1. Patchew
  2. QEMU
  3. [Stable-9.0.3 00/69] Patch Round-up for stable 9.0.3, freeze on 2024-09-16
  4. View patch

[Stable-9.0.3 63/69] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv

Michael Tokarev posted 69 patches 2 months, 2 weeks ago
[Stable-9.0.3 63/69] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
Posted by Michael Tokarev 2 months, 2 weeks ago 
From: Klaus Jensen <k.jensen@samsung.com>

Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
NVMe emulation that leaks contents of an uninitialized heap buffer if
subsystem and FDP emulation are enabled.

Cc: qemu-stable@nongnu.org
Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit 6a22121c4f25b181e99479f65958ecde65da1c92)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 652116085e..659332db0a 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4302,7 +4302,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n, NvmeRequest *req,
 
     nruhsd = ns->fdp.nphs * endgrp->fdp.nrg;
     trans_len = sizeof(NvmeRuhStatus) + nruhsd * sizeof(NvmeRuhStatusDescr);
-    buf = g_malloc(trans_len);
+    buf = g_malloc0(trans_len);
 
     trans_len = MIN(trans_len, len);
 
-- 
2.39.2

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.