[PULL for-6.0 v2 10/10] hw/block/nvme: fix out-of-bounds read in nvme

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL for-6.0 v2 10/10] hw/block/nvme: fix out-of-bounds read in nvme_su

From:	Klaus Jensen
Subject:	[PULL for-6.0 v2 10/10] hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl
Date:	Wed, 7 Apr 2021 07:46:35 +0200

From: Klaus Jensen <k.jensen@samsung.com>

nvme_subsys_ctrl() is used in contexts where the given controller
identifier is from an untrusted source. Like its friends nvme_ns() and
nvme_subsys_ns(), nvme_subsys_ctrl() should just return NULL if an
invalid identifier is given.

Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command")
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
---
 hw/block/nvme-subsys.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
index 1cbcad9be23e..7d7ef5f7f12b 100644
--- a/hw/block/nvme-subsys.h
+++ b/hw/block/nvme-subsys.h
@@ -36,7 +36,7 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp);
 static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys,
         uint32_t cntlid)
 {
-    if (!subsys) {
+    if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS) {
         return NULL;
     }
 
-- 
2.31.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL for-6.0 v2 00/10] emulated nvme fixes for -rc3, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 01/10] hw/block/nvme: fix pi constraint check, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 03/10] hw/block/nvme: fix the nsid 'invalid' value, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 02/10] hw/block/nvme: fix missing string representation for ns attachment, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 04/10] hw/block/nvme: fix warning about legacy namespace configuration, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 05/10] hw/block/nvme: update dmsrl limit on namespace detachment, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 06/10] hw/block/nvme: fix handling of private namespaces, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 07/10] hw/block/nvme: add missing copyright headers, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 09/10] hw/block/nvme: fix assert crash in nvme_subsys_ns, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 08/10] hw/block/nvme: fix ns attachment out-of-bounds read, Klaus Jensen, 2021/04/07
- [PULL for-6.0 v2 10/10] hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl, Klaus Jensen <=
- Re: [PULL for-6.0 v2 00/10] emulated nvme fixes for -rc3, Peter Maydell, 2021/04/07
  - Re: [PULL for-6.0 v2 00/10] emulated nvme fixes for -rc3, Klaus Jensen, 2021/04/07

Prev by Date: [PULL for-6.0 v2 08/10] hw/block/nvme: fix ns attachment out-of-bounds read
Next by Date: Re: [PATCH 0/4] add in-tree 9pfs developers documentation
Previous by thread: [PULL for-6.0 v2 08/10] hw/block/nvme: fix ns attachment out-of-bounds read
Next by thread: Re: [PULL for-6.0 v2 00/10] emulated nvme fixes for -rc3
Index(es):
- Date
- Thread