c98850e210
- hw/nvme: Avoid dynamic stack allocation - ppc/vof: Fix missed fields in VOF cleanup - ui: fix crash when there are no active_console - tests/qtest/pflash: Clean up local variable shadowing - target/ppc: Fix the order of kvm_enable judgment about kvmppc_set_interrupt() - tulip: Assign default MAC address if not specified - hw/char: fix qcode array bounds check in ESCC impl Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From aa1f9c961de247522e772275635b7f15bf5bb13f Mon Sep 17 00:00:00 2001
|
|
From: dinglimin <dinglimin@cmss.chinamobile.com>
|
|
Date: Sat, 16 Sep 2023 17:20:08 +0800
|
|
Subject: [PATCH] hw/nvme: Avoid dynamic stack allocation
|
|
|
|
cheery-pick from b3c8246750b7077add335559341268f2956f6470
|
|
|
|
Instead of using a variable-length array in nvme_map_prp(),
|
|
allocate on the stack with a g_autofree pointer.
|
|
|
|
The codebase has very few VLAs, and if we can get rid of them all we
|
|
can make the compiler error on new additions. This is a defensive
|
|
measure against security bugs where an on-stack dynamic allocation
|
|
isn't correctly size-checked (e.g. CVE-2021-3527).
|
|
|
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
|
|
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
|
|
---
|
|
hw/nvme/ctrl.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
|
|
index debd3916dd..d64dd9c361 100644
|
|
--- a/hw/nvme/ctrl.c
|
|
+++ b/hw/nvme/ctrl.c
|
|
@@ -702,7 +702,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1,
|
|
len -= trans_len;
|
|
if (len) {
|
|
if (len > n->page_size) {
|
|
- uint64_t prp_list[n->max_prp_ents];
|
|
+ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);
|
|
uint32_t nents, prp_trans;
|
|
int i = 0;
|
|
|
|
--
|
|
2.41.0.windows.1
|
|
|