hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl

nvme_subsys_ctrl() is used in contexts where the given controller identifier is from an untrusted source. Like its friends nvme_ns() and nvme_subsys_ns(), nvme_subsys_ctrl() should just return NULL if an invalid identifier is given. Fixes: 645ce1a ("hw/block/nvme: support namespace attachment command") Cc: Minwoo Im <minwoo.im.dev@gmail.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
qemu · Apr 7, 2021 · 5dd7930 · 5dd7930
1 parent ba6219c
commit 5dd7930
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
@@ -36,7 +36,7 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp);
 static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys,
         uint32_t cntlid)
 {
-    if (!subsys) {
+    if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS) {
         return NULL;
     }