From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:51004) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gIOFi-0002Yn-5n for qemu-devel@nongnu.org; Thu, 01 Nov 2018 21:27:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gIOFf-0004tk-1I for qemu-devel@nongnu.org; Thu, 01 Nov 2018 21:27:58 -0400 From: Li Qiang Date: Thu, 1 Nov 2018 18:22:43 -0700 Message-Id: <1541121763-3277-1-git-send-email-liq3ea@gmail.com> Subject: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: keith.busch@intel.com, kwolf@redhat.com, mreitz@redhat.com Cc: pbonzini@redhat.com, ppandit@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org, Li Qiang Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: Li Qiang Reviewed-by: Paolo Bonzini Signed-off-by: Li Qiang --- hw/block/nvme.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index fc7dacb..d097add 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data, unsigned size) { NvmeCtrl *n = (NvmeCtrl *)opaque; + + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) { + return; + } memcpy(&n->cmbuf[addr], &data, size); } @@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size) uint64_t val; NvmeCtrl *n = (NvmeCtrl *)opaque; + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) { + return 0; + } memcpy(&val, &n->cmbuf[addr], size); return val; } -- 1.8.3.1