Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
On 9/8/23 15:39, Klaus Jensen wrote: From: Klaus Jensen nvme_directive_receive() does not check if an endurance group has been configured (set) prior to testing if flexible data placement is enabled or not. Fix this. Cc: qemu-sta...@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815 Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") Reviewed-by: Jesper Wendel Devantier Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index d217ae91b506..e5b5c7034d2b 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, NvmeRequest *req) case NVME_DIRECTIVE_IDENTIFY: switch (doper) { case NVME_DIRECTIVE_RETURN_PARAMS: -if (ns->endgrp->fdp.enabled) { +if (ns->endgrp && ns->endgrp->fdp.enabled) { This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer dereference in nvme_directive_receive"). Were you aware of the security implications? Too bad we hadn't committed "Fixes: CVE-2023-40360" as that would have helped downstream distributions cherry-picking security fixes ASAP, since our stable is not that frequent. At least the commit has the 'qemu-sta...@nongnu.org' tag. id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT; id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT; id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
24.08.2023 15:44, Philippe Mathieu-Daudé wrote: .. This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer dereference in nvme_directive_receive"). Were you aware of the security implications? Too bad we hadn't committed "Fixes: CVE-2023-40360" as that would have helped downstream distributions cherry-picking security fixes ASAP, since our stable is not that frequent. https://tracker.debian.org/news/1455443/accepted-qemu-1804dfsg-2-source-into-unstable/ FWIW. /mjt
Re: [PULL 1/2] hw/nvme: fix null pointer access in directive receive
On Aug 24 14:44, Philippe Mathieu-Daudé wrote: > On 9/8/23 15:39, Klaus Jensen wrote: > > From: Klaus Jensen > > > > nvme_directive_receive() does not check if an endurance group has been > > configured (set) prior to testing if flexible data placement is enabled > > or not. > > > > Fix this. > > > > Cc: qemu-sta...@nongnu.org > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815 > > Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") > > Reviewed-by: Jesper Wendel Devantier > > Signed-off-by: Klaus Jensen > > --- > > hw/nvme/ctrl.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c > > index d217ae91b506..e5b5c7034d2b 100644 > > --- a/hw/nvme/ctrl.c > > +++ b/hw/nvme/ctrl.c > > @@ -6900,7 +6900,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, > > NvmeRequest *req) > > case NVME_DIRECTIVE_IDENTIFY: > > switch (doper) { > > case NVME_DIRECTIVE_RETURN_PARAMS: > > -if (ns->endgrp->fdp.enabled) { > > +if (ns->endgrp && ns->endgrp->fdp.enabled) { > > This patch fixes CVE-2023-40360 ("QEMU: NVMe: NULL pointer > dereference in nvme_directive_receive"). Were you aware of > the security implications? > Yes, but I was not aware of the CVE being assigned at the time. I don't think it was? But if what you are saying is that it was my responsibility as maintainer, to get that reported and assigned, then I apologies and will of course keep that in mind going forward! signature.asc Description: PGP signature