git.ipfire.org Git - thirdparty/qemu.git/commit
nvme: fix out-of-bounds access to the CMB
author: Paolo Bonzini <pbonzini@redhat.com>
  Tue, 20 Nov 2018 18:41:48 +0000 (19:41 +0100)
committer: Michael Roth <mdroth@linux.vnet.ibm.com>
  Tue, 2 Apr 2019 01:36:21 +0000 (20:36 -0500)
commit: e49f868dc0d6e7b56fe50bc592ace1c222dd647b
tree: e842e17c6f6e1ab4bdece47610148f2636cc0c79
parent: 2c4f6cabf53bd87b7783909103364b035bc13300
nvme: fix out-of-bounds access to the CMB

Because the CMB BAR has a min_access_size of 2, if you read the last
byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
error.  This is CVE-2018-16847.

Another way to fix this might be to register the CMB as a RAM memory
region, which would also be more efficient.  However, that might be a
change for big-endian machines; I didn't think this through and I don't
know how real hardware works.  Add a basic testcase for the CMB in case
somebody does this change later on.

Cc: Keith Busch <keith.busch@intel.com>
Cc: qemu-block@nongnu.org
Reported-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 87ad860c622cc8f8916b5232bd8728c08f938fce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/block/nvme.c
tests/Makefile.include
tests/nvme-test.c
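The off-by-one the commit message describes, modelled as an added example (not QEMU's code and not the patch itself): the memory core widens a 1-byte guest read to the region's min_access_size of 2 before the device callback runs, so an unchecked memcpy from the last byte reaches one byte past the buffer; the hardened handler rejects any access that does not fit. The cmb_* names and the 16-byte buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t hwaddr;
#define CMB_LEN 16                  /* constructed size, stands in for the CMB */
static uint8_t cmb_buf[CMB_LEN];    /* stands in for n->cmbuf */

/* The memory core rounds a guest access narrower than min_access_size up
 * to that size before calling the device's .read callback. */
unsigned effective_size(unsigned requested, unsigned min_access_size)
{
    return requested < min_access_size ? min_access_size : requested;
}

/* True when an unchecked memcpy(&val, &buf[addr], size) would read past the
 * end of a buf_len-byte buffer. Computed, not performed, so the example never
 * touches out-of-bounds memory; the subtraction form avoids addr+size overflow. */
int unchecked_read_overruns(hwaddr addr, unsigned size, size_t buf_len)
{
    return size > buf_len || addr > buf_len - size;
}

/* Hardened handler: refuse any access that does not fit in the buffer.
 * Returns 0 and fills *val on success, -1 on an out-of-range access.
 * Bytes are copied host-endian into val, a simplification for this model. */
int cmb_read_checked(hwaddr addr, unsigned size, uint64_t *val)
{
    if (size > sizeof(*val) || unchecked_read_overruns(addr, size, CMB_LEN)) {
        return -1;
    }
    *val = 0;
    memcpy(val, &cmb_buf[addr], size);
    return 0;
}

int main(void)
{
    uint64_t v;
    /* Guest reads the last byte; a min_access_size of 2 widens it. */
    unsigned sz = effective_size(1, 2);
    printf("widened to %u bytes, unchecked overrun=%d\n", sz,
           unchecked_read_overruns(CMB_LEN - 1, sz, CMB_LEN));
    printf("checked read at last byte returns %d\n",
           cmb_read_checked(CMB_LEN - 1, sz, &v));
    return 0;
}
```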