[PULL 02/11] hw/block/nvme: assert namespaces array indices
From: Klaus Jensen
Subject: [PULL 02/11] hw/block/nvme: assert namespaces array indices
Date: Tue, 16 Mar 2021 22:47:44 +0100
From: Klaus Jensen <k.jensen@samsung.com>
Coverity complains about a possible memory corruption in the
nvme_ns_attach and _detach functions. While we should not (famous last
words) be able to reach this function without nsid having previously
been validated, this is still an open door for future misuse.
Make Coverity and maintainers happy by asserting that the index into the
array is valid. Also, while not detected by Coverity (yet), add an
assert in nvme_subsys_ns and nvme_subsys_register_ns as well since a
similar issue exists there.
Fixes: 037953b5b299 ("hw/block/nvme: support namespace detach")
Fixes: CID 1450757
Fixes: CID 1450758
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
hw/block/nvme-subsys.h | 2 ++
hw/block/nvme.h | 10 ++++++++--
hw/block/nvme-subsys.c | 7 +++++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
index fb66ae752ad5..aafa04b84829 100644
--- a/hw/block/nvme-subsys.h
+++ b/hw/block/nvme-subsys.h
@@ -54,6 +54,8 @@ static inline NvmeNamespace *nvme_subsys_ns(NvmeSubsystem
*subsys,
return NULL;
}
+ assert(nsid && nsid <= NVME_SUBSYS_MAX_NAMESPACES);
+
return subsys->namespaces[nsid];
}
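Review bot: the new assert before `return subsys->namespaces[nsid];` accepts nsid == NVME_SUBSYS_MAX_NAMESPACES, and the array is then indexed with nsid itself rather than nsid - 1 as in nvme_ns_attach. That is only in bounds if namespaces[] is declared with NVME_SUBSYS_MAX_NAMESPACES + 1 elements; the declaration is not part of this hunk, so please confirm it, and consider a short comment next to the assert noting that this array is indexed by nsid directly, so the two conventions are not mixed up later.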
diff --git a/hw/block/nvme.h b/hw/block/nvme.h
index 4955d649c7d4..5ba2efaedfd2 100644
--- a/hw/block/nvme.h
+++ b/hw/block/nvme.h
@@ -236,12 +236,18 @@ static inline bool nvme_ns_is_attached(NvmeCtrl *n,
NvmeNamespace *ns)
static inline void nvme_ns_attach(NvmeCtrl *n, NvmeNamespace *ns)
{
- n->namespaces[nvme_nsid(ns) - 1] = ns;
+ uint32_t nsid = nvme_nsid(ns);
+ assert(nsid && nsid <= NVME_MAX_NAMESPACES);
+
+ n->namespaces[nsid - 1] = ns;
}
static inline void nvme_ns_detach(NvmeCtrl *n, NvmeNamespace *ns)
{
- n->namespaces[nvme_nsid(ns) - 1] = NULL;
+ uint32_t nsid = nvme_nsid(ns);
+ assert(nsid && nsid <= NVME_MAX_NAMESPACES);
+
+ n->namespaces[nsid - 1] = NULL;
}
static inline NvmeCQueue *nvme_cq(NvmeRequest *req)
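Review bot: the asserts in nvme_ns_attach and nvme_ns_detach turn an out-of-range nsid into an abort, which is the right outcome only as long as every caller has validated nsid first, as the commit message assumes. A one-line comment above each assert stating that precondition (nsid is 1-based, at most NVME_MAX_NAMESPACES, and validated by the caller) would keep a future caller from treating these helpers as the validation point. The two bodies are now identical apart from the stored value, so a small shared helper that returns the checked index would remove the duplication.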
diff --git a/hw/block/nvme-subsys.c b/hw/block/nvme-subsys.c
index af4804a819ee..9fadef8cec99 100644
--- a/hw/block/nvme-subsys.c
+++ b/hw/block/nvme-subsys.c
@@ -47,15 +47,18 @@ int nvme_subsys_register_ns(NvmeNamespace *ns, Error **errp)
{
NvmeSubsystem *subsys = ns->subsys;
NvmeCtrl *n;
+ uint32_t nsid = nvme_nsid(ns);
int i;
- if (subsys->namespaces[nvme_nsid(ns)]) {
+ assert(nsid && nsid <= NVME_SUBSYS_MAX_NAMESPACES);
+
+ if (subsys->namespaces[nsid]) {
error_setg(errp, "namespace %d already registerd to subsy %s",
nvme_nsid(ns), subsys->parent_obj.id);
return -1;
}
- subsys->namespaces[nvme_nsid(ns)] = ns;
+ subsys->namespaces[nsid] = ns;
for (i = 0; i < ARRAY_SIZE(subsys->ctrls); i++) {
n = subsys->ctrls[i];
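Review bot: nvme_subsys_register_ns already reports failure through errp and returns -1, so at the new assert an out-of-range nsid could be rejected with error_setg and a -1 return instead of aborting, which fits the function's existing error path. Separately, the error_setg call still passes nvme_nsid(ns) rather than the new local nsid and formats a uint32_t with %d; using nsid with %u there would match the rest of the change.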
--
2.30.1