From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Klaus Jensen <its@irrelevant.dk>,
Peter Maydell <peter.maydell@linaro.org>,
qemu-devel@nongnu.org
Cc: Keith Busch <kbusch@kernel.org>,
qemu-security@nongnu.org, qemu-block@nongnu.org,
Jesper Devantier <foss@defmacro.it>,
Klaus Jensen <k.jensen@samsung.com>,
qemu-stable@nongnu.org, Yutaro Shimizu <shimizu@cyberdefense.jp>
Subject: Re: [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
Date: Tue, 20 Aug 2024 12:30:43 +0200 [thread overview]
Message-ID: <65bac872-f461-4e2b-b959-7bf020139fd5@linaro.org> (raw)
In-Reply-To: <20240820044505.84005-4-its@irrelevant.dk>
Hi Klaus,
On 20/8/24 06:45, Klaus Jensen wrote:
> From: Klaus Jensen <k.jensen@samsung.com>
>
> Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
> NVMe emulation that leaks contents of an uninitialized heap buffer if
> subsystem and FDP emulation are enabled.
Was this patch posted on the list for review?
Usually we log here backtrace, reproducers.
Which fields are leaked?
Let's avoid the proven unsafe security by obscurity.
> Cc: qemu-stable@nongnu.org
> Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
> ---
> hw/nvme/ctrl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> index c6d4f61a47f9..9f277b81d83c 100644
> --- a/hw/nvme/ctrl.c
> +++ b/hw/nvme/ctrl.c
> @@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,
>
> nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
> trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
> - buf = g_malloc(trans_len);
> + buf = g_malloc0(trans_len);
>
> trans_len = MIN(trans_len, len);
The malloc could be done after finding the min length.
Shouldn't we check len is big enough?
Thanks,
Phil.
next prev parent reply other threads:[~2024-08-20 10:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-20 4:45 [PULL for-9.1 0/1] hw/nvme late fix Klaus Jensen
2024-08-20 4:45 ` [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv Klaus Jensen
2024-08-20 10:30 ` Philippe Mathieu-Daudé [this message]
2024-08-20 10:44 ` Klaus Jensen
2024-08-20 11:29 ` [PULL for-9.1 0/1] hw/nvme late fix Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=65bac872-f461-4e2b-b959-7bf020139fd5@linaro.org \
--to=philmd@linaro.org \
--cc=foss@defmacro.it \
--cc=its@irrelevant.dk \
--cc=k.jensen@samsung.com \
--cc=kbusch@kernel.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-security@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=shimizu@cyberdefense.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).