qemu-devel

Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB


From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB
Date: Thu, 22 Nov 2018 17:01:29 +0000

On 20 November 2018 at 18:41, Paolo Bonzini <address@hidden> wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error.  This is CVE-2018-16847.

Maybe we should change the MemoryRegionOps API so that
devices have to explicitly opt in to handling accesses
that span off the end of the region size they've registered?
IIRC we have one or two oddball devices that care about that
(probably mostly x86 IO port devices), but most device
implementations will not be expecting it.

I'm also surprised that the memory subsystem permits a
2 byte access at address sz-1 here, since .impl.unaligned
is not set...

thanks
-- PMM
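The off-by-one that the quoted commit message describes, modelled in a small added C example that is not QEMU's code: a stand-in for the memory core widens a 1-byte guest read to the region's min_access_size of 2 before handing it to the device callback, so a read of the last byte arrives at the callback as a 2-byte access at offset size-1. A memcpy that trusts that (addr, size) pair copies one byte past the region; a callback that clamps to what actually fits does not. Every name here (cmb_region, cmb_read_unchecked, cmb_read_checked, guest_read, MIN_ACCESS) is hypothetical, the 16-byte region and the 0xEE canary byte past its end are constructed so the overrun is visible without reading outside any array, and the hardened variant is one possible check, not the patch under discussion:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMB_SIZE   16u   /* constructed: a tiny region so the last byte is easy to see */
#define MIN_ACCESS 2u    /* stands in for .impl.min_access_size = 2 */

/* Backing store with one extra canary byte past the end of the region, so the
 * overrun is observable in this model without reading outside the array. */
struct cmb_region {
    uint8_t buf[CMB_SIZE + 1];
};

static void cmb_init(struct cmb_region *r)
{
    for (unsigned i = 0; i < CMB_SIZE; i++) {
        r->buf[i] = (uint8_t)i;
    }
    r->buf[CMB_SIZE] = 0xEE;   /* canary: a guest must never be able to read it */
}

/* Assemble up to 8 bytes little-endian, independent of host byte order. */
static uint64_t le_bytes(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        v |= (uint64_t)p[i] << (8 * i);
    }
    return v;
}

typedef uint64_t (*cmb_read_fn)(struct cmb_region *, uint64_t, unsigned);

/* Vulnerable callback (hypothetical): trusts the (addr, size) pair the core
 * hands it and copies size bytes from addr, so addr == CMB_SIZE - 1 with
 * size == 2 copies one byte past the region.  Sizes above 8 are never
 * produced by this model's dispatcher. */
static uint64_t cmb_read_unchecked(struct cmb_region *r, uint64_t addr, unsigned size)
{
    uint8_t tmp[8] = {0};
    memcpy(tmp, &r->buf[addr], size);
    return le_bytes(tmp, size);
}

/* Hardened callback (hypothetical): only the bytes that lie inside the region
 * are copied; anything beyond the end reads as zero. */
static uint64_t cmb_read_checked(struct cmb_region *r, uint64_t addr, unsigned size)
{
    uint8_t tmp[8] = {0};
    if (addr >= CMB_SIZE || size > sizeof(tmp)) {
        return 0;
    }
    unsigned n = size;
    if (n > CMB_SIZE - addr) {
        n = (unsigned)(CMB_SIZE - addr);   /* clamp to what actually fits */
    }
    memcpy(tmp, &r->buf[addr], n);
    return le_bytes(tmp, size);
}

/* Model of the core's dispatch: an access narrower than MIN_ACCESS is widened
 * to MIN_ACCESS before the device callback sees it, which is what turns a
 * 1-byte guest read of the last byte into a 2-byte read at CMB_SIZE - 1. */
static uint64_t guest_read(struct cmb_region *r, cmb_read_fn fn, uint64_t addr, unsigned size)
{
    unsigned widened = size < MIN_ACCESS ? MIN_ACCESS : size;
    return fn(r, addr, widened);
}

/* Convenience: fresh region, one guest read, return the value the guest sees. */
static uint64_t model_read(cmb_read_fn fn, uint64_t addr, unsigned size)
{
    struct cmb_region r;
    cmb_init(&r);
    return guest_read(&r, fn, addr, size);
}

/* 1 if a 1-byte guest read of the region's last byte hands back the canary. */
static int last_byte_read_leaks(cmb_read_fn fn)
{
    uint64_t v = model_read(fn, CMB_SIZE - 1, 1);
    return ((v >> 8) & 0xff) == 0xEE;
}

int main(void)
{
    printf("unchecked read of last byte: 0x%llx (leaks canary: %d)\n",
           (unsigned long long)model_read(cmb_read_unchecked, CMB_SIZE - 1, 1),
           last_byte_read_leaks(cmb_read_unchecked));
    printf("checked read of last byte:   0x%llx (leaks canary: %d)\n",
           (unsigned long long)model_read(cmb_read_checked, CMB_SIZE - 1, 1),
           last_byte_read_leaks(cmb_read_checked));
    return 0;
}
```

The check inside the callback is belt-and-braces: the other way to close the gap is to stop the core from widening in the first place, i.e. make the region's impl.min_access_size match what the device can actually serve at every offset, which is the point Peter raises about the memory subsystem permitting a 2-byte access at sz-1 at all.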
