From: Klaus Jensen <its@irrelevant.dk>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: Richard Henderson <richard.henderson@linaro.org>,
qemu-devel@nongnu.org, qemu-block@nongnu.org,
Keith Busch <kbusch@kernel.org>,
Klaus Jensen <k.jensen@samsung.com>,
qemu-stable@nongnu.org,
Jesper Wendel Devantier <j.devantier@samsung.com>
Subject: Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
Date: Thu, 24 Aug 2023 15:27:11 +0200 [thread overview]
Message-ID: <ZOdar5SaiEjOuYj5@cormorant.local> (raw)
In-Reply-To: <556b1036-fa1c-f207-6ce6-a9cf22805e6c@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 1641 bytes --]
On Aug 24 14:44, Philippe Mathieu-Daudé wrote:
> On 9/8/23 15:39, Klaus Jensen wrote:
> > From: Klaus Jensen <k.jensen@samsung.com>
> >
> > nvme_directive_receive() does not check if an endurance group has been
> > configured (set) prior to testing if flexible data placement is enabled
> > or not.
> >
> > Fix this.
> >
> > Cc: qemu-stable@nongnu.org
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
> > Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
> > Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com>
> > Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
> > ---
> > hw/nvme/ctrl.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> > index d217ae91b506..e5b5c7034d2b 100644
> > --- a/hw/nvme/ctrl.c
> > +++ b/hw/nvme/ctrl.c
> > @@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, NvmeRequest *req)
> > case NVME_DIRECTIVE_IDENTIFY:
> > switch (doper) {
> > case NVME_DIRECTIVE_RETURN_PARAMS:
> > - if (ns->endgrp->fdp.enabled) {
> > + if (ns->endgrp && ns->endgrp->fdp.enabled) {
>
> This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer
> dereference in nvme_directive_receive"). Were you aware of
> the security implications?
>
Yes, but I was not aware of the CVE being assigned at the time. I don't
think it was?
But if what you are saying is that it was my responsibility as
maintainer, to get that reported and assigned, then I apologies and will
of course keep that in mind going forward!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2023-08-24 13:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-09 13:39 [PULL 0/2] hw/nvme: more fixes Klaus Jensen
2023-08-09 13:39 ` [PULL 1/2] hw/nvme: fix null pointer access in directive receive Klaus Jensen
2023-08-24 12:44 ` Philippe Mathieu-Daudé
2023-08-24 13:08 ` Michael Tokarev
2023-08-24 13:27 ` Klaus Jensen [this message]
2023-08-09 13:39 ` [PULL 2/2] hw/nvme: fix null pointer access in ruh update Klaus Jensen
2023-08-09 22:04 ` [PULL 0/2] hw/nvme: more fixes Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZOdar5SaiEjOuYj5@cormorant.local \
--to=its@irrelevant.dk \
--cc=j.devantier@samsung.com \
--cc=k.jensen@samsung.com \
--cc=kbusch@kernel.org \
--cc=philmd@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).