
Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB


From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB
Date: Thu, 22 Nov 2018 15:54:29 +0100
User-agent: Mutt/1.10.1 (2018-07-13)

On 20.11.2018 at 19:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error.  This is CVE-2018-16847.
> 
> Another way to fix this might be to register the CMB as a RAM memory
> region, which would also be more efficient.  However, that might be a
> change for big-endian machines; I didn't think this through and I don't
> know how real hardware works.  Add a basic testcase for the CMB in case
> somebody does this change later on.
> 
> Cc: Keith Busch <address@hidden>
> Cc: address@hidden
> Reported-by: Li Qiang <address@hidden>
> Reviewed-by: Li Qiang <address@hidden>
> Tested-by: Li Qiang <address@hidden>
> Signed-off-by: Paolo Bonzini <address@hidden>

Thanks, applied to the block branch and reverted 5e3c0220d7.

Kevin
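The off-by-one described in the quoted commit message, as an added example that is not QEMU's code: a constructed model of a BAR-backed device buffer whose read callback is handed an access that the region layer has already widened to the region's minimum access size. All names here (cmb_region, cmb_effective_size, cmb_overrun_bytes, cmb_read_checked, demo_last_byte) and the 16-byte buffer contents are assumptions made for the example. With a minimum access size of 2, a 1-byte read of the last byte arrives as a 2-byte read and would touch one byte past the buffer; the checked variant refuses it, and the same read succeeds when the callback is allowed 1-byte accesses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a device buffer exposed through a BAR whose read
 * callback receives (addr, size).  Hypothetical names, not QEMU's. */
struct cmb_region {
    uint8_t *buf;              /* backing storage */
    uint64_t size;             /* bytes actually allocated */
    unsigned min_access_size;  /* narrowest access the region layer issues */
};

/* The widening the bug depends on: an access narrower than min_access_size
 * reaches the callback already rounded up to min_access_size. */
static unsigned cmb_effective_size(const struct cmb_region *r, unsigned size)
{
    return size < r->min_access_size ? r->min_access_size : size;
}

/* Number of bytes past the end of buf the widened access would touch
 * (0 means the access fits).  Written to avoid addr + size overflow. */
static uint64_t cmb_overrun_bytes(const struct cmb_region *r, uint64_t addr, unsigned size)
{
    unsigned eff = cmb_effective_size(r, size);
    if (addr >= r->size)
        return addr - r->size + eff;
    uint64_t room = r->size - addr;
    return eff > room ? eff - room : 0;
}

/* The unchecked pattern: copy `size` bytes from buf + addr, trusting the
 * caller.  Shown for contrast only; the checked reader below is the only
 * caller, and it never passes an access that overruns. */
static uint64_t cmb_read_unchecked(const struct cmb_region *r, uint64_t addr, unsigned size)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint64_t)r->buf[addr + i] << (8 * i);   /* little-endian assembly */
    return v;
}

/* Checked read: rejects any widened access that does not fit inside the
 * buffer (or is wider than the 8-byte result), returning false instead of
 * reading past the end. */
static bool cmb_read_checked(const struct cmb_region *r, uint64_t addr, unsigned size, uint64_t *out)
{
    unsigned eff = cmb_effective_size(r, size);
    if (eff == 0 || eff > 8 || cmb_overrun_bytes(r, addr, size) != 0)
        return false;
    *out = cmb_read_unchecked(r, addr, eff);
    return true;
}

/* Demo: a constructed 16-byte region holding 0xA0..0xAF; read its last byte
 * with the given minimum access size.  Returns the value, or -1 if rejected. */
static long long demo_last_byte(unsigned min_access_size)
{
    uint8_t backing[16];
    for (int i = 0; i < 16; i++)
        backing[i] = (uint8_t)(0xA0 + i);
    struct cmb_region r = { backing, sizeof backing, min_access_size };
    uint64_t v;
    return cmb_read_checked(&r, sizeof backing - 1, 1, &v) ? (long long)v : -1;
}

int main(void)
{
    uint8_t backing[16] = {0};
    struct cmb_region r = { backing, sizeof backing, 2 };
    printf("1-byte read at offset 15 with min_access_size=2 overruns by %llu byte(s)\n",
           (unsigned long long)cmb_overrun_bytes(&r, 15, 1));
    printf("checked read, min_access_size=2: %lld\n", demo_last_byte(2));
    printf("checked read, min_access_size=1: 0x%llx\n", demo_last_byte(1));
    return 0;
}
```

The useful check is the one in cmb_overrun_bytes: a callback that trusts the size it receives cannot tell that the region layer has widened a legitimate last-byte access, so the bounds test has to be done against the widened size, and done without computing addr + size in a way that can wrap.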