From: Philippe Mathieu-Daudé
Subject: Re: [PULL for-9.1 1/1] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
Date: Tue, 20 Aug 2024 12:30:43 +0200
User-agent: Mozilla Thunderbird
Hi Klaus,

On 20/8/24 06:45, Klaus Jensen wrote:
> From: Klaus Jensen <k.jensen@samsung.com>
>
> Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the NVMe emulation that leaks contents of an uninitialized heap buffer if subsystem and FDP emulation are enabled.
Was this patch posted on the list for review? Usually we log backtraces and reproducers here. Which fields are leaked? Let's avoid the proven-unsafe security by obscurity.
Cc: qemu-stable@nongnu.org Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> --- hw/nvme/ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index c6d4f61a47f9..9f277b81d83c 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -4474,7 +4474,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr); - buf = g_malloc(trans_len); + buf = g_malloc0(trans_len);trans_len = MIN(trans_len, len);
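Review bot: the buffer is still allocated from the unclamped trans_len and only afterwards reduced with `trans_len = MIN(trans_len, len);`, so the allocation could be moved below the MIN() and sized to the clamped value, which also makes it obvious that every byte later copied to the host came from the zeroed allocation. Nothing in the visible context checks that len is at least sizeof(NvmeRuhStatus), so a short host-supplied len clamps the transfer inside the header; whether the caller rejects such a len should be confirmed or noted in the commit message. The commit message should also name which fields of NvmeRuhStatus / NvmeRuhStatusDescr were left unwritten by the fill code, since that is what g_malloc0() now covers.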
The malloc could be done after finding the min length. Shouldn't we check that len is big enough?

Thanks,

Phil.
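To make the failure mode concrete, the following is an added stand-alone model of the pattern discussed in this thread; it is not QEMU code and does not reproduce the real NvmeRuhStatus / NvmeRuhStatusDescr layouts. It uses a constructed arena pre-filled with a marker byte to stand in for stale heap contents, builds a reply the way the patched function is shaped (allocate the full reply, write the known fields, clamp to the host-supplied len), and counts how many marker bytes would reach the host with a plain allocation versus a zero-filled one. The rejection of a len smaller than the header is an assumption added for this model, prompted by the question above; the structure field names are likewise constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy heap: a malloc'ed arena pre-filled with STALE_BYTE to stand in for data
 * left behind by earlier allocations. A bump allocator hands out ranges from
 * it, optionally zero-filling them (the g_malloc0 / calloc case). Constructed
 * for this example. */
#define ARENA_SIZE 4096
#define STALE_BYTE 0xA5

static uint8_t *arena;
static size_t arena_used;

static void arena_reset(void)
{
    if (!arena) {
        arena = malloc(ARENA_SIZE);
    }
    memset(arena, STALE_BYTE, ARENA_SIZE);
    arena_used = 0;
}

static void *arena_alloc(size_t size, int zero)
{
    if (size > ARENA_SIZE - arena_used) {
        return NULL;
    }
    void *p = arena + arena_used;
    arena_used += size;
    if (zero) {
        memset(p, 0, size);   /* what switching to g_malloc0() buys */
    }
    return p;
}

/* Constructed reply layout: a header with reserved bytes, then nruhsd
 * descriptors that each carry reserved bytes the fill routine never writes.
 * Sizes are chosen so neither struct has implicit padding (16 and 32 bytes). */
typedef struct {
    uint8_t  rsvd[14];   /* never written by build_ruh_status() */
    uint16_t nruhsd;
} RuhStatusHdr;

typedef struct {
    uint16_t pid;
    uint16_t ruhid;
    uint32_t earutr;
    uint64_t ruamw;
    uint8_t  rsvd[16];   /* never written by build_ruh_status() */
} RuhStatusDescr;

/* Mirrors the shape of the patched function: allocate trans_len bytes, fill
 * the fields the emulation knows, then clamp to the host-supplied len.
 * Returns the byte count that would be copied to the host, or 0 when len
 * cannot hold the header (a check this model adds; assumption). */
static size_t build_ruh_status(size_t nruhsd, size_t len, int zero_init,
                               uint8_t **out)
{
    size_t trans_len = sizeof(RuhStatusHdr) + nruhsd * sizeof(RuhStatusDescr);

    *out = NULL;
    if (len < sizeof(RuhStatusHdr)) {
        return 0;
    }

    uint8_t *buf = arena_alloc(trans_len, zero_init);
    if (!buf) {
        return 0;
    }

    RuhStatusHdr *hdr = (RuhStatusHdr *)buf;
    hdr->nruhsd = (uint16_t)nruhsd;              /* hdr->rsvd left untouched */

    RuhStatusDescr *d = (RuhStatusDescr *)(buf + sizeof(RuhStatusHdr));
    for (size_t i = 0; i < nruhsd; i++) {
        d[i].pid = (uint16_t)i;
        d[i].ruhid = (uint16_t)(i * 2);
        d[i].earutr = 0;
        d[i].ruamw = 0;                          /* d[i].rsvd left untouched */
    }

    *out = buf;
    return trans_len < len ? trans_len : len;   /* MIN(trans_len, len) */
}

/* Counts bytes in the span that would be copied to the host which still hold
 * the stale marker, i.e. heap contents disclosed to the guest. */
static size_t stale_bytes_in_reply(size_t nruhsd, size_t len, int zero_init)
{
    uint8_t *buf;
    size_t stale = 0;

    arena_reset();
    size_t n = build_ruh_status(nruhsd, len, zero_init, &buf);
    for (size_t i = 0; i < n; i++) {
        stale += (buf[i] == STALE_BYTE);
    }
    return stale;
}

int main(void)
{
    printf("plain alloc, 3 descriptors: %zu stale bytes reach the host\n",
           stale_bytes_in_reply(3, 4096, 0));
    printf("zeroed alloc, 3 descriptors: %zu stale bytes reach the host\n",
           stale_bytes_in_reply(3, 4096, 1));
    printf("plain alloc, len clamped to 20: %zu stale bytes reach the host\n",
           stale_bytes_in_reply(3, 20, 0));
    return 0;
}
```

With three descriptors and a generous len, the plain allocation leaks exactly the 14 reserved header bytes plus 16 reserved bytes per descriptor (62 bytes); the zero-filled allocation leaks none. Clamping len to 20 still discloses the 14 header bytes, which is why zero-initialising the whole allocation, rather than relying on the clamp, is the robust fix.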