Git Repo - qemu.git/commit
nvme: fix out-of-bounds access to the CMB
author Paolo Bonzini <[email protected]>
Tue, 20 Nov 2018 18:41:48 +0000 (19:41 +0100)
committer Kevin Wolf <[email protected]>
Thu, 22 Nov 2018 15:43:52 +0000 (16:43 +0100)
commit 87ad860c622cc8f8916b5232bd8728c08f938fce
tree 1bece30a0ef19c4dcf943470faa4434282530b9d
parent 6bf7463615752934d7221e5be9820d9da45ab2de
nvme: fix out-of-bounds access to the CMB

Because the CMB BAR has a min_access_size of 2, if you read the last
byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
error.  This is CVE-2018-16847.

Another way to fix this might be to register the CMB as a RAM memory
region, which would also be more efficient.  However, that might be a
change for big-endian machines; I didn't think this through and I don't
know how real hardware works.  Add a basic testcase for the CMB in case
somebody does this change later on.

Cc: Keith Busch <[email protected]>
Cc: [email protected]
Reported-by: Li Qiang <[email protected]>
Reviewed-by: Li Qiang <[email protected]>
Tested-by: Li Qiang <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
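The commit message above describes a read of the CMB's last byte being widened to the region's 2-byte minimum access size, so that two bytes are copied from n->cmbuf and the copy runs one byte past the buffer. The following is an added, self-contained C model of that situation, not QEMU's code and not the change this commit makes: it rounds a guest access up to a minimum width the way the message describes, and shows the bounds check a region read handler needs so that the widened span, rather than the requested size, is what gets compared against the buffer length. The buffer contents, MIN_ACCESS_SIZE, and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not QEMU code): a CMB-like buffer exposed through a
 * BAR whose minimum access width is MIN_ACCESS_SIZE bytes. */
#define MIN_ACCESS_SIZE 2

/* Constructed sample contents standing in for n->cmbuf. */
static const uint8_t SAMPLE_CMB[8] = {0x11, 0x22, 0x33, 0x44,
                                      0x55, 0x66, 0x77, 0x88};
#define SAMPLE_CMB_SIZE (sizeof(SAMPLE_CMB))

/* Round a guest access size up to the region's minimum, as the commit
 * message describes happening for a 1-byte read of the CMB BAR. */
static size_t effective_size(size_t size)
{
    return size < MIN_ACCESS_SIZE ? MIN_ACCESS_SIZE : size;
}

/* Read handler with the check the over-read needs: the *widened* span
 * (addr + effective size) must fit inside cmb_size, otherwise the access
 * is rejected. Returns 0 and stores the value in *out on success, -1 if
 * the access would run past the end of the buffer. Bytes are assembled
 * little-endian explicitly so the result does not depend on host order. */
int cmb_read(const uint8_t *cmbuf, size_t cmb_size,
             uint64_t addr, size_t size, uint64_t *out)
{
    size_t eff = effective_size(size);

    if (eff > sizeof(uint64_t) || addr > cmb_size || eff > cmb_size - addr) {
        return -1; /* widened span would overrun cmbuf: the off-by-one case */
    }

    uint64_t val = 0;
    for (size_t i = 0; i < eff; i++) {
        val |= (uint64_t)cmbuf[addr + i] << (8 * i);
    }
    *out = val;
    return 0;
}

/* A 1-byte read of the last byte is widened to 2 bytes; with the check in
 * place it is rejected instead of reading one byte past the buffer.
 * Returns 1 when rejected, 0 otherwise. */
int last_byte_read_is_rejected(void)
{
    uint64_t v = 0;
    return cmb_read(SAMPLE_CMB, SAMPLE_CMB_SIZE,
                    SAMPLE_CMB_SIZE - 1, 1, &v) == -1;
}

/* A 1-byte read one position earlier is also widened to 2 bytes but still
 * fits, so it succeeds and returns bytes 6 and 7 as 0x8877. */
uint64_t read_byte_six(void)
{
    uint64_t v = 0;
    if (cmb_read(SAMPLE_CMB, SAMPLE_CMB_SIZE, 6, 1, &v) != 0) {
        return UINT64_MAX;
    }
    return v;
}

/* A 4-byte read at offset 0 needs no widening: 0x44332211. */
uint64_t read_dword_at_zero(void)
{
    uint64_t v = 0;
    if (cmb_read(SAMPLE_CMB, SAMPLE_CMB_SIZE, 0, 4, &v) != 0) {
        return UINT64_MAX;
    }
    return v;
}

int main(void)
{
    printf("last byte, 1-byte read rejected: %d\n", last_byte_read_is_rejected());
    printf("offset 6, 1-byte read (widened): 0x%llx\n",
           (unsigned long long)read_byte_six());
    printf("offset 0, 4-byte read: 0x%llx\n",
           (unsigned long long)read_dword_at_zero());
    return 0;
}
```

The point of the model is the comparison in cmb_read: a handler that checks the requested size against the buffer, or relies on the caller having validated it, passes a 1-byte read of the last byte even though the region's minimum access width makes the copy 2 bytes long. Checking the effective size against cmb_size - addr is what catches the off-by-one the commit message describes.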
hw/block/nvme.c
tests/Makefile.include
tests/nvme-test.c