
[Qemu-commits] [qemu/qemu] ecb1b7: hw/nvme: fix oob memory read in fdp e


From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] ecb1b7: hw/nvme: fix oob memory read in fdp events log
Date: Mon, 07 Aug 2023 13:36:32 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: ecb1b7b082d3b7dceff0e486a114502fc52c0fdf
          https://github.com/qemu/qemu/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    M hw/nvme/ctrl.c

  Log Message:
  -----------
  hw/nvme: fix oob memory read in fdp events log

As reported by Trend Micro's Zero Day Initiative, an oob memory read
vulnerability exists in nvme_fdp_events(). The host-provided offset is
not verified.

Fix this.

This is only exploitable when Flexible Data Placement mode (fdp=on) is
enabled.

Fixes: CVE-2023-4135
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
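The commit message above says the host-provided offset into the FDP events log was not verified. The following C snippet is an added illustration of the bounds-check pattern such a fix relies on; it is not QEMU's code, not the actual patch, and the names (`LOG_PAGE_SIZE`, `log_page_read_checked`, `scratch_read`, `scratch_byte`) and the fixed-size log page are constructed for the example. The point it shows is the order of operations: the offset is validated first, the remaining length is derived from the validated offset, and the requested length is clamped rather than trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a device-side log page of fixed size (assumption,
 * not the real NVMe FDP events log layout). */
#define LOG_PAGE_SIZE 256

/* Hypothetical log page contents; filled with a known pattern so the
 * bytes copied out can be checked. */
static uint8_t g_log_page[LOG_PAGE_SIZE];

static void fill_log_page(void)
{
    for (size_t i = 0; i < LOG_PAGE_SIZE; i++) {
        g_log_page[i] = (uint8_t)i;
    }
}

/*
 * Copy up to `len` bytes of the log page, starting at the host-supplied
 * offset `off`, into `dst`.  Returns the number of bytes copied, or -1
 * when the offset lies outside the log page.
 *
 * An unchecked implementation would compute `g_log_page + off` and read
 * `len` bytes regardless, which is the out-of-bounds read pattern the
 * commit describes.  Here `off` is validated before it is used, so the
 * subtraction `LOG_PAGE_SIZE - off` cannot underflow, and `len` is
 * clamped to what remains in the page.
 */
static long log_page_read_checked(uint64_t off, size_t len, uint8_t *dst)
{
    if (off >= LOG_PAGE_SIZE) {
        return -1;              /* host offset past the end: reject */
    }

    size_t avail = LOG_PAGE_SIZE - (size_t)off;   /* safe: off < size */
    size_t n = len < avail ? len : avail;          /* clamp, don't trust */

    memcpy(dst, g_log_page + off, n);
    return (long)n;
}

/* Scratch destination and helpers so results can be inspected by value. */
static uint8_t g_scratch[LOG_PAGE_SIZE];

static long scratch_read(uint64_t off, size_t len)
{
    fill_log_page();            /* idempotent; keeps the helper standalone */
    memset(g_scratch, 0xff, sizeof(g_scratch));
    return log_page_read_checked(off, len, g_scratch);
}

static int scratch_byte(size_t i)
{
    return i < LOG_PAGE_SIZE ? g_scratch[i] : -1;
}

int main(void)
{
    /* Constructed requests: in range, straddling the end, and past the end. */
    printf("read(0, 16)     -> %ld\n", scratch_read(0, 16));
    printf("read(250, 16)   -> %ld\n", scratch_read(250, 16));
    printf("read(256, 16)   -> %ld\n", scratch_read(256, 16));
    printf("read(MAX, 1)    -> %ld\n", scratch_read(UINT64_MAX, 1));
    return 0;
}
```

The straddling case (`off = 250, len = 16`) is the one worth keeping in a regression test: a check that only rejects `off >= size` but still copies the full `len` would pass the first and third requests and still read past the page on the second.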


  Commit: 6a33f2e920ec0b489a77200888e3692664077f2d
          https://github.com/qemu/qemu/commit/6a33f2e920ec0b489a77200888e3692664077f2d
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    M hw/nvme/ctrl.c
    M hw/nvme/nvme.h
    M hw/nvme/trace-events

  Log Message:
  -----------
  hw/nvme: fix compliance issue wrt. iosqes/iocqes

As of prior to this patch, the controller checks the value of CC.IOCQES
and CC.IOSQES prior to enabling the controller. As reported by Ben in
GitLab issue #1691, this is not spec compliant. The controller should
only check these values when queues are created.

This patch moves these checks to nvme_create_cq(). We do not need to
check it in nvme_create_sq() since that will error out if the completion
queue is not already created.

Also, since the controller exclusively supports SQEs of size 64 bytes
and CQEs of size 16 bytes, hard code that.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1691
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: e0e5dca517a5964d407f48bdfccbea88113b2736
          https://github.com/qemu/qemu/commit/e0e5dca517a5964d407f48bdfccbea88113b2736
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    M hw/nvme/ctrl.c
    M hw/nvme/nvme.h
    M hw/nvme/trace-events

  Log Message:
  -----------
  Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu into staging

hw/nvme fixes

- two fixes for hw/nvme

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEUigzqnXi3OaiR2bATeGvMW1PDekFAmTQ2y4ACgkQTeGvMW1P
# DenpWQf/WFgEljzgTcgxlfZhCyzWGwVNgKqRxlTuF6ELqm8BajCuCeA5ias6AXOr
# x/gZ0VqrL91L5tRIH5Q0sdC+HBFC1yMs66jopdzc1oL1eYu1HTrLIqMDtkXp/K/P
# PyGah2t4qEMtacSkad+hmB68ViUkkmhkxrWYIeufUQTfLNF5pBqNvB1kQON3jmXE
# a1jI/PabYxi8Km0rfFJD6SUGmL9+m7MY/SyZAy+4EZZ1OEnp5jb3o9lbdwbhIU5e
# dRX4NW4BEDiOJeIcNVDiQkXv2/Lna1B51RVMvM4owpk0eRvRXMSqs2DQ5/jp/nGb
# 8uChUJ0QW68I4e9ptTfxmBsr4pSktg==
# =0nwp
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 07 Aug 2023 04:53:18 AM PDT
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
  hw/nvme: fix compliance issue wrt. iosqes/iocqes
  hw/nvme: fix oob memory read in fdp events log

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/9400601a689a...e0e5dca517a5


