Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
On 9/8/23 15:39, Klaus Jensen wrote:
From: Klaus Jensen
nvme_directive_receive() does not check if an endurance group has been
configured (set) prior to testing if flexible data placement is enabled
or not.
Fix this.
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reviewed-by: Jesper Wendel Devantier
Signed-off-by: Klaus Jensen
---
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index d217ae91b506..e5b5c7034d2b 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n,
NvmeRequest *req)
case NVME_DIRECTIVE_IDENTIFY:
switch (doper) {
case NVME_DIRECTIVE_RETURN_PARAMS:
-if (ns->endgrp->fdp.enabled) {
+if (ns->endgrp && ns->endgrp->fdp.enabled) {
This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer
dereference in nvme_directive_receive"). Were you aware of
the security implications?
Too bad we hadn't committed "Fixes: CVE-2023-40360" as that
would have helped downstream distributions cherry-picking
security fixes ASAP, since our stable is not that frequent.
At least the commit has the 'qemu-sta...@nongnu.org' tag.
id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
24.08.2023 15:44, Philippe Mathieu-Daudé wrote:
..
This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer
dereference in nvme_directive_receive"). Were you aware of
the security implications?
Too bad we hadn't committed "Fixes: CVE-2023-40360" as that
would have helped downstream distributions cherry-picking
security fixes ASAP, since our stable is not that frequent.
https://tracker.debian.org/news/1455443/accepted-qemu-1804dfsg-2-source-into-unstable/
FWIW.
/mjt
Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
On Aug 24 14:44, Philippe Mathieu-Daudé wrote:
> On 9/8/23 15:39, Klaus Jensen wrote:
> > From: Klaus Jensen
> >
> > nvme_directive_receive() does not check if an endurance group has been
> > configured (set) prior to testing if flexible data placement is enabled
> > or not.
> >
> > Fix this.
> >
> > Cc: qemu-sta...@nongnu.org
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
> > Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
> > Reviewed-by: Jesper Wendel Devantier
> > Signed-off-by: Klaus Jensen
> > ---
> > hw/nvme/ctrl.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> > index d217ae91b506..e5b5c7034d2b 100644
> > --- a/hw/nvme/ctrl.c
> > +++ b/hw/nvme/ctrl.c
> > @@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n,
> > NvmeRequest *req)
> > case NVME_DIRECTIVE_IDENTIFY:
> > switch (doper) {
> > case NVME_DIRECTIVE_RETURN_PARAMS:
> > -if (ns->endgrp->fdp.enabled) {
> > +if (ns->endgrp && ns->endgrp->fdp.enabled) {
>
> This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer
> dereference in nvme_directive_receive"). Were you aware of
> the security implications?
>
Yes, but I was not aware of the CVE being assigned at the time. I don't
think it was?
But if what you are saying is that it was my responsibility as
maintainer, to get that reported and assigned, then I apologies and will
of course keep that in mind going forward!
signature.asc
Description: PGP signature
