Ping... what's the status of this patch? I see Kevin's new PR doesn't contain this patch.
Thanks,
Li Qiang

Li Qiang <liq...@gmail.com> wrote on Fri, Nov 2, 2018 at 9:22 AM:
> Currently, the nvme_cmb_ops mr doesn't check the addr and size.
> This can lead to an oob access issue. This is triggerable in the guest.
> Add a check to avoid this issue.
>
> Fixes CVE-2018-16847.
>
> Reported-by: Li Qiang <liq...@gmail.com>
> Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>
> Signed-off-by: Li Qiang <liq...@gmail.com>
> ---
> hw/block/nvme.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/block/nvme.c b/hw/block/nvme.c
> index fc7dacb..d097add 100644
> --- a/hw/block/nvme.c
> +++ b/hw/block/nvme.c
> @@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr
> addr, uint64_t data,
> unsigned size)
> {
> NvmeCtrl *n = (NvmeCtrl *)opaque;
> +
> + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
> + return;
> + }
> memcpy(&n->cmbuf[addr], &data, size);
> }
>
> @@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr
> addr, unsigned size)
> uint64_t val;
> NvmeCtrl *n = (NvmeCtrl *)opaque;
>
> + if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
> + return 0;
> + }
> memcpy(&val, &n->cmbuf[addr], size);
> return val;
> }
> --
> 1.8.3.1
>
>
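Review bot: the rejected write in nvme_cmb_write is dropped silently at the new `return;`, so a guest (or a fuzzer) that trips the check leaves no trace; log it first, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "nvme: CMB write out of range addr=0x%"HWADDR_PRIx" size=%u\n", addr, size);`. The same `addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)` expression is repeated verbatim in nvme_cmb_read; a small static helper keeps the two from drifting apart. The comparison itself is the right one: it rejects an access that starts inside the buffer but would run past its end, which a bare `addr >= size` test would miss.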
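Review bot: while touching nvme_cmb_read, initialise `uint64_t val = 0;`: the memcpy fills only `size` bytes of it, so for accesses narrower than 8 bytes the high bytes of the returned value are uninitialised stack. The new early return also makes an out-of-range read indistinguishable from a genuine zero stored in the CMB; a qemu_log_mask(LOG_GUEST_ERROR, ...) before `return 0;` gives the guest error a visible signature.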