qemu-stable

From: Philippe Mathieu-Daudé
Subject: Re: [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
Date: Tue, 20 Aug 2024 12:30:43 +0200
User-agent: Mozilla Thunderbird

Hi Klaus,

On 20/8/24 06:45, Klaus Jensen wrote:
From: Klaus Jensen <k.jensen@samsung.com>

Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
NVMe emulation that leaks contents of an uninitialized heap buffer if
subsystem and FDP emulation are enabled.

Was this patch posted on the list for review?

Usually we log backtraces and reproducers here.

Which fields are leaked?

Let's avoid the proven unsafe security by obscurity.

Cc: qemu-stable@nongnu.org
Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
  hw/nvme/ctrl.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index c6d4f61a47f9..9f277b81d83c 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, 
NvmeRequest *req,
nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
      trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
-    buf = g_malloc(trans_len);
+    buf = g_malloc0(trans_len);
trans_len = MIN(trans_len, len);
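Review bot: the one-line switch from `g_malloc` to `g_malloc0` closes the info leak by zero-filling the buffer, but neither the hunk nor the commit message says which bytes of the NvmeRuhStatus header or the NvmeRuhStatusDescr entries were left unwritten, so a reader cannot tell whether zero is the spec-correct value for those fields or merely a safe default; the commit message should name the fields and the condition (subsystem plus FDP emulation enabled) under which they were reached. Note also that `buf = g_malloc0(trans_len);` is sized from the nruhsd-derived length and only afterwards does `trans_len = MIN(trans_len, len);` clamp the transfer size, so the allocated size and the copied size are decoupled; whatever size is chosen for the allocation, the code that fills the descriptors (outside this hunk) must stay bounded by the allocated length, and a short comment at the allocation stating that invariant would make the fix self-explanatory.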

The malloc could be done after finding the min length.

Shouldn't we check len is big enough?

Thanks,

Phil.
