Bug 2232677 (CVE-2023-40360) - CVE-2023-40360 QEMU: NVMe: NULL pointer dereference in nvme_directive_receive()
Summary: CVE-2023-40360 QEMU: NVMe: NULL pointer dereference in nvme_directive_receive()
Keywords:
Status: NEW
Alias: CVE-2023-40360
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2232678 2232679 2232680 2233910
Blocks: 2232676
TreeView+ depends on / blocked
 
Reported: 2023-08-17 21:03 UTC by Zack Miele
Modified: 2023-08-23 18:17 UTC (History)
11 users (show)

Fixed In Version: qemu-kvm 8.1.0-rc3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtual nvme device in QEMU. The nvme_directive_receive() function does not check if an endurance group has been configured (set) prior to testing if flexible data placement is enabled, potentially leading to a NULL pointer dereference issue.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Zack Miele 2023-08-17 21:03:41 UTC
QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.

https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
https://gitlab.com/qemu-project/qemu/-/issues/1815
https://www.qemu.org/docs/master/system/security.html

Comment 2 Mauro Matteo Cascella 2023-08-23 17:13:55 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98

Comment 3 Mauro Matteo Cascella 2023-08-23 17:19:20 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2233910]


Note You need to log in before you can comment on or make changes to this bug.