bugfix: fix Uninitialized Free Vulnerability

Signed-off-by: nocjj <1250062498@qq.com> Signed-off-by: imxcc <xingchaochao@huawei.com>
2021-06-01 20:38:59 +08:00 · 2021-06-01 20:38:59 +08:00 · 16a74ee234
commit 16a74ee234
parent c62dab578c
1 changed files with 72 additions and 0 deletions
--- a/bugfix-fix-Uninitialized-Free-Vulnerability.patch
+++ b/bugfix-fix-Uninitialized-Free-Vulnerability.patch
@ -0,0 +1,72 @@
+From 58fe713b575a7b24b4e4694154a16808ff4a9009 Mon Sep 17 00:00:00 2001
+From: imxcc <xingchaochao@huawei.com>
+Date: Tue, 1 Jun 2021 20:38:59 +0800
+Subject: [PATCH] bugfix: fix Uninitialized Free Vulnerability
+
+Signed-off-by: nocjj <1250062498@qq.com>
+Signed-off-by: imxcc <xingchaochao@huawei.com>
+---
+ hw/block/nvme.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 36d6a8bb3a..387e8b5c8f 100644
+--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
+@@ -216,15 +216,26 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+     return NVME_SUCCESS;
+ 
+  unmap:
+-    qemu_sglist_destroy(qsg);
+    if (iov && iov->iov) {
+        qemu_iovec_destroy(iov);
+    }
+
+    if (qsg && qsg->sg) {
+        qemu_sglist_destroy(qsg);
+    }
+
+     return NVME_INVALID_FIELD | NVME_DNR;
+ }
+ 
+ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+                                    uint64_t prp1, uint64_t prp2)
+ {
+-    QEMUSGList qsg;
+-    QEMUIOVector iov;
+    QEMUSGList qsg = {
+        .sg = NULL,
+    };
+    QEMUIOVector iov = {
+        .iov = NULL,
+    };
+     uint16_t status = NVME_SUCCESS;
+ 
+     if (nvme_map_prp(&qsg, &iov, prp1, prp2, len, n)) {
+@@ -247,8 +258,12 @@ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ static uint16_t nvme_dma_read_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+     uint64_t prp1, uint64_t prp2)
+ {
+-    QEMUSGList qsg;
+-    QEMUIOVector iov;
+    QEMUSGList qsg = {
+        .sg = NULL,
+    };
+    QEMUIOVector iov = {
+        .iov = NULL,
+    };
+     uint16_t status = NVME_SUCCESS;
+ 
+     trace_nvme_dma_read(prp1, prp2);
+@@ -500,7 +515,7 @@ static void nvme_init_sq(NvmeSQueue *sq, NvmeCtrl *n, uint64_t dma_addr,
+     sq->size = size;
+     sq->cqid = cqid;
+     sq->head = sq->tail = 0;
+-    sq->io_req = g_new(NvmeRequest, sq->size);
+    sq->io_req = g_new0(NvmeRequest, sq->size);
+ 
+     QTAILQ_INIT(&sq->req_list);
+     QTAILQ_INIT(&sq->out_req_list);
+-- 
+2.27.0
+