Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)

[Li Qiang]

Ping.... what't the status of this patch.

I see Kevin's new pr doesn't contain this patch.

Thanks,
Li Qiang

Li Qiang <address@hidden> 于2018年11月2日周五 上午9:22写道：

> Currently, the nvme_cmb_ops mr doesn't check the addr and size.
> This can lead an oob access issue. This is triggerable in the guest.
> Add check to avoid this issue.
>
> Fixes CVE-2018-16847.
>
> Reported-by: Li Qiang <address@hidden>
> Reviewed-by: Paolo Bonzini <address@hidden>
> Signed-off-by: Li Qiang <address@hidden>
> ---
>  hw/block/nvme.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/hw/block/nvme.c b/hw/block/nvme.c
> index fc7dacb..d097add 100644
> --- a/hw/block/nvme.c
> +++ b/hw/block/nvme.c
> @@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr
> addr, uint64_t data,
>      unsigned size)
>  {
>      NvmeCtrl *n = (NvmeCtrl *)opaque;
> +
> +    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
> +        return;
> +    }
>      memcpy(&n->cmbuf[addr], &data, size);
>  }
>
> @@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr
> addr, unsigned size)
>      uint64_t val;
>      NvmeCtrl *n = (NvmeCtrl *)opaque;
>
> +    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
> +        return 0;
> +    }
>      memcpy(&val, &n->cmbuf[addr], size);
>      return val;
>  }
> --
> 1.8.3.1
>
>