Ping.... what't the status of this patch.
I see Kevin's new pr doesn't contain this patch.
Thanks,
Li Qiang
Currently, the nvme_cmb_ops mr doesn't check the addr and size.
This can lead an oob access issue. This is triggerable in the guest.
Add check to avoid this issue.
Fixes CVE-2018-16847.
Reported-by: Li Qiang <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Li Qiang <address@hidden>
---
hw/block/nvme.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb..d097add 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
NvmeCtrl *n = (NvmeCtrl *)opaque;
+
+ if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+ return;
+ }
memcpy(&n->cmbuf[addr], &data, size);
}
@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
uint64_t val;
NvmeCtrl *n = (NvmeCtrl *)opaque;
+ if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+ return 0;
+ }
memcpy(&val, &n->cmbuf[addr], size);
return val;
}
--
1.8.3.1