Commit 5e3c0220 authored by Li Qiang's avatar Li Qiang Committed by Kevin Wolf

nvme: fix oob access issue(CVE-2018-16847)

Currently, the nvme_cmb_ops mr doesn't check the addr and size.
This can lead to an OOB access issue. This is triggerable in the guest.
Add a check to avoid this issue.

Fixes CVE-2018-16847.

Reported-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
parent 9436e082
+7 −0
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
    unsigned size)
{
    NvmeCtrl *n = (NvmeCtrl *)opaque;

    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
        return;
    }
    memcpy(&n->cmbuf[addr], &data, size);
}
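Review bot: the new check in nvme_cmb_write is written as `addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)`, and a sum of a 64-bit `addr` and `size` can in principle wrap around and slip past the comparison; a subtraction form that cannot overflow, such as `if (addr >= limit || size > limit - addr) { return; }` with `limit` computed once from `NVME_CMBSZ_GETSIZE(n->bar.cmbsz)`, is easier to audit and closes that corner case. Consider also emitting a trace or guest-error log on the rejected write instead of a silent `return`: a guest that reaches this path is writing outside the CMB, which is exactly the event an operator would want to see in the logs.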

@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
    uint64_t val;
    NvmeCtrl *n = (NvmeCtrl *)opaque;

    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
        return 0;
    }
    memcpy(&val, &n->cmbuf[addr], size);
    return val;
}
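Review bot: in nvme_cmb_read the `uint64_t val;` is only partially written by `memcpy(&val, &n->cmbuf[addr], size)` when `size` is less than 8, so the returned value carries uninitialized upper bytes; initialize it with `uint64_t val = 0;`. The bounds expression is also now duplicated verbatim between the read and write paths; factoring it into one small helper (for example `nvme_cmb_in_bounds(n, addr, size)`) keeps the two checks from drifting apart and gives a single place to switch to the overflow-safe `addr >= limit || size > limit - addr` form. Returning 0 for an out-of-range read is indistinguishable from a legitimate zero, so a trace point here would help detection as well.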