From: Klaus Jensen <its@irrelevant.dk>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
qemu-block@nongnu.org, Klaus Jensen <k.jensen@samsung.com>,
Max Reitz <mreitz@redhat.com>, Keith Busch <kbusch@kernel.org>,
Minwoo Im <minwoo.im.dev@gmail.com>,
Klaus Jensen <its@irrelevant.dk>
Subject: [PATCH 2/2] hw/block/nvme: assert namespaces array indices
Date: Mon, 15 Mar 2021 12:03:59 +0100 [thread overview]
Message-ID: <20210315110359.51450-3-its@irrelevant.dk> (raw)
In-Reply-To: <20210315110359.51450-1-its@irrelevant.dk>
From: Klaus Jensen <k.jensen@samsung.com>
Coverity complains about a possible memory corruption in the
nvme_ns_attach and _detach functions. While we should not (famous last
words) be able to reach this function without nsid having previously
been validated, this is still an open door for future misuse.
Make Coverity and maintainers happy by asserting that the index into the
array is valid. Also, while not detected by Coverity (yet), add an
assert in nvme_subsys_ns and nvme_subsys_register_ns as well since a
similar issue is exists there.
Fixes: 037953b5b299 ("hw/block/nvme: support namespace detach")
Fixes: CID 1450757
Fixes: CID 1450758
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
hw/block/nvme-subsys.h | 2 ++
hw/block/nvme.h | 10 ++++++++--
hw/block/nvme-subsys.c | 7 +++++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
index fb66ae752ad5..aafa04b84829 100644
--- a/hw/block/nvme-subsys.h
+++ b/hw/block/nvme-subsys.h
@@ -54,6 +54,8 @@ static inline NvmeNamespace *nvme_subsys_ns(NvmeSubsystem *subsys,
return NULL;
}
+ assert(nsid && nsid <= NVME_SUBSYS_MAX_NAMESPACES);
+
return subsys->namespaces[nsid];
}
diff --git a/hw/block/nvme.h b/hw/block/nvme.h
index 4955d649c7d4..45ba9dbc2131 100644
--- a/hw/block/nvme.h
+++ b/hw/block/nvme.h
@@ -236,12 +236,18 @@ static inline bool nvme_ns_is_attached(NvmeCtrl *n, NvmeNamespace *ns)
static inline void nvme_ns_attach(NvmeCtrl *n, NvmeNamespace *ns)
{
- n->namespaces[nvme_nsid(ns) - 1] = ns;
+ uint32_t nsid = ns->params.nsid;
+ assert(nsid && nsid <= NVME_MAX_NAMESPACES);
+
+ n->namespaces[nsid - 1] = ns;
}
static inline void nvme_ns_detach(NvmeCtrl *n, NvmeNamespace *ns)
{
- n->namespaces[nvme_nsid(ns) - 1] = NULL;
+ uint32_t nsid = ns->params.nsid;
+ assert(nsid && nsid <= NVME_MAX_NAMESPACES);
+
+ n->namespaces[nsid - 1] = NULL;
}
static inline NvmeCQueue *nvme_cq(NvmeRequest *req)
diff --git a/hw/block/nvme-subsys.c b/hw/block/nvme-subsys.c
index af4804a819ee..2f6d3b47bacf 100644
--- a/hw/block/nvme-subsys.c
+++ b/hw/block/nvme-subsys.c
@@ -47,15 +47,18 @@ int nvme_subsys_register_ns(NvmeNamespace *ns, Error **errp)
{
NvmeSubsystem *subsys = ns->subsys;
NvmeCtrl *n;
+ uint32_t nsid = ns->params.nsid;
int i;
- if (subsys->namespaces[nvme_nsid(ns)]) {
+ assert(nsid && nsid <= NVME_SUBSYS_MAX_NAMESPACES);
+
+ if (subsys->namespaces[nsid]) {
error_setg(errp, "namespace %d already registerd to subsy %s",
nvme_nsid(ns), subsys->parent_obj.id);
return -1;
}
- subsys->namespaces[nvme_nsid(ns)] = ns;
+ subsys->namespaces[nsid] = ns;
for (i = 0; i < ARRAY_SIZE(subsys->ctrls); i++) {
n = subsys->ctrls[i];
--
2.30.1
next prev parent reply other threads:[~2021-03-15 11:09 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-15 11:03 [PATCH 0/2] hw/block/nvme: coverity fixes Klaus Jensen
2021-03-15 11:03 ` [PATCH 1/2] hw/block/nvme: fix potential overflow Klaus Jensen
2021-03-15 11:03 ` Klaus Jensen [this message]
2021-03-15 11:19 ` [PATCH 2/2] hw/block/nvme: assert namespaces array indices Philippe Mathieu-Daudé
2021-03-15 11:24 ` Klaus Jensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210315110359.51450-3-its@irrelevant.dk \
--to=its@irrelevant.dk \
--cc=k.jensen@samsung.com \
--cc=kbusch@kernel.org \
--cc=kwolf@redhat.com \
--cc=minwoo.im.dev@gmail.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).