qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)

From: Philippe Mathieu-Daudé
Subject: Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)
Date: Fri, 2 Nov 2018 08:51:56 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 
On 2/11/18 2:22, Li Qiang wrote:

Currently, the nvme_cmb_ops mr doesn't check the addr and size.
This can lead an oob access issue. This is triggerable in the guest.
Add check to avoid this issue.

Fixes CVE-2018-16847.

Reported-by: Li Qiang <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Li Qiang <address@hidden>
---
  hw/block/nvme.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb..d097add 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, 
uint64_t data,
      unsigned size)
  {
      NvmeCtrl *n = (NvmeCtrl *)opaque;
+
+    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {


Should this be reported via qemu_log_mask(LOG_GUEST_ERROR, ...)?


+        return;
+    }
      memcpy(&n->cmbuf[addr], &data, size);
  }
@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size) 
      uint64_t val;
      NvmeCtrl *n = (NvmeCtrl *)opaque;
+ if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) { 

Ditto.


+        return 0;
+    }
      memcpy(&val, &n->cmbuf[addr], size);
      return val;
  }
reply via email to
[Prev in Thread] Current Thread [Next in Thread]