[SeaBIOS] [PATCH] nvme: avoid use-after-free in nvme_controller_enable()

Jan Beulich via SeaBIOS posted 1 patch 2 years, 2 months ago
git fetch https://github.com/patchew-project/seabios tags/patchew/9ba6267e-8a27-72e3-a499-ed67a600bb7f@suse.com
Commit b68f313c9139 ("nvme: Record maximum allowed request size")
introduced a use of "identify" past it being passed to free(). Latch the
value of interest into a local variable.

Reported-by: Coverity (ID 1497613)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
It was a Xen Project Coverity run which reported this after our updating
to 1.15.0.

--- a/src/hw/nvme.c
+++ b/src/hw/nvme.c
@@ -620,6 +620,7 @@
             identify->nn, (identify->nn == 1) ? "" : "s");
 
     ctrl->ns_count = identify->nn;
+    u8 mdts = identify->mdts;
     free(identify);
 
     if ((ctrl->ns_count == 0) || nvme_create_io_queues(ctrl)) {
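Review bot: The latch `u8 mdts = identify->mdts;` is placed immediately before `free(identify)`, which closes the lifetime gap the commit message describes, but the width of the new local should be checked against both the declared type of the `mdts` field in the identify structure and the parameter type of `nvme_probe_ns()`, because a silent narrowing here would quietly change the maximum request size rather than fail visibly. A short comment on the `free(identify)` line saying that `identify` must not be dereferenced past this point would help keep a future edit from reintroducing the same use-after-free.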
@@ -631,7 +632,7 @@
     /* Populate namespace IDs */
     int ns_idx;
     for (ns_idx = 0; ns_idx < ctrl->ns_count; ns_idx++) {
-        nvme_probe_ns(ctrl, ns_idx, identify->mdts);
+        nvme_probe_ns(ctrl, ns_idx, mdts);
     }
 
     dprintf(3, "NVMe initialization complete!\n");
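Review bot: Replacing `identify->mdts` with the local `mdts` in the probe loop removes the only stale dereference visible in this patch, but the lines between the two hunks are not shown, so it is worth confirming that no other use of `identify` remains between the `free()` and the end of the function. Assigning `identify = NULL;` right after the `free()` would make any such remaining or future use fault deterministically instead of reading freed heap memory, which is the class of defect Coverity flagged here.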

SeaBIOS mailing list -- seabios@seabios.org