Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)
Date: Wed, 14 Nov 2018 16:44:21 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0
On 14/11/2018 02:38, Li Qiang wrote:
>
> Paolo Bonzini <address@hidden> wrote on Wed, 14 Nov 2018 at 02:27:
>
> On 13/11/2018 11:17, Kevin Wolf wrote:
> > On 13.11.2018 at 02:45, Li Qiang wrote:
> >> Ping.... what's the status of this patch?
> >>
> >> I see Kevin's new pr doesn't contain this patch.
> >
> > Oh, I thought you said that you wanted to fix this at a higher level so
> > that the problem is caught before even getting into nvme code? If you
> > don't, I can apply the patch for my next pull request.
>
> As far as I know the bug doesn't exist. Li Qiang, if you have a
> reproducer please send it.
>
>
> Hello Paolo,
> Though I've sent the debug information and ASAN output in the mail to
> address@hidden, I'm glad to provide it here.
> This is for read; I think the write is the same, but as the PoC is in
> userspace, the mmap can only map the exact size of the MMIO,
> so we can only write within the area. But if we use a module we can
> write outside of the MMIO, I think.
> The nvme device's parameter should be set as 'cmb_size_mb=2' and the PCI
> address may differ in your system.
Ok, thanks. I've created a reproducer using qtest (though I have to run
now and cannot post it properly).
The patch for the fix is simply:
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb816..6385033af3 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
.write = nvme_cmb_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
- .min_access_size = 2,
+ .min_access_size = 1,
.max_access_size = 8,
},
};
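Review bot: the commit message for this one-line change should spell out why impl.min_access_size has to be 1: with the value 2, the residual 1-byte chunk the memory core hands the region for a 32-bit access starting at offset 2097151 (the last byte of a cmb_size_mb=2 CMB) is rounded up to a 2-byte access, so the callback is invoked with a window that ends one byte past the region. The hunk leaves the callbacks themselves untouched, so also state whether nvme_cmb_write (the .write callback in the surrounding context) performs its own addr+size check against the CMB size, and attach the qtest reproducer mentioned above as a regression test so the access-size adjustment cannot regress silently.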
The memory subsystem _is_ recognizing the out-of-bounds 32-bit access,
but because min_access_size=2 it sends down a write at offset 2097151
and size 2.
Paolo
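The splitting Paolo describes, worked through as an added example that is not QEMU's own memory.c and not code from this thread: a simplified C model of the two steps the memory core applies to a guest access (clamp to the bytes that fall inside the region, then widen to impl.min_access_size), run for a 4-byte access at the last byte of a cmb_size_mb=2 CMB with the value before and after the patch. The struct, function names and the defensive cmb_write_checked callback are this example's own; the MAX(MIN(size, max), min) rule is the assumption it models.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the CMB of a device started with cmb_size_mb=2. */
#define CMB_SIZE (2u * 1024u * 1024u)

/* Stand-in for the two MemoryRegionOps.impl fields that matter here
 * (field names follow QEMU, the struct is this example's own). */
struct impl_ops {
    unsigned min_access_size;
    unsigned max_access_size;
};

static const struct impl_ops cmb_impl_before = { 2, 8 };  /* value in the tree */
static const struct impl_ops cmb_impl_after  = { 1, 8 };  /* value with the patch */

/* Step 1 (address-space layer, modelled): a region is only handed the bytes
 * that fall inside it, bounded by the address alignment and rounded down to
 * a power of two.  A 4-byte access at CMB_SIZE-1 leaves exactly 1 byte. */
static unsigned bytes_for_region(uint64_t addr, unsigned size, uint64_t region_size)
{
    if (addr >= region_size)
        return 0;                          /* never dispatched to this region */
    uint64_t left = region_size - addr;
    unsigned l = left < size ? (unsigned)left : size;
    uint64_t align = addr & (~addr + 1);   /* largest power of two dividing addr */
    if (align != 0 && align < l)
        l = (unsigned)align;
    unsigned p = 1;                        /* pow2floor */
    while (p * 2 <= l)
        p *= 2;
    return p;
}

/* Step 2 (region dispatcher, modelled): the chunk is capped at
 * impl.max_access_size and widened to impl.min_access_size,
 * i.e. MAX(MIN(size, max), min).  This is where 1 byte becomes 2. */
static unsigned adjusted_size(unsigned size, const struct impl_ops *impl)
{
    unsigned min = impl->min_access_size ? impl->min_access_size : 1;
    unsigned max = impl->max_access_size ? impl->max_access_size : 4;
    unsigned s = size < max ? size : max;
    return s > min ? s : min;
}

/* Size the .read/.write callback is invoked with; 0 if the access never
 * reaches the region at all. */
unsigned callback_size(uint64_t addr, unsigned size, const struct impl_ops *impl)
{
    unsigned l = bytes_for_region(addr, size, CMB_SIZE);
    return l ? adjusted_size(l, impl) : 0;
}

/* True when the callback would touch a byte beyond the end of the CMB. */
bool callback_overruns(uint64_t addr, unsigned size, const struct impl_ops *impl)
{
    unsigned s = callback_size(addr, size, impl);
    return s != 0 && addr + s > CMB_SIZE;
}

/* Defensive callback (this example's own): a device should not rely on the
 * core's rounding.  Refuses any window that crosses the buffer end. */
bool cmb_write_checked(uint8_t *cmb, uint64_t cmb_size, uint64_t addr,
                       uint64_t data, unsigned size)
{
    if (size > sizeof data || addr > cmb_size || size > cmb_size - addr)
        return false;
    memcpy(cmb + addr, &data, size);       /* host-endian; a model only */
    return true;
}

int main(void)
{
    uint64_t addr = CMB_SIZE - 1;          /* 2097151, the last byte of the CMB */
    printf("min_access_size=2: callback size %u, overruns=%d\n",
           callback_size(addr, 4, &cmb_impl_before),
           callback_overruns(addr, 4, &cmb_impl_before));
    printf("min_access_size=1: callback size %u, overruns=%d\n",
           callback_size(addr, 4, &cmb_impl_after),
           callback_overruns(addr, 4, &cmb_impl_after));
    return 0;
}
```

With the pre-patch value the model reproduces the report exactly: the callback receives offset 2097151 with size 2, one byte past a 2 MiB region; with min_access_size=1 the same guest access arrives as a 1-byte window that stays in bounds. cmb_write_checked shows the check a device callback can add so that it is safe regardless of what the core's rounding delivers.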