VYPR
Medium severity 5.5 · OSV Advisory · Published Oct 1, 2025 · Updated Apr 15, 2026

CVE-2025-57275

Description

Storage Performance Development Kit (SPDK) 25.05 is vulnerable to a buffer overflow in the NVMe-oF target component (lib/nvmf).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
spdk (PyPI) | < 25.9 | 25.9

Affected products

1
  • Range: v1.0.0, v1.2.0, v16.06, …

Patches

2
f786c6d75f5c

CHANGELOG: disclose CVE-2025-57275 for lib/nvmf

https://github.com/spdk/spdk · Tomasz Zawadzki · Sep 25, 2025 · via ghsa
1 file changed · +7 -0
  • CHANGELOG.md · +7 -0 · modified
    @@ -60,6 +60,13 @@ information about the QP and its controller.
     
     ### nvmf
     
    +(CVE-2025-57275) Fixed (8981ddb1) an array-out-of-bounds access during update of registrants
    +for a namespace when PTPL (Persist through power loss) was enabled.
    +If number of registrants exceeded 16 (SPDK_NVMF_MAX_NUM_REGISTRANTS) memory after
    +the array ended could have been written with data provided in Reservation Register
    +command by the initiator. PTPL needed to be enabled explicitly, as it is disabled by default.
    +Affected NVMe-oF transports include TCP and RDMA NVMe-oF in SPDK NVMe-oF target.
    +
     Add NSSR support (NVMe Subsytem Reset) to NVMe-oF target. Once NSSR is issued - it is passed to all
     underlying namespaces (bdevs). Currenly only bdevs with PCIe transport would handle NSSR.
     See the NVMe Subsystem Reset (NSSR) section of nvmf.md for more information.
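
Review bot: the new CVE entry describes the out-of-bounds write but not what the target does after the fix. With 8981ddb1 applied, registrants past SPDK_NVMF_MAX_NUM_REGISTRANTS are left out of the persisted reservation info (the fix logs "truncating" and stops copying), so the entry should tell operators who enable PTPL that the persisted state can be incomplete once more than 16 hosts register on a namespace. Minor wording: "If number of registrants" should read "If the number of registrants".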
    
8981ddb1ccaf

lib/nvmf: limit number of NVMe-oF registrants when updating PTPL info

https://github.com/spdk/spdk · Tomasz Zawadzki · Sep 25, 2025 · via ghsa
2 files changed · +42 -3
  • lib/nvmf/subsystem.c · +8 -3 · modified
    @@ -2936,9 +2936,14 @@ nvmf_ns_update_reservation_info(struct spdk_nvmf_ns *ns)
     	}
     
     	TAILQ_FOREACH_SAFE(reg, &ns->registrants, link, tmp) {
    -		spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
    -				    &reg->hostid);
    -		info.registrants[i++].rkey = reg->rkey;
    +		if (i < SPDK_NVMF_MAX_NUM_REGISTRANTS) {
    +			spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
    +					    &reg->hostid);
    +			info.registrants[i++].rkey = reg->rkey;
    +		} else {
    +			SPDK_ERRLOG("More registrants that can fit into reservation info, truncating\n");
    +			break;
    +		}
     	}
     
     	info.num_regs = i;
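
Review bot: the new else branch only logs and breaks, after which the function falls through to info.num_regs = i with a truncated list, and the unit test added in this commit expects rc == 0 for exactly that case. The write past info.registrants is gone, but the PTPL data now silently disagrees with ns->registrants, and the only signal is an error log line. Consider returning an error from this path, or refusing the registration earlier once the count reaches SPDK_NVMF_MAX_NUM_REGISTRANTS while PTPL is enabled, so the initiator sees the limit instead of losing its registration across a power loss. Minor: the log text should read "More registrants than can fit".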
    
  • test/unit/lib/nvmf/subsystem.c/subsystem_ut.c · +34 -0 · modified
    @@ -2702,6 +2702,39 @@ test_nvmf_reservation_custom_ops(void)
     	ut_reservation_deinit();
     }
     
    +static void
    +test_nvmf_ns_reservation_add_max_registrants(void)
    +{
    +	struct spdk_nvmf_ns_reservation_ops ops = {
    +		.is_ptpl_capable = ut_is_ptpl_capable,
    +		.update = ut_update_reservation,
    +		.load = ut_load_reservation,
    +	};
    +	spdk_nvmf_set_custom_ns_reservation_ops(&ops);
    +	ut_reservation_init();
    +
    +	struct spdk_nvmf_reservation_info info = {};
    +	int rc;
    +
    +	/* Register 1 past the max */
    +	uint32_t i = 0;
    +	for (i = 0; i < SPDK_NVMF_MAX_NUM_REGISTRANTS + 1; i++) {
    +		spdk_uuid_generate(&g_ctrlr1_A.hostid);
    +		rc = nvmf_ns_reservation_add_registrant(&g_ns, &g_ctrlr1_A, 0xa11 + i);
    +		CU_ASSERT(rc == 0);
    +	}
    +	/* Update the reservation info */
    +	rc = nvmf_ns_update_reservation_info(&g_ns);
    +	CU_ASSERT(rc == 0);
    +	/* Validate that info is capped at max */
    +	rc = nvmf_ns_reservation_load(&g_ns, &info);
    +	CU_ASSERT(rc == 0);
    +	CU_ASSERT_EQUAL(info.num_regs, SPDK_NVMF_MAX_NUM_REGISTRANTS);
    +	/* Clear should return max + 1 */
    +	uint32_t cleared = nvmf_ns_reservation_clear_all_registrants(&g_ns);
    +	CU_ASSERT_EQUAL(cleared, SPDK_NVMF_MAX_NUM_REGISTRANTS + 1);
    +}
    +
     int
     main(int argc, char **argv)
     {
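
Review bot: test_nvmf_ns_reservation_add_max_registrants asserts only on info.num_regs after the load, so it would still pass if the persisted entries were wrong or if the copy loop wrote the wrong slots. Compare host_uuid and rkey of the loaded entries against the values registered in the loop (0xa11 + i) so the truncated content is checked, not just its length. The test also calls ut_reservation_init() and spdk_nvmf_set_custom_ns_reservation_ops(&ops) without a matching ut_reservation_deinit() at the end, unlike the test immediately above it, which leaves state behind for later tests. Style: info, rc, i and cleared are declared after statements; move the declarations to the top of the function.
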
    @@ -2740,6 +2773,7 @@ main(int argc, char **argv)
     	CU_ADD_TEST(suite, test_nvmf_ns_reservation_restore);
     	CU_ADD_TEST(suite, test_nvmf_subsystem_state_change);
     	CU_ADD_TEST(suite, test_nvmf_reservation_custom_ops);
    +	CU_ADD_TEST(suite, test_nvmf_ns_reservation_add_max_registrants);
     
     	allocate_threads(1);
     	set_thread(0);
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
