* [PULL for-9.1 0/1] hw/nvme late fix
@ 2024-08-20 4:45 Klaus Jensen
2024-08-20 4:45 ` [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv Klaus Jensen
2024-08-20 11:29 ` [PULL for-9.1 0/1] hw/nvme late fix Richard Henderson
0 siblings, 2 replies; 5+ messages in thread
From: Klaus Jensen @ 2024-08-20 4:45 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
Cc: Keith Busch, qemu-security, qemu-block, Jesper Devantier,
Klaus Jensen, Klaus Jensen
From: Klaus Jensen <k.jensen@samsung.com>
Hi,
The following changes since commit 48e4ba59a3756aad743982da16bf9b5120d91a0c:
Merge tag 'pull-riscv-to-apply-20240819-1' of https://github.com/alistair23/qemu into staging (2024-08-19 14:55:23 +1000)
are available in the Git repository at:
https://gitlab.com/birkelund/qemu.git tags/nvme-next-pull-request
for you to fetch changes up to 6a22121c4f25b181e99479f65958ecde65da1c92:
hw/nvme: fix leak of uninitialized memory in io_mgmt_recv (2024-08-20 06:16:48 +0200)
----------------------------------------------------------------
hw/nvme late fix
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEUigzqnXi3OaiR2bATeGvMW1PDekFAmbEHsUACgkQTeGvMW1P
DenlQgf/dzz4B5pzdD0HsjNVNulxygAJEnYitiF/50LRj564hQDoisNYPvHeKMA7
wfk8jSSimTM6YkETksiR2DvnXlZ3wXn/HAhqE15GSW8vtRK2/RO9vNn51gyoFvl3
z/Wm8ahoFaNpygQQkQMIJ9QHVD3GheZH4OxMhqI1523+s7dGcUNetoZiyoBAdJ6m
7KOa/zUTPBmvpKMOEa25Ss+nZIPp9eFuCwQxhToV0gEuJFHolRZYv7GA4UjnodvJ
HrBrbsB8W4vh65FmC7WLAG9XFvNMgC0h8qtzWyKhNcxf478E7FckLvnAzSZExitj
fJzrSJV0bJHlQEM2q0yHYpL0urh5XA==
=ZeRF
-----END PGP SIGNATURE-----
----------------------------------------------------------------
Klaus Jensen (1):
hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.45.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
2024-08-20 4:45 [PULL for-9.1 0/1] hw/nvme late fix Klaus Jensen
@ 2024-08-20 4:45 ` Klaus Jensen
2024-08-20 10:30 ` Philippe Mathieu-Daudé
2024-08-20 11:29 ` [PULL for-9.1 0/1] hw/nvme late fix Richard Henderson
1 sibling, 1 reply; 5+ messages in thread
From: Klaus Jensen @ 2024-08-20 4:45 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
Cc: Keith Busch, qemu-security, qemu-block, Jesper Devantier,
Klaus Jensen, Klaus Jensen, qemu-stable, Yutaro Shimizu
From: Klaus Jensen <k.jensen@samsung.com>
Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
NVMe emulation that leaks contents of an uninitialized heap buffer if
subsystem and FDP emulation are enabled.
Cc: qemu-stable@nongnu.org
Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index c6d4f61a47f9..9f277b81d83c 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,
nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
- buf = g_malloc(trans_len);
+ buf = g_malloc0(trans_len);
trans_len = MIN(trans_len, len);
--
2.45.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
2024-08-20 4:45 ` [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv Klaus Jensen
@ 2024-08-20 10:30 ` Philippe Mathieu-Daudé
2024-08-20 10:44 ` Klaus Jensen
0 siblings, 1 reply; 5+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-08-20 10:30 UTC (permalink / raw)
To: Klaus Jensen, Peter Maydell, qemu-devel
Cc: Keith Busch, qemu-security, qemu-block, Jesper Devantier,
Klaus Jensen, qemu-stable, Yutaro Shimizu
Hi Klaus,
On 20/8/24 06:45, Klaus Jensen wrote:
> From: Klaus Jensen <k.jensen@samsung.com>
>
> Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
> NVMe emulation that leaks contents of an uninitialized heap buffer if
> subsystem and FDP emulation are enabled.
Was this patch posted on the list for review?
Usually we log here backtrace, reproducers.
Which fields are leaked?
Let's avoid the proven unsafe security by obscurity.
> Cc: qemu-stable@nongnu.org
> Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
> ---
> hw/nvme/ctrl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> index c6d4f61a47f9..9f277b81d83c 100644
> --- a/hw/nvme/ctrl.c
> +++ b/hw/nvme/ctrl.c
> @@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,
>
> nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
> trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
> - buf = g_malloc(trans_len);
> + buf = g_malloc0(trans_len);
>
> trans_len = MIN(trans_len, len);
The malloc could be done after finding the min length.
