hw/nvme: fix oob memory read in fdp events log
As reported by Trend Micro's Zero Day Initiative, an oob memory read
vulnerability exists in nvme_fdp_events(). The host-provided offset is
not verified.
Fix this.
This is only exploitable when Flexible Data Placement mode (fdp=on) is
enabled.
Fixes: CVE-2023-4135
Fixes: 73064edfb8
("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
This commit is contained in:
parent
9400601a68
commit
ecb1b7b082
@ -5120,6 +5120,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_t endgrpid,
|
||||
}
|
||||
|
||||
log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent);
|
||||
|
||||
if (off >= log_size) {
|
||||
return NVME_INVALID_FIELD | NVME_DNR;
|
||||
}
|
||||
|
||||
trans_len = MIN(log_size - off, buf_len);
|
||||
elog = g_malloc0(log_size);
|
||||
elog->num_events = cpu_to_le32(ebuf->nelems);
|
||||
|
Loading…
Reference in New Issue
Block a user