authorRichard Henderson <richard.henderson@linaro.org>2021-11-19 11:01:46 +0100
committerRichard Henderson <richard.henderson@linaro.org>2021-11-19 11:01:46 +0100
commit9c25e1db18d872cbab3f028f93db37931dbc6ae2 (patch)
treeade57d02097d43ea1f5a1082fe6b2a9ebb91712a /hw/nvme/ctrl.c
parent3760a04c352f8d255b247211f6da07ac99f1630a (diff)
parente2c57529c9306e4c9aac75d9879f6e7699584a22 (diff)
Merge tag 'nvme-fixes-for-6.2-pull-request' of git://git.infradead.org/qemu-nvme into staging
hw/nvme fixes

* Fix CVE-2021-3947
* Controller hotplugging fixes

# gpg: Signature made Fri 19 Nov 2021 08:59:03 AM CET
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* tag 'nvme-fixes-for-6.2-pull-request' of git://git.infradead.org/qemu-nvme:
  hw/nvme: fix buffer overrun in nvme_changed_nslist (CVE-2021-3947)
  hw/nvme: change nvme-ns 'shared' default
  hw/nvme: reattach subsystem namespaces on hotplug

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Diffstat (limited to 'hw/nvme/ctrl.c')
-rw-r--r--hw/nvme/ctrl.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 6a571d18cf..5f573c417b 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4168,6 +4168,11 @@ static uint16_t nvme_changed_nslist(NvmeCtrl *n, uint8_t rae, uint32_t buf_len,
     int i = 0;
     uint32_t nsid;
 
+    if (off >= sizeof(nslist)) {
+        trace_pci_nvme_err_invalid_log_page_offset(off, sizeof(nslist));
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
     memset(nslist, 0x0, sizeof(nslist));
     trans_len = MIN(sizeof(nslist) - off, buf_len);