qemu-block
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-block] [PATCH] nvme: fix oob access issue(CVE-2018-16847)


From: Paolo Bonzini
Subject: Re: [Qemu-block] [PATCH] nvme: fix oob access issue(CVE-2018-16847)
Date: Wed, 14 Nov 2018 16:44:21 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 14/11/2018 02:38, Li Qiang wrote:
> 
> 
> Paolo Bonzini <address@hidden <mailto:address@hidden>> 于2018
> 年11月14日周三 上午2:27写道:
> 
>     On 13/11/2018 11:17, Kevin Wolf wrote:
>     > Am 13.11.2018 um 02:45 hat Li Qiang geschrieben:
>     >> Ping.... what't the status of this patch.
>     >>
>     >> I see Kevin's new pr doesn't contain this patch.
>     >
>     > Oh, I thought you said that you wanted to fix this at a higher
>     level so
>     > that the problem is caught before even getting into nvme code? If you
>     > don't, I can apply the patch for my next pull request.
> 
>     As far as I know the bug doesn't exist.  Li Qiang, if you have a
>     reproducer please send it.
> 
> 
> Hello Paolo,
> Though I've send the debug information and ASAN output in the mail to
> address@hidden <mailto:address@hidden>, I'm glad provide here.
> This is for read, I think the write the same but as the PoC is in
> userspace, the mmap can only map the exact size of the MMIO,
> So we can only write within the area. But if we using a module we can
> write the out of MMIO I think
> The nvme device's parameter should set as 'cmb_size_mb=2' and the PCI
> address may differ in your system.

Ok, thanks.  I've created a reproducer using qtest (though I have to run
now and cannot post it properly).

The patch for the fix is simply:

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb816..6385033af3 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
     .write = nvme_cmb_write,
     .endianness = DEVICE_LITTLE_ENDIAN,
     .impl = {
-        .min_access_size = 2,
+        .min_access_size = 1,
         .max_access_size = 8,
     },
 };


The memory subsystem _is_ recognizing the out-of-bounds 32-bit access,
but because min_access_size=2 it sends down a write at offset 2097151
and size 2.

Paolo



reply via email to

[Prev in Thread] Current Thread [Next in Thread]