aboutsummaryrefslogtreecommitdiff
path: root/hw/block
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2018-11-20 19:41:48 +0100
committerKevin Wolf <kwolf@redhat.com>2018-11-22 16:43:52 +0100
commit87ad860c622cc8f8916b5232bd8728c08f938fce (patch)
tree1bece30a0ef19c4dcf943470faa4434282530b9d /hw/block
parent6bf7463615752934d7221e5be9820d9da45ab2de (diff)
downloadqemu-87ad860c622cc8f8916b5232bd8728c08f938fce.zip
qemu-87ad860c622cc8f8916b5232bd8728c08f938fce.tar.gz
qemu-87ad860c622cc8f8916b5232bd8728c08f938fce.tar.bz2
nvme: fix out-of-bounds access to the CMB
Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one error. This is CVE-2018-16847. Another way to fix this might be to register the CMB as a RAM memory region, which would also be more efficient. However, that might be a change for big-endian machines; I didn't think this through and I don't know how real hardware works. Add a basic testcase for the CMB in case somebody does this change later on. Cc: Keith Busch <keith.busch@intel.com> Cc: qemu-block@nongnu.org Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Tested-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'hw/block')
-rw-r--r--hw/block/nvme.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 28d2843..8c35cab 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
.write = nvme_cmb_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
- .min_access_size = 2,
+ .min_access_size = 1,
.max_access_size = 8,
},
};