Message ID | 20230803184422.27521-2-its@irrelevant.dk |
---|---|
State | New |
Series | hw/nvme: fix oob memory read in fdp events log |
+CC qemu-stable On Aug 3 20:44, Klaus Jensen wrote: > From: Klaus Jensen <k.jensen@samsung.com> > > As reported by Trend Micro's Zero Day Initiative, an oob memory read > vulnerability exists in nvme_fdp_events(). The host-provided offset is > not verified. > > Fix this. > > This is only exploitable when Flexible Data Placement mode (fdp=on) is > enabled. > > Fixes: CVE-2023-4135 > Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") > Reported-by: Trend Micro's Zero Day Initiative > Signed-off-by: Klaus Jensen <k.jensen@samsung.com> > --- > hw/nvme/ctrl.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c > index f2e5a2fa737b..e9b5a55811b8 100644 > --- a/hw/nvme/ctrl.c > +++ b/hw/nvme/ctrl.c > @@ -5120,6 +5120,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t endgrpid, > } > > log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent); > + > + if (off >= log_size) { > + return NVME_INVALID_FIELD | NVME_DNR; > + } > + > trans_len = MIN(log_size - off, buf_len); > elog = g_malloc0(log_size); > elog->num_events = cpu_to_le32(ebuf->nelems); > -- > 2.41.0 >
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index f2e5a2fa737b..e9b5a55811b8 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -5120,6 +5120,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t endgrpid, } log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent); + + if (off >= log_size) { + return NVME_INVALID_FIELD | NVME_DNR; + } + trans_len = MIN(log_size - off, buf_len); elog = g_malloc0(log_size); elog->num_events = cpu_to_le32(ebuf->nelems);
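Review bot: the new `off >= log_size` bound at the top of the hunk rejects a request with `off == log_size` as `NVME_INVALID_FIELD | NVME_DNR` rather than completing it as a zero-length transfer; confirm that this matches how the other log-page handlers in ctrl.c treat an offset equal to the log length so the behaviour stays consistent across log pages. Since the check exists to keep `log_size - off` from wrapping in the following `trans_len = MIN(log_size - off, buf_len);` line (which is what let the later copy read past the `g_malloc0(log_size)` allocation), a one-line comment above the `if` stating that intent would help the next reader understand why the check sits between the `log_size` computation and the `trans_len` computation.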