nvme: fix oob access issue(CVE-2018-16847)

Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: N Li Qiang <liq3ea@gmail.com> Reviewed-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Li Qiang <liq3ea@gmail.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>

nvme: fix oob access issue(CVE-2018-16847)
Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: N Li Qiang <liq3ea@gmail.com> Reviewed-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Li Qiang <liq3ea@gmail.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>
5e3c0220 · Li Qiang · Kevin Wolf · 9436e082 · 5e3c0220
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

hw/block/nvme.c hw/block/nvme.c +7 -0

未找到文件。
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
    unsigned size)
 {
    NvmeCtrl *n = (NvmeCtrl *)opaque;
+
+    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+        return;
+    }
    memcpy(&n->cmbuf[addr], &data, size);
 }

@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
    uint64_t val;
    NvmeCtrl *n = (NvmeCtrl *)opaque;

+    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+        return 0;
+    }
    memcpy(&val, &n->cmbuf[addr], size);
    return val;
 }