Branch: refs/heads/staging
Home: https://github.com/qemu/qemu

Commit: ecb1b7b082d3b7dceff0e486a114502fc52c0fdf
https://github.com/qemu/qemu/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf
Author: Klaus Jensen <k.jen...@samsung.com>
Date: 2023-08-07 (Mon, 07 Aug 2023)

Changed paths:
M hw/nvme/ctrl.c

Log Message:
-----------
hw/nvme: fix oob memory read in fdp events log

As reported by Trend Micro's Zero Day Initiative, an oob memory read vulnerability exists in nvme_fdp_events(). The host-provided offset is not verified. Fix this.

This is only exploitable when Flexible Data Placement mode (fdp=on) is enabled.

Fixes: CVE-2023-4135
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>

Commit: 6a33f2e920ec0b489a77200888e3692664077f2d
https://github.com/qemu/qemu/commit/6a33f2e920ec0b489a77200888e3692664077f2d
Author: Klaus Jensen <k.jen...@samsung.com>
Date: 2023-08-07 (Mon, 07 Aug 2023)

Changed paths:
M hw/nvme/ctrl.c
M hw/nvme/nvme.h
M hw/nvme/trace-events

Log Message:
-----------
hw/nvme: fix compliance issue wrt. iosqes/iocqes

As of prior to this patch, the controller checks the value of CC.IOCQES and CC.IOSQES prior to enabling the controller. As reported by Ben in GitLab issue #1691, this is not spec compliant. The controller should only check these values when queues are created.

This patch moves these checks to nvme_create_cq(). We do not need to check it in nvme_create_sq() since that will error out if the completion queue is not already created.

Also, since the controller exclusively supports SQEs of size 64 bytes and CQEs of size 16 bytes, hard code that.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1691
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>

Commit: e0e5dca517a5964d407f48bdfccbea88113b2736
https://github.com/qemu/qemu/commit/e0e5dca517a5964d407f48bdfccbea88113b2736
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2023-08-07 (Mon, 07 Aug 2023)

Changed paths:
M hw/nvme/ctrl.c
M hw/nvme/nvme.h
M hw/nvme/trace-events

Log Message:
-----------
Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu into staging

hw/nvme fixes

- two fixes for hw/nvme

# gpg: Signature made Mon 07 Aug 2023 04:53:18 AM PDT
# gpg: using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <i...@irrelevant.dk>" [unknown]
# gpg: aka "Klaus Jensen <k.jen...@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468 4272 63D5 6FC5 E55D A838
# Subkey fingerprint: 5228 33AA 75E2 DCE6 A247 66C0 4DE1 AF31 6D4F 0DE9

* tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
  hw/nvme: fix compliance issue wrt. iosqes/iocqes
  hw/nvme: fix oob memory read in fdp events log

Signed-off-by: Richard Henderson <richard.hender...@linaro.org>

Compare: https://github.com/qemu/qemu/compare/d7ebbfc5dbda...e0e5dca517a5
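The first commit above describes the bug class (a host-supplied log page offset used without checking it against the log's size) but not the code. The following is an added, self-contained model of the check such a fix needs; it is not QEMU's nvme_fdp_events() and its struct layout, status values and `fdp_events_read()` name are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed status codes for this example (not NVMe's real encoding). */
enum { LOG_OK = 0, LOG_INVALID_FIELD = 1 };

/* Constructed "FDP events" log page: a small header plus fixed-size entries. */
struct fdp_event { uint8_t type; uint8_t flags; uint16_t pid; uint32_t nsid; };
struct fdp_events_log {
    uint32_t num_events;
    struct fdp_event events[4];
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Copy up to buf_len bytes of the log page, starting at the host-chosen
 * offset, into host_buf. The unchecked pattern the commit fixes is
 * "memcpy(host_buf, (uint8_t *)&log + off, buf_len)" with no comparison of
 * off against sizeof(log): a large off reads memory beyond the log buffer.
 * Here the offset is validated and the transfer length is clamped so that
 * off + trans_len can never exceed the log size.
 */
static int fdp_events_read(uint64_t off, uint32_t buf_len,
                           uint8_t *host_buf, uint32_t *out_len)
{
    struct fdp_events_log log;
    uint32_t log_size = sizeof(log);
    uint32_t trans_len;

    /* Constructed log contents standing in for controller state. */
    memset(&log, 0, sizeof(log));
    log.num_events = 2;
    log.events[0] = (struct fdp_event){ .type = 1, .flags = 0, .pid = 7, .nsid = 1 };
    log.events[1] = (struct fdp_event){ .type = 2, .flags = 1, .pid = 9, .nsid = 1 };

    /* Reject any offset at or beyond the end of the page. */
    if (off >= log_size) {
        *out_len = 0;
        return LOG_INVALID_FIELD;
    }

    /* Clamp: never copy past the end even if the host buffer is larger. */
    trans_len = MIN(log_size - (uint32_t)off, buf_len);
    memcpy(host_buf, (uint8_t *)&log + off, trans_len);
    *out_len = trans_len;
    return LOG_OK;
}
```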