From: Klaus Jensen
Subject: [PULL for-6.0 v2 08/10] hw/block/nvme: fix ns attachment out-of-bounds read
Date: Wed, 7 Apr 2021 07:46:33 +0200
From: Klaus Jensen <k.jensen@samsung.com>
nvme_ns_attachment() does not verify the contents of the host-supplied
16 bit "Number of Identifiers" field in the command payload.
Make sure the value is capped at 2047 and fix the out-of-bounds read.
Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command")
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
---
hw/block/nvme.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index d2dd82496790..87891d4d0f3b 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -4920,6 +4920,7 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n,
NvmeRequest *req)
return NVME_NS_CTRL_LIST_INVALID | NVME_DNR;
}
+ *nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1);
for (i = 0; i < *nr_ids; i++) {
ctrl = nvme_subsys_ctrl(n->subsys, ids[i]);
if (!ctrl) {
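Review bot: The added line `*nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1);` silently truncates an oversized host-supplied count, so the command goes on to process the first 2047 identifiers of a list the host declared to be longer instead of failing. The branch just above already returns `NVME_NS_CTRL_LIST_INVALID | NVME_DNR` for a bad list; consider whether a count above the limit should take that same error path, and if clamping is the intended behaviour, say so in a short comment on this line. The comment should also explain the `- 1`, since the link between `NVME_CONTROLLER_LIST_SIZE - 1` and the 2047 cap appears only in the commit message. Note too that the clamp writes through `nr_ids`, so it modifies the stored count rather than a local copy; a local bounded loop limit would leave the payload data as received.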
--
2.31.1