[qemu-xen stable-4.18] hw/nvme: fix oob memory read in fdp events log
commit dd496f92b97a9a2d36f83a91d8adae90ba65465a
Author: Klaus Jensen <k.jensen@xxxxxxxxxxx>
AuthorDate: Thu Aug 3 20:44:23 2023 +0200
Commit: Michael Tokarev <mjt@xxxxxxxxxx>
CommitDate: Sun Sep 10 19:39:41 2023 +0300
hw/nvme: fix oob memory read in fdp events log
As reported by Trend Micro's Zero Day Initiative, an oob memory read
vulnerability exists in nvme_fdp_events(). The host-provided offset is
not verified.
Fix this.
This is only exploitable when Flexible Data Placement mode (fdp=on) is
enabled.
Fixes: CVE-2023-4135
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen <k.jensen@xxxxxxxxxxx>
(cherry picked from commit ecb1b7b082d3b7dceff0e486a114502fc52c0fdf)
Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
---
hw/nvme/ctrl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 812246689c..e16e19ead8 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -5092,6 +5092,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t
endgrpid,
}
log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent);
+
+ if (off >= log_size) {
+ return NVME_INVALID_FIELD | NVME_DNR;
+ }
+
trans_len = MIN(log_size - off, buf_len);
elog = g_malloc0(log_size);
elog->num_events = cpu_to_le32(ebuf->nelems);
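Review bot: The new "off >= log_size" test in nvme_fdp_events() has no comment explaining that off comes from the host and that the "log_size - off" in the MIN() just below is only meaningful once off is known to lie inside the log; a one-line comment above the check would keep a later refactor from moving or dropping it. The placement ahead of g_malloc0(log_size) is right, since the early return then has nothing to free. Please also confirm that rejecting off == log_size with NVME_INVALID_FIELD | NVME_DNR, rather than completing a zero-length transfer, is the intended behaviour at the boundary.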
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.18