[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/nvme: fix oob memory read in fdp events log
From: |
Klaus Jensen |
Subject: |
Re: [PATCH] hw/nvme: fix oob memory read in fdp events log |
Date: |
Tue, 8 Aug 2023 08:15:31 +0200 |
+CC qemu-stable
On Aug 3 20:44, Klaus Jensen wrote:
> From: Klaus Jensen <k.jensen@samsung.com>
>
> As reported by Trend Micro's Zero Day Initiative, an oob memory read
> vulnerability exists in nvme_fdp_events(). The host-provided offset is
> not verified.
>
> Fix this.
>
> This is only exploitable when Flexible Data Placement mode (fdp=on) is
> enabled.
>
> Fixes: CVE-2023-4135
> Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
> Reported-by: Trend Micro's Zero Day Initiative
> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
> ---
> hw/nvme/ctrl.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> index f2e5a2fa737b..e9b5a55811b8 100644
> --- a/hw/nvme/ctrl.c
> +++ b/hw/nvme/ctrl.c
> @@ -5120,6 +5120,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t
> endgrpid,
> }
>
> log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems *
> sizeof(NvmeFdpEvent);
> +
> + if (off >= log_size) {
> + return NVME_INVALID_FIELD | NVME_DNR;
> + }
> +
> trans_len = MIN(log_size - off, buf_len);
> elog = g_malloc0(log_size);
> elog->num_events = cpu_to_le32(ebuf->nelems);
> --
> 2.41.0
>
--
One of us - No more doubt, silence or taboo about mental illness.
signature.asc
Description: PGP signature