motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-28 12:32:05 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

hw/nvme: fix oob memory read in fdp events log

Browse source 
As reported by Trend Micro's Zero Day Initiative, an oob memory read
vulnerability exists in nvme_fdp_events(). The host-provided offset is
not verified.

Fix this.

This is only exploitable when Flexible Data Placement mode (fdp=on) is
enabled.

Fixes: CVE-2023-4135
Fixes: 73064edfb8 ("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit ecb1b7b082)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
Klaus Jensen 2023-08-03 20:44:23 +02:00 committed by Michael Tokarev
parent a11a2007a5
commit dd496f92b9
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hw/nvme/ctrl.c
View file

@ -5092,6 +5092,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t endgrpid,
}
log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent);
if (off >= log_size) {
return NVME_INVALID_FIELD | NVME_DNR;
}
trans_len = MIN(log_size - off, buf_len);
elog = g_malloc0(log_size);
elog->num_events = cpu_to_le32(ebuf->nelems);