On 9/8/23 15:39, Klaus Jensen wrote:
From: Klaus Jensen <k.jen...@samsung.com>

nvme_directive_receive() does not check if an endurance group has been
configured (set) prior to testing if flexible data placement is enabled
or not.

Fix this.

Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reviewed-by: Jesper Wendel Devantier <j.devant...@samsung.com>
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>
---
  hw/nvme/ctrl.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index d217ae91b506..e5b5c7034d2b 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, 
NvmeRequest *req)
      case NVME_DIRECTIVE_IDENTIFY:
          switch (doper) {
          case NVME_DIRECTIVE_RETURN_PARAMS:
-            if (ns->endgrp->fdp.enabled) {
+            if (ns->endgrp && ns->endgrp->fdp.enabled) {

This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer
dereference in nvme_directive_receive"). Were you aware of
the security implications?

Too bad we hadn't committed "Fixes: CVE-2023-40360" as that
would have helped downstream distributions cherry-picking
security fixes ASAP, since our stable is not that frequent.
At least the commit has the 'qemu-sta...@nongnu.org' tag.

                  id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
                  id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
                  id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
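Review bot: The guard `if (ns->endgrp && ns->endgrp->fdp.enabled)` correctly short-circuits before the dereference, but nothing in the hunk records why `ns->endgrp` can be NULL at this point (a namespace that was never assigned to an endurance group, per the commit message); a one-line comment above the check would spare the next reader a trip to the history. Since the reply identifies this as CVE-2023-40360, the trailers would also benefit from a `Fixes: CVE-2023-40360` line alongside the qemu-stable Cc so downstream backports can locate it by identifier.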

