aboutsummaryrefslogtreecommitdiff
path: root/hw/block
diff options
context:
space:
mode:
authorLi Qiang <liq3ea@gmail.com>2018-11-01 18:22:43 -0700
committerKevin Wolf <kwolf@redhat.com>2018-11-19 12:51:16 +0100
commit5e3c0220d7e4f0361c4d36c697a8842f2b583402 (patch)
tree0b640cc5db681adc5ee152ac0d35b1054573da63 /hw/block
parent9436e082de18b2fb2ceed2e9d1beef641ae64f23 (diff)
nvme: fix oob access issue(CVE-2018-16847)
Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'hw/block')
-rw-r--r--hw/block/nvme.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 09d7c90259..d0226e7fdc 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
NvmeCtrl *n = (NvmeCtrl *)opaque;
+
+ if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+ return;
+ }
memcpy(&n->cmbuf[addr], &data, size);
}
@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
uint64_t val;
NvmeCtrl *n = (NvmeCtrl *)opaque;
+ if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+ return 0;
+ }
memcpy(&val, &n->cmbuf[addr], size);
return val;
}