaf[flbas].ds;
++	nvme_id_ns_flbas_to_lbaf_inuse(ns->flbas, &flbas);
++	n->lba_shift = ns->lbaf[flbas].ds;
+ 	n->lba_size = 1 << n->lba_shift;
+-	n->lba_count = le64_to_cpu(ns.nsze);
+-	n->lba_util = le64_to_cpu(ns.nuse);
+-	n->meta_size = le16_to_cpu(ns.lbaf[flbas].ms);
++	n->lba_count = le64_to_cpu(ns->nsze);
++	n->lba_util = le64_to_cpu(ns->nuse);
++	n->meta_size = le16_to_cpu(ns->lbaf[flbas].ms);
+ 
+-	if (!nvme_ns_identify_descs(n, descs))
++	descs = __nvme_alloc(NVME_IDENTIFY_DATA_SIZE);
++	if (descs && !nvme_ns_identify_descs(n, descs))
+ 		nvme_ns_parse_descriptors(n, descs);
+ 
++	free(ns);
++	free(descs);
+ 	return 0;
+ }
+
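Review bot: In `nvme_ns_init()` the new `if (!ns) return 0;` reports success when the identify buffer cannot be allocated, so a caller that trusts the return value continues with a namespace whose `lba_shift`, `lba_size`, `lba_count`, `lba_util` and `meta_size` were never set by this function. An allocation failure should take an error path instead, for example `if (!ns) { errno = ENOMEM; return -1; }`, assuming the surrounding code follows the -1/errno convention, which is not visible here; note that `posix_memalign()` reports failure through its return value and does not set `errno` itself. Separately, `ns->lbaf[flbas].ds` is supplied by the device and feeds `1 << n->lba_shift` on an unchanged line, so a value of 31 or more is undefined behaviour for a 32-bit `int` shift; a range check before the shift would be worth a follow-up.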