From: Michael Roth
Subject: [PATCH 40/47] hw/nvme: fix buffer overrun in nvme_changed_nslist (CVE-2021-3947)
Date: Tue, 14 Dec 2021 18:01:18 -0600
From: Klaus Jensen <k.jensen@samsung.com>
Fix missing offset verification.
Cc: qemu-stable@nongnu.org
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Fixes: f432fdfa121 ("support changed namespace asynchronous event")
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit e2c57529c9306e4c9aac75d9879f6e7699584a22)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/nvme/ctrl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 6baf9e0420..27dddb87bd 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4164,6 +4164,11 @@ static uint16_t nvme_changed_nslist(NvmeCtrl *n, uint8_t
rae, uint32_t buf_len,
int i = 0;
uint32_t nsid;
+ if (off >= sizeof(nslist)) {
+ trace_pci_nvme_err_invalid_log_page_offset(off, sizeof(nslist));
+ return NVME_INVALID_FIELD | NVME_DNR;
+ }
+
memset(nslist, 0x0, sizeof(nslist));
trans_len = MIN(sizeof(nslist) - off, buf_len);
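Review bot: The commit message ("Fix missing offset verification.") should spell out what the absent check allowed, since this is a CVE fix: without the guard, an `off` larger than `sizeof(nslist)` makes the unsigned subtraction in `trans_len = MIN(sizeof(nslist) - off, buf_len);` wrap around, so `trans_len` degenerates to `buf_len` and the transfer that follows copies from past the end of `nslist`. The guard itself is correctly placed before the `memset`, so the rejected path does no wasted work, and using `>=` rather than `>` also rejects `off == sizeof(nslist)`, which is harmless since that offset could only have produced a zero-length transfer.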
--
2.25.1