From: Prasad J Pandit <p...@fedoraproject.org>

While in nvme_mmio_read, memcpy could read past the 'n->bar' buffer, if addr offset was pointing towards its tail end. Add check to avoid OOB access.
Reported-by: Caihongzhu <caihong...@huawei.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/block/nvme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index fc7dacb816..87afc19b61 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -1059,7 +1059,7 @@ static uint64_t nvme_mmio_read(void *opaque, hwaddr addr, unsigned size) /* should RAZ, fall through for now */ } - if (addr < sizeof(n->bar)) { + if (addr + size <= sizeof(n->bar)) { memcpy(&val, ptr + addr, size); } else { NVME_GUEST_ERR(nvme_ub_mmiord_invalid_ofs, -- 2.17.2
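Review bot: the new bound `addr + size <= sizeof(n->bar)` closes the gap left by `addr < sizeof(n->bar)` (an in-range `addr` with a `size` that runs past the end of `n->bar` was still copied), but the else branch still reports `nvme_ub_mmiord_invalid_ofs`, which reads as an invalid-offset error; a read whose offset is valid but whose width overshoots now takes that branch too, so a short comment above the check (or a distinct error for the oversized-width case) would make the intent clear to the next reader. Since `addr` is a `hwaddr` and `size` is the access width, the sum cannot wrap for offsets inside an MMIO region, so the arithmetic itself is safe. The write side of this device is not part of the hunk; does it carry the same `addr + size` bound, or does it need the same fix?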