Shouldn't we check len is big enough?
Thanks,
Phil.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
2024-08-20 10:30 ` Philippe Mathieu-Daudé
@ 2024-08-20 10:44 ` Klaus Jensen
0 siblings, 0 replies; 5+ messages in thread
From: Klaus Jensen @ 2024-08-20 10:44 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Peter Maydell, qemu-devel, Keith Busch, qemu-security, qemu-block,
Jesper Devantier, Klaus Jensen, qemu-stable, Yutaro Shimizu
[-- Attachment #1: Type: text/plain, Size: 2633 bytes --]
On Aug 20 12:30, Philippe Mathieu-Daudé wrote:
> Hi Klaus,
>
> On 20/8/24 06:45, Klaus Jensen wrote:
> > From: Klaus Jensen <k.jensen@samsung.com>
> >
> > Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
> > NVMe emulation that leaks contents of an uninitialized heap buffer if
> > subsystem and FDP emulation are enabled.
>
> Was this patch posted on the list for review?
>
I wanted to get this into -rc3, so I might have jumped the gun. Didn't
add internal Reviewed-by (I should have done that). Jesper reviewed it.
Reviewed-by: Jesper Devantier <j.devantier@samsung.com>
> Usually we log here backtrace, reproducers.
It doesn't crash anything, so no backtrace; but Yutaro did provide a poc
to show the leak - those are on qemu-security and I did not request
permission to make that public.
I realize that my commit message is too brief; I will add that and post
as PATCH instead.
>
> Which fields are leaked?
Parts of the NvmeRuHandle descriptor are reserved - they are not set
explicitly here, so they end up leaking heap content.
>
> Let's avoid the proven unsafe security by obscurity.
Apologies - that was not my intention!
>
> > Cc: qemu-stable@nongnu.org
> > Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
> > Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
> > ---
> > hw/nvme/ctrl.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> > index c6d4f61a47f9..9f277b81d83c 100644
> > --- a/hw/nvme/ctrl.c
> > +++ b/hw/nvme/ctrl.c
> > @@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,
> > nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
> > trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
> > - buf = g_malloc(trans_len);
> > + buf = g_malloc0(trans_len);
> > trans_len = MIN(trans_len, len);
>
> The malloc could be done after finding the min length.
>
Yes we could do that but it complicates building the data structure.
Here, what we do is build the data structure to be returned in full, and
then we transfer the minimum of what the host requested or the size of
that data structure.
Regardless, zeroing the memory somehow is required. We could also set
the reserved field to 0 explicitly, but g_malloc0 is more clear I think.
> Shouldn't we check len is big enough?
len is a host provided number of bytes. It does not have to be big
enough to fit the data structure; we transfer the minimum of the data
structure or what the host requested.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PULL for-9.1 0/1] hw/nvme late fix
2024-08-20 4:45 [PULL for-9.1 0/1] hw/nvme late fix Klaus Jensen
2024-08-20 4:45 ` [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv Klaus Jensen
@ 2024-08-20 11:29 ` Richard Henderson
1 sibling, 0 replies; 5+ messages in thread
From: Richard Henderson @ 2024-08-20 11:29 UTC (permalink / raw)
To: Klaus Jensen, Peter Maydell, qemu-devel
Cc: Keith Busch, qemu-security, qemu-block, Jesper Devantier,
Klaus Jensen
On 8/20/24 14:45, Klaus Jensen wrote:
> From: Klaus Jensen<k.jensen@samsung.com>
>
> Hi,
>
> The following changes since commit 48e4ba59a3756aad743982da16bf9b5120d91a0c:
>
> Merge tag 'pull-riscv-to-apply-20240819-1' ofhttps://github.com/alistair23/qemu into staging (2024-08-19 14:55:23 +1000)
>
> are available in the Git repository at:
>
> https://gitlab.com/birkelund/qemu.git tags/nvme-next-pull-request
>
> for you to fetch changes up to 6a22121c4f25b181e99479f65958ecde65da1c92:
>
> hw/nvme: fix leak of uninitialized memory in io_mgmt_recv (2024-08-20 06:16:48 +0200)
Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.
r~
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-08-20 11:30 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-20 4:45 [PULL for-9.1 0/1] hw/nvme late fix Klaus Jensen
2024-08-20 4:45 ` [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv Klaus Jensen
2024-08-20 10:30 ` Philippe Mathieu-Daudé
2024-08-20 10:44 ` Klaus Jensen
2024-08-20 11:29 ` [PULL for-9.1 0/1] hw/nvme late fix Richard Henderson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).