nvme: fix oob access issue(CVE-2018-16847)
Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
parent
9436e082de
commit
5e3c0220d7
@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
unsigned size)
|
||||
{
|
||||
NvmeCtrl *n = (NvmeCtrl *)opaque;
|
||||
|
||||
if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
|
||||
return;
|
||||
}
|
||||
memcpy(&n->cmbuf[addr], &data, size);
|
||||
}
|
||||
|
||||
@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
|
||||
uint64_t val;
|
||||
NvmeCtrl *n = (NvmeCtrl *)opaque;
|
||||
|
||||
if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
|
||||
return 0;
|
||||
}
|
||||
memcpy(&val, &n->cmbuf[addr], size);
|
||||
return val;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user