Google Git
Sign in
android / trusty / external / qemu / 87ad860c622cc8f8916b5232bd8728c08f938fce
commit87ad860c622cc8f8916b5232bd8728c08f938fce[log] [tgz]
authorPaolo Bonzini <pbonzini@redhat.com>Tue Nov 20 19:41:48 2018 +0100
committerKevin Wolf <kwolf@redhat.com>Thu Nov 22 16:43:52 2018 +0100
tree1bece30a0ef19c4dcf943470faa4434282530b9d
parent6bf7463615752934d7221e5be9820d9da45ab2de [diff]
nvme: fix out-of-bounds access to the CMB

Because the CMB BAR has a min_access_size of 2, if you read the last
byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
error.  This is CVE-2018-16847.

Another way to fix this might be to register the CMB as a RAM memory
region, which would also be more efficient.  However, that might be a
change for big-endian machines; I didn't think this through and I don't
know how real hardware works.  Add a basic testcase for the CMB in case
somebody does this change later on.

Cc: Keith Busch <keith.busch@intel.com>
Cc: qemu-block@nongnu.org
Reported-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
3 files changed
tree: 1bece30a0ef19c4dcf943470faa4434282530b9d
  1. accel/
  2. audio/
  3. backends/
  4. block/
  5. bsd-user/
  6. chardev/
  7. contrib/
  8. crypto/
  9. default-configs/
  10. disas/
  11. docs/
  12. fpu/
  13. fsdev/
  14. gdb-xml/
  15. hw/
  16. include/
  17. io/
  18. libdecnumber/
  19. linux-headers/
  20. linux-user/
  21. migration/
  22. nbd/
  23. net/
  24. pc-bios/
  25. po/
  26. qapi/
  27. qga/
  28. qobject/
  29. qom/
  30. replay/
  31. roms/
  32. scripts/
  33. scsi/
  34. slirp/
  35. stubs/
  36. target/
  37. tcg/
  38. tests/
  39. trace/
  40. ui/
  41. util/
  42. capstone
  43. dtc
  44. .dir-locals.el
  45. .editorconfig
  46. .exrc
  47. .gdbinit
  48. .gitignore
  49. .gitmodules
  50. .gitpublish
  51. .mailmap
  52. .shippable.yml
  53. .travis.yml
  54. arch_init.c
  55. balloon.c
  56. block.c
  57. blockdev-nbd.c
  58. blockdev.c
  59. blockjob.c
  60. bootdevice.c
  61. bt-host.c
  62. bt-vhci.c
  63. Changelog
  64. CODING_STYLE
  65. configure
  66. COPYING
  67. COPYING.LIB
  68. cpus-common.c
  69. cpus.c
  70. device-hotplug.c
  71. device_tree.c
  72. disas.c
  73. dma-helpers.c
  74. dump.c
  75. exec.c
  76. gdbstub.c
  77. HACKING
  78. hmp-commands-info.hx
  79. hmp-commands.hx
  80. hmp.c
  81. hmp.h
  82. ioport.c
  83. iothread.c
  84. job-qmp.c
  85. job.c
  86. LICENSE
  87. MAINTAINERS
  88. Makefile
  89. Makefile.objs
  90. Makefile.target
  91. memory.c
  92. memory_ldst.inc.c
  93. memory_mapping.c
  94. module-common.c
  95. monitor.c
  96. numa.c
  97. os-posix.c
  98. os-win32.c
  99. qdev-monitor.c
  100. qdict-test-data.txt
  101. qemu-bridge-helper.c
  102. qemu-deprecated.texi
  103. qemu-doc.texi
  104. qemu-edid.c
  105. qemu-ga.texi
  106. qemu-img-cmds.hx
  107. qemu-img.c
  108. qemu-img.texi
  109. qemu-io-cmds.c
  110. qemu-io.c
  111. qemu-keymap.c
  112. qemu-nbd.c
  113. qemu-nbd.texi
  114. qemu-option-trace.texi
  115. qemu-options-wrapper.h
  116. qemu-options.h
  117. qemu-options.hx
  118. qemu-seccomp.c
  119. qemu-tech.texi
  120. qemu.nsi
  121. qemu.sasl
  122. qmp.c
  123. qtest.c
  124. README
  125. replication.c
  126. replication.h
  127. rules.mak
  128. thunk.c
  129. tpm.c
  130. trace-events
  131. VERSION
  132. version.rc
  133. vl.c
  134. win_dump.c
  135. win_dump.h