nvme: fix leak of uninitialized memory in io_mgmt_recv

Michael Tokarev Fri, 06 Sep 2024 00:06:41 -0700

From: Klaus Jensen <k.jen...@samsung.com>

Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
NVMe emulation that leaks contents of an uninitialized heap buffer if
subsystem and FDP emulation are enabled.


Cc: qemu-sta...@nongnu.org
Reported-by: Yutaro Shimizu <shim...@cyberdefense.jp>
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>
(cherry picked from commit 6a22121c4f25b181e99479f65958ecde65da1c92)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 1fa117fdff..ca54c250b2 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4302,7 +4302,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, 
NvmeRequest *req,
 
     nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
     trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
-    buf = g_malloc(trans_len);
+    buf = g_malloc0(trans_len);
 
     trans_len = MIN(trans_len, len);
 
-- 
2.39.2

[Stable-8.2.7 50/53] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv

Reply via email to