Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
qemu.9337
0090-nvme-fix-oob-access-issue-CVE-2018-.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0090-nvme-fix-oob-access-issue-CVE-2018-.patch of Package qemu.9337
From 3b187995225fdfb2535e4a01a0d8f5e27e29c2ad Mon Sep 17 00:00:00 2001 From: Li Qiang <liq3ea@gmail.com> Date: Mon, 5 Nov 2018 13:37:31 -0700 Subject: [PATCH] nvme: fix oob access issue(CVE-2018-16847) Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Li Qiang <liq3ea@gmail.com> [BR: BSC#1114529 CVE-2018-16847] Signed-off-by: Bruce Rogers <brogers@suse.com> --- hw/block/nvme.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index 441e21ed1f..7979b93ea3 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -898,6 +898,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data, unsigned size) { NvmeCtrl *n = (NvmeCtrl *)opaque; + + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) { + return; + } memcpy(&n->cmbuf[addr], &data, size); } @@ -906,6 +910,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size) uint64_t val; NvmeCtrl *n = (NvmeCtrl *)opaque; + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) { + return 0; + } memcpy(&val, &n->cmbuf[addr], size); return val; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor