[nvmewin] FW: NVME fuzz test fixes

Thomas Freeman thomas.freeman at hgst.com
Tue Sep 15 08:04:10 PDT 2015


Uma,
With the inbox driver installed, using a variety of buffer sizes, I issued Report Luns to a device with 2 namespaces.
Prior to issuing the command, I initialized my buffer with all 0xFF’s so I could see what bytes were being changed.


Buffer size             Result
0x3                     No data was written to the buffer – the buffer remained all 0xFF’s.
0x4, 0xF, 0x11, 0x17    Only the length field (0x00000010) was written
0x18                    All data was written as follows:
                        00000010 FFFFFFFF 00000000 00000000
                        00010000 00000000 (the rest of the buffer remained 0xFF’s)


Tom Freeman
Software Engineer, Device Manager and Driver Development
HGST, a Western Digital company
thomas.freeman at hgst.com<mailto:thomas.freeman at hgst.com>
507-322-2311

3605 Hwy 52 N
Rochester, MN 55901
www.hgst.com<https://hgst.jiveon.com/external-link.jspa?url=http://www.hgst.com/>

From: Uma Parepalli [mailto:Uma.Parepalli at skhms.com]
Sent: Monday, September 14, 2015 7:13 PM
To: Thomas Freeman <thomas.freeman at hgst.com>; Robles, Raymond C <raymond.c.robles at intel.com>; nvmewin at lists.openfabrics.org; uliur at google.com
Subject: RE: [nvmewin] FW: NVME fuzz test fixes

Just curious, do you see the same issues if you use the standard Windows inbox driver?
Thank you,
Uma

Uma Parepalli
uma.parepalli at skhms.com<mailto:uma.parepalli at skhms.com> Cell: 408 805 9260
SK Hynix Memory Solutions, 3103 N 1st St, San Jose, CA 95134



From: nvmewin-bounces at lists.openfabrics.org On Behalf Of Thomas Freeman
Sent: Monday, September 14, 2015 1:42 PM
To: Robles, Raymond C; nvmewin at lists.openfabrics.org; uliur at google.com
Subject: Re: [nvmewin] FW: NVME fuzz test fixes

Iuliu,
The changes look good.
I have just a few comments.

1. nvmeSnti.c/Line 1157 – memset(pResponseBuffer, 0, allocLength); This was added to the comment, but it’s not clear why. I suspect it is an accidental addition. If so, this should be removed.

2. nvmeSnti.c/Line 1519 – Since the Lun value is actually written to the second byte of the entry, the comparison should be:

    if (lunIdDataOffset + SINGLE_LVL_LUN_OFFSET >= allocLength)

As an example, test with a buffer size of 0x11. Without this change, the driver will actually write the byte after the allocated buffer.

3. nvmeSnti.c/Line 2652 & 2669. Your change handles the case where there is no data buffer. But, it does not handle the case where the buffer is smaller than sizeof(DESCRIPTOR_FORMAT_SENSE_DATA). With a small buffer allocation, these writes would access beyond the allocated buffer:

    pSenseData->ErrorCode                    = FIXED_SENSE_DATA;
    pSenseData->SenseKey                     = SCSI_SENSE_NO_SENSE;
    pSenseData->AdditionalSenseLength        = FIXED_SENSE_DATA_ADD_LENGTH;
    pSenseData->AdditionalSenseCode          = SCSI_ADSENSE_NO_SENSE;
    pSenseData->AdditionalSenseCodeQualifier = 0;


Regards,
Tom Freeman
Software Engineer, Device Manager and Driver Development
HGST, a Western Digital company
thomas.freeman at hgst.com<mailto:thomas.freeman at hgst.com>
507-322-2311

3605 Hwy 52 N
Rochester, MN 55901
www.hgst.com<https://hgst.jiveon.com/external-link.jspa?url=http://www.hgst.com/>
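
[Added example, not part of the original thread and not nvmewin source code.] The off-by-one from comment 2 above, modelled stand-alone with a 0x11-byte allocation and 2 LUNs. Assumptions: an 8-byte Report Luns header and 8-byte entries (as in the 0x18 dump at the top of the thread), SINGLE_LVL_LUN_OFFSET equal to 1 ("second byte of the entry"), a pre-review check that compares only the entry's start offset, and the helper names fill_luns and bytes_past_end, which are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LUN_LIST_HEADER_SIZE  8  /* 4-byte list length + 4 reserved bytes */
#define LUN_ENTRY_SIZE        8  /* one 8-byte entry per LUN */
#define SINGLE_LVL_LUN_OFFSET 1  /* assumed value: LUN goes in byte 1 of its entry */

/* Write one LUN byte per entry. strict=0 tests only the entry's start offset
 * (assumed pre-review check); strict=1 tests the byte actually written, as in
 * the review comment. Returns the number of entries written. */
static unsigned fill_luns(uint8_t *buf, size_t allocLength,
                          unsigned numLuns, int strict)
{
    size_t lunIdDataOffset = LUN_LIST_HEADER_SIZE;
    unsigned lun;

    for (lun = 0; lun < numLuns; lun++, lunIdDataOffset += LUN_ENTRY_SIZE) {
        size_t checked = lunIdDataOffset + (strict ? SINGLE_LVL_LUN_OFFSET : 0);
        if (checked >= allocLength)
            break;                      /* no room for this entry's LUN byte */
        buf[lunIdDataOffset + SINGLE_LVL_LUN_OFFSET] = (uint8_t)lun;
    }
    return lun;
}

/* Run fill_luns inside a larger 0xFF-filled array (the same marker trick used
 * in the thread) and count modified bytes at or beyond allocLength. */
static unsigned bytes_past_end(size_t allocLength, unsigned numLuns, int strict)
{
    uint8_t backing[64];
    unsigned dirty = 0;
    size_t i;

    if (numLuns > 6)
        numLuns = 6;                    /* keep every write inside backing[] */
    memset(backing, 0xFF, sizeof(backing));
    fill_luns(backing, allocLength, numLuns, strict);
    for (i = allocLength; i < sizeof(backing); i++)
        dirty += (backing[i] != 0xFF);
    return dirty;
}

int main(void)
{
    printf("0x11 start-offset check: %u byte(s) past end\n", bytes_past_end(0x11, 2, 0));
    printf("0x11 reviewed check:     %u byte(s) past end\n", bytes_past_end(0x11, 2, 1));
    return 0;
}
```

With 0x11 bytes the second entry starts at offset 0x10, which is inside the buffer, but its LUN byte sits at offset 0x11, the first byte past it.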

From: nvmewin-bounces at lists.openfabrics.org On Behalf Of Robles, Raymond C
Sent: Friday, September 11, 2015 3:29 PM
To: nvmewin at lists.openfabrics.org
Subject: [nvmewin] FW: NVME fuzz test fixes

All,

Here is the original patch from Google (Iuliu) for the WHCK fuzz tests.

Thanks,
Ray

From: nvmewin-bounces at lists.openfabrics.org On Behalf Of Iuliu Rus
Sent: Monday, August 03, 2015 1:37 PM
To: nvmewin at lists.openfabrics.org
Subject: [nvmewin] NVME fuzz test fixes

Hello,
I have attached the fixes we (Google) did for the several crashes / corruptions exposed by the Windows HCK fuzztest.exe.
We have tested this on qemu/ Server 2012 R2.
The password on the zip is "nvme" :)