[Qemu-devel] [PATCH 2/3] nvme: check size before memcpy

P J P Mon, 22 Oct 2018 05:17:29 -0700

From: Prasad J Pandit <p...@fedoraproject.org>

While in nvme_mmio_read, memcpy could read past the 'n->bar'
buffer, if addr offset was pointing towards its tail end.
Add check to avoid OOB access.


Reported-by: Caihongzhu <caihong...@huawei.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hw/block/nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index fc7dacb816..87afc19b61 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1059,7 +1059,7 @@ static uint64_t nvme_mmio_read(void *opaque, hwaddr addr, 
unsigned size)
         /* should RAZ, fall through for now */
     }
 
-    if (addr < sizeof(n->bar)) {
+    if (addr + size <= sizeof(n->bar)) {
         memcpy(&val, ptr + addr, size);
     } else {
         NVME_GUEST_ERR(nvme_ub_mmiord_invalid_ofs,
-- 
2.17.2

[Qemu-devel] [PATCH 2/3] nvme: check size before memcpy

Reply via email to