authorKlaus Jensen <k.jensen@samsung.com>2020-03-30 23:23:15 +0200
committerKlaus Jensen <k.jensen@samsung.com>2020-10-27 07:24:47 +0100
commit6e0ac3a03f3ab0d0b69d086e3226bac77a20a468 (patch)
treea89900b39a70e0bcebfc7d8cb42e82e89b789965 /hw/block
parent92a10ec17f3ae7221b23f3eaefa29066e10d7973 (diff)
hw/block/nvme: harden cmb access
Since the controller has only supported PRPs so far, it has not been required to check the ending address (addr + len - 1) of the CMB access for validity, since that address has been guaranteed to be in range of the CMB. This changes when the controller adds support for SGLs (next patch), so add that check. Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Keith Busch <kbusch@kernel.org>
Diffstat (limited to 'hw/block')
-rw-r--r--hw/block/nvme.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 0e916d48d7..c0f1f8ccd4 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -142,7 +142,12 @@ static inline void *nvme_addr_to_cmb(NvmeCtrl *n, hwaddr addr)
static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
{
- if (n->bar.cmbsz && nvme_addr_is_cmb(n, addr)) {
+ hwaddr hi = addr + size - 1;
+ if (hi < addr) {
+ return 1;
+ }
+
+ if (n->bar.cmbsz && nvme_addr_is_cmb(n, addr) && nvme_addr_is_cmb(n, hi)) {
memcpy(buf, nvme_addr_to_cmb(n, addr), size);
return 0;
}