From b02c2a85a6c8e5ecc1bfca1ef794b5897c9ebad3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
Date: Fri, 11 Aug 2023 18:47:50 +0100
Subject: [PATCH 1/2] hw/nvme: Use #define to avoid variable length array
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In nvme_map_sgl() we create an array segment[] whose size is the 'const int SEG_CHUNK_SIZE'. Since this is C, rather than C++, a "const int foo" is not a true constant, it's merely a variable with a constant value, and so semantically segment[] is a variable-length array.

Switch SEG_CHUNK_SIZE to a #define so that we can make the segment[] array truly fixed-size, in the sense that it doesn't trigger the -Wvla warning.

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

[PMM: rebased (function has moved file), expand commit message based on discussion from previous version of patch]

Signed-off-by: Philippe Mathieu-Daudé
Signed-off-by: Peter Maydell
Signed-off-by: Klaus Jensen
---
 hw/nvme/ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 539d273553..d99a6f5c9a 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -1045,7 +1045,7 @@ static uint16_t nvme_map_sgl(NvmeCtrl *n, NvmeSg *sg, NvmeSglDescriptor sgl,
 * descriptors and segment chain) than the command transfer size, so it is
 * not bounded by MDTS.
 */
- const int SEG_CHUNK_SIZE = 256;
+#define SEG_CHUNK_SIZE 256
 NvmeSglDescriptor segment[SEG_CHUNK_SIZE], *sgld, *last_sgld;
 uint64_t nsgld;
From b3c8246750b7077add335559341268f2956f6470 Mon Sep 17 00:00:00 2001
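Review bot: The replacement line `#define SEG_CHUNK_SIZE 256` sits inside nvme_map_sgl, but the preprocessor has no block scope, so the macro now stays defined for the rest of ctrl.c and any later SEG_CHUNK_SIZE in the file would be silently rewritten or trip a redefinition warning. An anonymous enum gives the same integer constant expression — segment[] stays a fixed-size array and -Wvla is satisfied — while keeping block scope and remaining visible in a debugger: `enum { SEG_CHUNK_SIZE = 256 };`. If the macro is preferred for consistency with the rest of the file, an `#undef SEG_CHUNK_SIZE` at the end of the function would at least contain it. nvme_map_sgl begins before this hunk and continues after it, so the end of the function is not visible here.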
From: Peter Maydell
Date: Fri, 11 Aug 2023 18:47:51 +0100
Subject: [PATCH 2/2] hw/nvme: Avoid dynamic stack allocation

Instead of using a variable-length array in nvme_map_prp(), allocate on the stack with a g_autofree pointer.

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Signed-off-by: Klaus Jensen
---
 hw/nvme/ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index d99a6f5c9a..90687b168a 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -894,7 +894,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1,
 len -= trans_len;
 if (len) {
 if (len > n->page_size) {
- uint64_t prp_list[n->max_prp_ents];
+ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);
 uint32_t nents, prp_trans;
 int i = 0;
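Review bot: The new line `g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);` still sizes the buffer from the runtime field n->max_prp_ents, and nothing at the allocation says why the array moved off the stack; the commit message also describes this as allocating "on the stack", which a g_new/g_autofree pair does not do — it is heap memory released when prp_list leaves scope. The defensive property worth recording is that an unexpected max_prp_ents value now ends in g_new's allocation-failure path (GLib aborts rather than returning NULL) instead of a silently oversized stack frame, e.g. `/* heap rather than VLA: max_prp_ents is a runtime value, keep it off the stack */`. Since this sits on the per-command PRP-list path, the per-request heap allocation is a cost that could be noted or measured, though the callers are not visible here. nvme_map_prp begins before this hunk and continues after it.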