Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB
From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB
Date: Thu, 22 Nov 2018 15:54:29 +0100
User-agent: Mutt/1.10.1 (2018-07-13)
On 20.11.2018 at 19:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error. This is CVE-2018-16847.
>
> Another way to fix this might be to register the CMB as a RAM memory
> region, which would also be more efficient. However, that might be a
> change for big-endian machines; I didn't think this through and I don't
> know how real hardware works. Add a basic testcase for the CMB in case
> somebody does this change later on.
>
> Cc: Keith Busch <address@hidden>
> Cc: address@hidden
> Reported-by: Li Qiang <address@hidden>
> Reviewed-by: Li Qiang <address@hidden>
> Tested-by: Li Qiang <address@hidden>
> Signed-off-by: Paolo Bonzini <address@hidden>
Thanks, applied to the block branch and reverted 5e3c0220d7.
Kevin
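The access-widening mechanism described in the quoted commit message, modelled in C as an added example (not QEMU's nvme code and not the patch under discussion). The CMB is reduced to a hypothetical 16-byte buffer with a canary byte standing in for whatever follows the real allocation; `widen_access` stands in for the dispatcher rounding an access up to `min_access_size` (assumed to be 2 here, as in the message), `cmb_read_unchecked` copies the widened size blindly, and `cmb_read_checked` is an illustrative bounds-checked variant, not the fix that was merged:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical CMB model: CMB_SIZE bytes of buffer followed by a canary byte
 * that plays the role of adjacent memory a correct read must never touch.
 * These are not QEMU's structures. */
#define CMB_SIZE       16
#define CMB_MIN_ACCESS 2   /* models the min_access_size of 2 from the message */

struct cmb_model {
    uint8_t buf[CMB_SIZE];
    uint8_t canary;        /* memory just past the end of the buffer */
};

/* Models the memory-region dispatcher widening a narrow access up to
 * min_access_size before calling the device's read callback. */
static unsigned widen_access(unsigned size)
{
    return size < CMB_MIN_ACCESS ? CMB_MIN_ACCESS : size;
}

/* Portable byte extraction from the returned value (memcpy instead of shifts
 * so the checks below do not depend on host endianness). */
uint8_t byte_of(uint64_t v, unsigned i)
{
    uint8_t bytes[sizeof v];
    memcpy(bytes, &v, sizeof v);
    return i < sizeof v ? bytes[i] : 0;
}

/* Vulnerable shape: trusts the widened size and copies blindly. A 1-byte
 * read of the last byte becomes a 2-byte memcpy that runs one byte past
 * buf[], exactly the off-by-one the message describes. */
uint64_t cmb_read_unchecked(struct cmb_model *m, uint64_t addr, unsigned size)
{
    uint64_t val = 0;
    size = widen_access(size);
    memcpy(&val, &m->buf[addr], size);
    return val;
}

/* Bounds-checked variant (illustrative, not the merged fix): validate the
 * widened access against the buffer length before copying. The check is
 * written as size > CMB_SIZE - addr so that addr + size cannot wrap. */
bool cmb_read_checked(struct cmb_model *m, uint64_t addr, unsigned size,
                      uint64_t *out)
{
    uint64_t val = 0;
    size = widen_access(size);
    if (size == 0 || size > sizeof val || addr >= CMB_SIZE ||
        size > CMB_SIZE - addr) {
        *out = 0;
        return false;
    }
    memcpy(&val, &m->buf[addr], size);
    *out = val;
    return true;
}

/* Sets up a constructed buffer and returns true if a 1-byte read of the
 * last CMB byte through the unchecked path exposes the canary. */
bool demo_leaks_canary(void)
{
    struct cmb_model m;
    memset(m.buf, 0x11, sizeof m.buf);
    m.canary = 0xAB;
    uint64_t v = cmb_read_unchecked(&m, CMB_SIZE - 1, 1);
    /* byte 0 is buf[15]; byte 1 is whatever followed the buffer */
    return byte_of(v, 1) == 0xAB;
}

int main(void)
{
    struct cmb_model m;
    uint64_t out;
    memset(m.buf, 0x11, sizeof m.buf);
    m.canary = 0xAB;
    printf("unchecked read of last byte leaks canary: %s\n",
           demo_leaks_canary() ? "yes" : "no");
    printf("checked read of last byte accepted: %s\n",
           cmb_read_checked(&m, CMB_SIZE - 1, 1, &out) ? "yes" : "no");
    return 0;
}
```

The unchecked path reproduces the described behaviour on any host: the widened 2-byte copy pulls in the byte after the buffer, which in a real device model would be heap memory a guest can then read back through the BAR. The checked path rejects the widened access rather than silently truncating it, so a guest cannot use the last in-bounds offset to probe what lies beyond the allocation.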